Solved

Have I been hacked?

Posted on 2004-03-25
23
917 Views
Last Modified: 2011-09-20
The other day, I was playing around with the command prompt, and did a "netstat".

I wasn't expecting anything unusual, but I stumbled upon a connection to hotmail.se. A little research and I found out that .se is an extension for Sweden, and the port belonged to something called "Autodesk License Manager".

I was quite worried, but I put it out of my head, figuring that it might have been from some spyware or something.

However, when I logged onto my computer tonight and started surfing the internet, I got a login box, like the type you get when you're trying to log into an FTP site, seemingly out of nowhere. It asked for a username and password.
I did a netstat, and this was the result:
http://www.geocities.com/stormy_chan/what.txt

After that, I immediately unplugged my laptop from my home network.
I did some research and found that, again, the port is used by Autodesk License Manager.
Does anyone have any idea what is going on? I'm sure it's bad, whatever it is. I can't seem to find any information on exploits regarding this port...
Question by:lizzieluvsyou
23 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684324
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684337
http://techfee.washington.edu/proposals/page8/2004-42
In the spring of 2004, Autodesk will release a new version, Architectural Desktop/Neon – AutoCAD 2004. This version represents a major advance in AutoCAD’s 3D design capacity, as well as significant user interface and productivity improvements. We skipped one AutoCAD upgrade because the improvements didn’t justify the expense. But this new version contains enough improvements to make an upgrade worthwhile. Since AutoCAD uses a network licensing model, we would be able to offer the new version for CAUP students to install on their own computers. The proposed number of licenses is sufficient to meet the anticipated demand.
 

Author Comment

by:lizzieluvsyou
ID: 10684362
I've honestly never heard of Autodesk License Manager or AutoCad till today.
Actually, AutoCad sounds distantly familiar, but I still assume that if I had it on my computer, it looks like it would be something I'd know about.
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684376
It may be attached to something other than AutoCAD. It could be attached to some other process that uses Autodesk License Manager.
 
LVL 44

Accepted Solution

by:
CrazyOne earned 168 total points
ID: 10684387
Here, use this free utility to see if you can find which process it may be attached to:

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Note: when you open the program, go to the menu View and make sure there is a check mark next to View > Lower Pane View > DLLs; if there isn't, click on it.

Just click each process one at a time and look at the bottom window; note if that file is listed, and if it is, kill the process that has the file open.

Also do this

Try this

Start > Run > msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists, then one of the items in the startup is the culprit; you just need to track it down.


If you have Win2000 then
MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://www.pcmag.com/article2/0,4149,2173,00.asp

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
and
StartupMonitor
http://www.mlin.net/StartupMonitor.shtml
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 10684443
Autodesk is AutoCAD... 1422, 2080 (1538 too?) are supposedly reserved; however, M$ will typically use anything above 1024 for ephemeral ports. What you have there is a false positive (maybe). With M$ they are generally between 1024 and 5000; if you look here you can see that there are many ports "reserved" for other applications within that range of port numbers: http://www.iana.org/assignments/port-numbers
Ephemeral ports are the ports that Windows binds to as the source: when you connect to www.example.com and you do a "netstat -a" you'll typically see your PC with a source port above 1024 and below 5000, connecting to DESTINATION www.example.com:http (port 80) or https (port 443).

I don't know what that geocities garbage is... doesn't look promising.

If you've been hacked... those could be statically bound ports; you can do this with many back-door programs. To keep yourself safe, you need a firewall, like ZoneAlarm. You also need anti-virus; with M$ there is practically no getting around it. ZA has a free FW that will suit your needs just fine. You should also turn off certain services on your PC.
The Remote Registry service needs to be disabled, and stopped.
If you do not connect to a Windows network, you can disable the Server service, and NO-ONE can connect remotely to your PC; but don't touch it if you take your laptop to work and plug into a Windows domain, as you'll need the Server service. Also the Messenger service can be disabled; this does not affect anything except your ability to get "net send" messages.

If you have XP Pro, turn on its firewall; it is a decent step FWD for M$. http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
If no XP Pro, then get ZoneAlarm. You'll need to scan your PC for viri and backdoors; McAfee has great detection definitions for most of the popular tools and viri out there, Norton does well with viri, however I do not think they do as well with detecting "malicious" programs. Ad-Aware also can detect some trojans and other annoyances...

ZA has the added benefit of helping you track down and/or stop new programs from running. If you install ZA, and all of a sudden get the newest virus out there (no company has made a virus definition for it yet, it's sooo new), then when it tries to spread to other machines via the internet, ZA will prompt you asking "would you like to allow "new-vir.exe" to access the internet?" You would say no, and you could put a check mark for "remember this response" for that program. Then track down that program and delete it. ZA is a port firewall and a process firewall also. It is "chatty" at first, but once you've got it set up, there is hardly ever a need to change much.
GL!
-rich
 
LVL 15

Expert Comment

by:mattisflones
ID: 10684444
Hi lizzieluvsyou,
You have some kind of software from Autodesk, that's why.. no problem!
The txis.com I do not know what is, but it seems harmless.. You have not been hacked, 99% sure!

If you're afraid of spyware, run:
spybot: http://beam.to/spybotsd
adaware: http://www.lavasoftusa.com/support/download/
Coolwebshredder: http://www.spychecker.com/program/coolwebshredder.html
These three tools take everything!

Mattis
 
LVL 15

Expert Comment

by:mattisflones
ID: 10684459
sorry Crazy, my QP is acting up again...
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684477
:)
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10684478
AutoCAD is a 3D Computer Aided Design program, for making floor plans, 3D modeling and such.... it's for very specific uses. You can search your HD for "auto*" (auto then asterisk) and see if it's there or not. I doubt it; sounds like a FP of the ephemeral ports. Run Windows Update also: open Internet Explorer, Tools, Windows Update, click scan, then review and install updates. http://www.microsoft.com/technet/security/tools/mbsahome.mspx MBSA can help you determine if your system is easy to penetrate also.
-rich
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 166 total points
ID: 10686043
fport
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
will map the port to the process that opened it, and you can go from there.
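Rich Rumble's point above about ephemeral source ports, and chicagoan's suggestion of mapping a port back to the process that opened it, can be combined in one small triage script. This is an added example, not code from the thread or from any of the tools it names: it parses the `netstat -ano` output format (Windows XP and later print the owning PID with `-o`), uses the 1025-5000 source-port range and the two Autodesk port numbers mentioned in the discussion, and takes a constructed PID-to-process table standing in for what Process Explorer, fport or `tasklist` would report on the real machine. The netstat lines are constructed as well.

```python
"""Added example (not from the thread): triage `netstat -ano` output.

Separates ephemeral outbound source ports from real listeners and maps each
PID to a process name, so an IANA service name attached to a *local* port
(e.g. "autodesk-lm" on port 1422) is recognised as a false positive while a
genuine listener owned by an unknown process is flagged for review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default source-port range used by Windows 2000/XP for outbound connections
# (the "ephemeral" ports described in the thread).
EPHEMERAL_RANGE = (1025, 5000)

# IANA-registered service names for the port numbers the thread mentions.
# A lookup tool that labels *every* number from such a table is what produces
# the "Autodesk License Manager" hit on a local port.
IANA_NAMES = {1422: "autodesk-lm", 2080: "autodesk-nlm"}

# One `netstat -ano` line: proto, local addr:port, remote addr:port, optional
# state (TCP only; UDP lines have none), owning PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed sample output (RFC 5737 documentation addresses as remotes).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  TCP    192.168.1.5:1422       203.0.113.10:80        ESTABLISHED     1600
  TCP    192.168.1.5:2080       203.0.113.20:80        ESTABLISHED     1600
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.5:1039       198.51.100.7:21        ESTABLISHED     1600
  TCP    192.168.1.5:1044       198.51.100.9:2080      ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table, standing in for what Process Explorer,
# fport or `tasklist` would report on the real machine.
PROCESSES = {4: "System", 844: "svchost.exe", 1600: "iexplore.exe", 2212: "unknown.exe"}


@dataclass
class Entry:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: Optional[int]   # None for UDP's "*"
    state: str             # "" when netstat prints no state column
    pid: int


def parse_netstat(text: str) -> List[Entry]:
    """Return one Entry per connection line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        rport = None if m["rport"] == "*" else int(m["rport"])
        entries.append(Entry(m["proto"], m["laddr"], int(m["lport"]),
                             m["raddr"], rport, m["state"] or "", int(m["pid"])))
    return entries


def classify(e: Entry, processes: dict) -> Tuple[str, str]:
    """Decide what an entry means and who owns it.

    'outbound'  - we connected out; the local port is just the ephemeral source
                  port, so an IANA name for it is a false positive.
    'listening' - a process is accepting connections; the owning process,
                  not the port's name, is what needs to be verified.
    'review'    - anything else (e.g. a connection to a high remote port).
    """
    name = processes.get(e.pid, "<unknown pid>")
    lo, hi = EPHEMERAL_RANGE
    rport = "*" if e.rport is None else e.rport
    if e.state == "LISTENING":
        return ("listening",
                f"{name} (pid {e.pid}) accepts connections on {e.proto}/{e.lport}; verify this process")
    if e.state == "ESTABLISHED" and lo <= e.lport <= hi and e.rport is not None and e.rport < 1024:
        note = f"{name} (pid {e.pid}) connected out to {e.raddr}:{e.rport}; local port {e.lport} is ephemeral"
        if e.lport in IANA_NAMES:
            note += f" (IANA name '{IANA_NAMES[e.lport]}' is a false positive here)"
        return ("outbound", note)
    return ("review",
            f"{name} (pid {e.pid}) {e.proto} {e.laddr}:{e.lport} -> {e.raddr}:{rport} {e.state}".rstrip())


def analyze(text: str, processes: dict) -> List[Tuple[Entry, str, str]]:
    """Parse netstat text and attach a (category, note) verdict to each entry."""
    return [(e, *classify(e, processes)) for e in parse_netstat(text)]


if __name__ == "__main__":
    for entry, category, note in analyze(NETSTAT_SAMPLE, PROCESSES):
        print(f"{category:9s} {note}")
```

Run it as-is to see the verdicts for the constructed sample; on a real machine, paste the output of `netstat -ano` into `NETSTAT_SAMPLE` and fill `PROCESSES` from `tasklist` or Process Explorer. The two ESTABLISHED lines with local ports 1422 and 2080 come out as ordinary outbound web connections, which is the false positive Rich describes; the LISTENING entry on 2080 owned by `unknown.exe` and the connection to a remote high port are the ones worth following up on with the process-inspection tools recommended in the thread.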
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 10691339
There is a trojan, WinHole, which does use one of the AutoCAD License Manager ports, 2080.
http://www.glocksoft.com/trojan_list/WinHole.htm

I'm having a hard time understanding why a legitimate AutoCAD software utility would be connecting to the sites you are referencing...
 

Author Comment

by:lizzieluvsyou
ID: 10693015
Well, I was able to explain away the ftp popup.
I took a look at the sites I visited that day, and on a message board, someone had direct-linked an image off of the site swords.com, which seems to be why it showed up as swords.txis.com on my computer.
However, I'm still getting weird traffic I can't explain, even when I'm not at any webpages.
A few such sites:
unicyclist.com
wx.com
level3.com
jobs.collegerecruiter.com

Tonight I haven't noticed that much outside the norm. I'll try your suggestions and see if anything else develops.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10694377
You probably do have a trojan, or infection. You need AV to scan your machine 1st and foremost. Then get a firewall going etc...
 

Author Comment

by:lizzieluvsyou
ID: 10695126
I ran McAfee antivirus on the suspect computer yesterday, but it didn't find anything wrong (it is fully updated).
I'm running an online version of Norton antivirus right now, I'll see if that makes any difference.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10696966
McAfee has a few settings that may help you, that aren't on by default... depending on your version of McAfee-
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101142  Use heuristics or the "find potentially unwanted/joke" settings
Remember on XP and WinME to turn off System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Ad-Aware might also turn something up, GL!
-rich
 

Author Comment

by:lizzieluvsyou
ID: 10720666
Alright, I'll try that too. I've already run Ad-aware... I had one piece of malware along with the usual junk, but it said it was low-risk, and after I removed it I continued having problems.

Lately, the activity has completely stopped. I didn't try the extra McAfee settings yet, but all other virus software I've run reports no problems.

I'm really quite confused. Since all the weird activity has stopped, though, I don't think I'll be able to determine what caused it.
 
LVL 18

Expert Comment

by:chicagoan
ID: 10721701
What did fport report?
 
LVL 1

Expert Comment

by:skyflash_de
ID: 11704181

The what.txt you posted above is a GIF file... why did you post it as a .txt file?

Anyway, I don't think you got a trojan, but nevertheless you shouldn't allow anything
to access ports, so get a firewall fast; I recommend Sygate Personal Firewall.

You probably were doing some strange stuff and visiting some strange websites, that's all.
 

Author Comment

by:lizzieluvsyou
ID: 11801675
It's a .txt to get around Geocities' image hotlinking limitations.
About going to odd websites -- it would happen even when there were no applications running.

I've gotten a firewall and secured myself a little more, and I haven't had any especially weird goings on.

I did find that the strangest part of it was a false alarm. The login window that popped up was due to a hot-linked image that was in somebody's signature on a message board.

As for the stuff that was showing up without me having any apps open, like I said, I have no idea.

The oddest thing that's happened lately was Microsoft Messenger popping up for no reason and asking for me to log in. When I did a netstat, it showed a connection to *.hotmail.com. At least I believe it was something like that; the first part might have looked like "bob13"... I googled it and some other people had reported similar occurrences, so I didn't worry about it.

Thanks for the comment.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11806405
The extra McAfee settings will detect "annoying" and "pests" as well as the regular viri; spyware often needs no browser open to pop up a window; they can open a window for you ;) (very nice of them, don't you think?)  The hotmail (MSN Passport) stuff can be turned off; setting in the preferences I think.
-rich
