Security Problem

Asked by BabarNazmi
I have been having a very strange problem for a couple of weeks, and I don't understand it. I am so afraid of hacking and that sort of thing that I always remove my system from the other network by removing NetBIOS and Client for Microsoft Networks, and I use security software etc. But I keep seeing that my system is being accessed by someone. I am using Windows 2000 SP3. In "Documents and Settings", alongside Administrator, All Users and Default User, one folder is automatically created every time, named 'machine_name + "$"'. I don't understand how anybody can access my system, and why my security software is not able to see that communication. Also, when I remove that folder it is created again, and when I try to restrict the system on "Documents and Settings", then this folder cannot be created.

Please tell me, what is the problem?
Regards
Babar Shafiq

Commented:
This is likely not an external user but rather a function of a program on your machine. You may want to look again at the defined users by right-clicking My Computer, then Manage, but as you are reviewing your own machine's habits, I would rather recommend a review of the Event Viewer, available on the same screen. Review all three logs periodically to best assess its changes in behaviour.

Author

Commented:
I already checked those things before, but I have only one user on my machine, which is "Administrator"; all others are deleted or disabled. But I think whenever I go to a network share or enable Client for Microsoft Networks, then this thing happens, and when I try to restrict folder creation, another folder is created with "machine_name" + "$" + "workgroup_name". I think somebody is doing a NetBIOS over TCP/IP thing with me? What do you people suggest?

Commented:
Hi BabarNazmi

You could try to change your firewall settings.
Block all incoming requests to NetBIOS (ports 137, 138, 139).

Did you install any software on your computer right before this happened?

Commented:
Sounds like an odd problem. As mentioned, filtering out ports 137-139 at your firewall will stop NetBIOS sessions from entering (or exiting) your network, assuming you're running a firewall.

If this is a single machine connected to the Internet through a public broadband connection (cable, xDSL), it is possible that someone has gained access to your machine through another application, most likely SQL or IIS, if either is running. They may then be creating accounts on your machine, connecting to it via straight TCP/IP and viewing shares that way.

Unfortunately, if you're not running a properly configured firewall, it's hard to say what *may* have happened. I hate to say it, but if you think you have been hacked, back up your important data files and reformat. On your fresh installation, apply all applicable patches, harden your OS, and put a firewall in front of the machine. You should be OK from that point on.

Shawn Preston, CISSP
Founder, SecureThinking
www.securethinking.net

"Where Information Security Evolves"
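The two replies above both recommend blocking inbound NetBIOS at the host firewall. The following is an added example, not code from the thread or from any of its participants, showing how that is done on a current Windows host with the built-in firewall (Windows 8 / Server 2012 and later; Windows 2000 had no built-in host firewall, so the poster's third-party product would need equivalent rules). It goes slightly beyond the replies by also covering TCP 445, the direct-hosted SMB port that Windows 2000 and later use alongside NetBIOS session on 139. The rule names are assumed.

```powershell
# Added example (not from the thread): block inbound NetBIOS/SMB at the host
# firewall, as advised above for ports 137-139, plus TCP 445 (direct SMB).
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.
# Rule display names are assumptions chosen for this example.

$rules = @(
    @{ Name = 'Block inbound NetBIOS name/datagram (UDP 137-138)'; Protocol = 'UDP'; Port = 137, 138 },
    @{ Name = 'Block inbound NetBIOS session (TCP 139)';           Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block inbound SMB direct (TCP 445)';                Protocol = 'TCP'; Port = 445 }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule if one with this name is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Port -Action Block -Profile Any | Out-Null
    }
}

# Verify what is now in place: rule name, protocol, local port(s) and action.
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $pf.Protocol
            Port     = ($pf.LocalPort -join ',')
            Action   = $_.Action
        }
    } | Format-Table -AutoSize
```

These are inbound rules only: the machine can still reach other hosts' shares, it just stops serving its own to the network. Outbound blocking, if wanted, needs separate rules with `-Direction Outbound`.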
Commented:
Well, here goes: you can turn off NetBIOS all you want, but if you are using a blank password and somebody is able to remotely access your registry, you are screwed, and that isn't part of NetBIOS. Also, once they get into the registry, if they know what they are doing, they modify one key and they can telnet into your box, and it's over, basically. So please use a login password, and make sure you write a script to delete the IPC, admin and logical drive shares every time you reboot: something like "net share ipc$ /delete" in a WordPad document, save it as whatever.bat, and put it in the Startup folder in the Start menu. Hope this helps.
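The startup script described in the comment above (delete the IPC$, ADMIN$ and drive shares at every boot), written out as an added example rather than code from the commenter. It parses `net share` output so it only tries to delete shares that actually exist, and it goes one step further than the comment by showing the registry value that stops the Server service from re-creating C$/ADMIN$ in the first place. The list of share names is an assumption; check it against what `net share` lists on the machine.

```powershell
# Added example (not from the thread): delete the default administrative shares
# at startup, as the comment above suggests doing with "net share ipc$ /delete"
# in a .bat file. Run elevated, e.g. from a scheduled task "At startup".
# The target list is an assumption; adjust it to the drives on the machine.

$targets = @('IPC$', 'ADMIN$', 'C$', 'D$')

# `net share` prints a header, a dashed line, then one share per line with
# the share name in the first column. Keep only names ending in '$'.
$existing = (net share) |
    Where-Object { $_ -match '^\S+\$\s' } |
    ForEach-Object { ($_ -split '\s+')[0] }

foreach ($share in $targets) {
    if ($existing -contains $share) {
        Write-Host "Deleting share $share"
        # Fails (with a message) if a client still has the share open.
        net share $share /delete
    } else {
        Write-Host "Share $share not present, nothing to do"
    }
}

# Persistent alternative for C$ and ADMIN$: tell the Server service not to
# re-create them. AutoShareServer applies to server SKUs (the poster runs
# Windows 2000 Advanced Server); AutoShareWks is the workstation equivalent.
# IPC$ is not controlled by this value and is still created at service start.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $key -Name 'AutoShareServer' -Value 0 -Type DWord
# Takes effect after the Server service restarts (Restart-Service LanmanServer).
```

Deleting IPC$ breaks anything that authenticates to the machine over SMB, including remote administration tools, so on a workgroup box that nobody should be reaching over SMB it is acceptable; on a managed network it is not.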

Commented:
Server or workstations? At command line:

nbtstat

Choose which options you will.

netstat

* this will list out all the "Active Connections" you seek info about

net use

- gets connections and status, such as mapped drives; for more:

net
net help
net help use
net help _________               (etc)

- My guess is that you will find a familiar name there, of a machine that you really do want to talk to, even for "somebody is doing a NetBIOS over TCP/IP thing with me". If you do not, please identify it here. I note that this identifies the port, which we can all then use with whichever lookup system is available to further identify suspects. If not, then I suggest my answer was correct, namely, rephrasing, that the 'suspicious activity' is more an incomplete understanding (none of us knows all), and that you are not being hacked.
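The comment above says to run `netstat`, `nbtstat` and `net use` and look for the remote machine on the NetBIOS ports. The following added example (not from the thread) does the netstat part in a repeatable way: it parses `netstat -ano` output, keeps only non-listening sockets on the NetBIOS/SMB ports, and maps each one to its owning process. The `$sample` block is constructed test data in `netstat -ano` format so the script runs offline; replace it with live output to check the real machine.

```powershell
# Added example (not from the thread): find live NetBIOS/SMB connections in
# `netstat -ano` output and resolve the owning process, the check the comment
# above asks for. $sample is constructed data; PIDs and addresses are made up.

$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       192.168.1.55:1042      ESTABLISHED     4
  TCP    192.168.1.10:3389      192.168.1.55:1050      ESTABLISHED     912
  UDP    192.168.1.10:137       *:*                                    4
'@ -split "`r?`n"

function Get-NetBiosSessions {
    param([string[]]$NetstatLines)

    $ports = 137, 138, 139, 445          # NetBIOS name/datagram/session + direct SMB

    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        # Skip the header and anything that is not a TCP/UDP socket line.
        if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { continue }

        $local  = $f[1]
        $remote = $f[2]
        $lport  = [int](($local -split ':')[-1])   # works for IPv4 and [::]:port
        $state  = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        $procId = $f[-1]                            # last column is the PID

        # Report only sockets on the NetBIOS/SMB ports that have a real peer.
        if ($lport -in $ports -and $state -ne 'LISTENING' -and $remote -ne '*:*') {
            $proc = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            [pscustomobject]@{
                Proto   = $f[0]
                Local   = $local
                Remote  = $remote
                State   = $state
                PID     = $procId
                Process = $proc
            }
        }
    }
}

# Offline run against the constructed sample: reports the 192.168.1.55 -> :139 session.
Get-NetBiosSessions -NetstatLines $sample | Format-Table -AutoSize

# Live run on the machine under investigation:
#   Get-NetBiosSessions -NetstatLines (netstat -ano)
# Complement it with `nbtstat -S` (NetBIOS sessions by address) and
# `net session` (SMB sessions with client name and user), which the
# comment's `net use` shows only from the client side.
```

On Windows the owning process for inbound SMB is normally PID 4 (System), because the Server service runs in the kernel, so the useful part of the output is the Remote column: the peer address is what to look up or block, not the process.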

Commented:
If still unsettled, consider a personal firewall like ZoneAlarm; fire it up and block all ports when you have no work to do. Watch the complaints of those programs that can no longer talk on the wire. Enable them one at a time as you come to believe that they warrant your permission to access the 'net.

Commented:
> Also when i removed that folder it will created again,

Fight-back trick for some systems: after deleting it, recreate it with a unique ownership and apply every restriction you can think of to keep others out. If that works, then the one using it should start complaining, and that is one way to find out who that was. Again, I suspect it is something you do want to use, so you should also reserve enough time both to find out and to restore it to the way it was. If I am wrong, you'll have a little time to better document the perpetrator, if the trick works. Similarly, if files get placed there, you can tinker with permission levels, restricting access to the owner, with yourself as owner.

Commented:
> you can turn off netbois all you want,

By the way, this is really not so good an idea in a work environment, for NetBIOS is used by the NT boxes to talk to each other, advertising themselves, shared services and the like. With it off, things can get even more confusing for a while. But like anything else, go ahead when prepared to turn it back on quickly (reboots needed).

Author

Commented:
I have installed a very good firewall, a MAC-based firewall, but it didn't show anything, and no application complained about any outgoing connection. But when I was developing a MAC filter some time ago, I saw that at the Internet sharing level (2000, XP), when we use an Internet-connected computer as a gateway (not a proxy), then no firewall will see any connection, but the client computers are using that PC's Internet connection, and it is documented that no software firewall can show those sorts of connections. I think in my case this might be happening, because I am at an ISP where my network people have special command in their field. I just want suggestions for this, what to do in this case. I am running Windows 2000 Advanced Server, Internet sharing is disabled, and I am on a workgroup, not a domain, so the domain administrator has no access, and most of the time I disable Client for Microsoft Networks and NetBIOS.

thanks in advance.
Commented:
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and points refunded.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
PAQed, with points refunded (30)

Computer101
E-E Admin
