Solved

Have I been hacked?

Posted on 2004-03-25
Last Modified: 2011-09-20
The other day, I was playing around with the command prompt, and did a "netstat".

I wasn't expecting anything unusual, but I stumbled upon a connection to hotmail.se. A little research and I found out that .se is an extension for Sweden, and the port belonged to something called "Autodesk License Manager".

I was quite worried, but I put it out of my head, figuring that it might have been from some spyware or something.

However, when I logged onto my computer tonight and started surfing the internet, I got a login box, like the type you get when you're trying to log into an FTP site, seemingly out of nowhere. It asked for a username and password.
I did a netstat, and this was the result:
http://www.geocities.com/stormy_chan/what.txt

After that, I immediately unplugged my laptop from my home network.
I did some research and found that, again, the port is used by Autodesk License Manager.
Does anyone have any idea what is going on? I'm sure it's bad, whatever it is. I can't seem to find any information on exploits regarding this port...
Question by:lizzieluvsyou
23 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684337
http://techfee.washington.edu/proposals/page8/2004-42
In the spring of 2004, Autodesk will release a new version, Architectural Desktop/Neon – AutoCAD 2004. This version represents a major advance in AutoCAD’s 3D design capacity, as well as significant user interface and productivity improvements. We skipped one AutoCAD upgrade because the improvements didn’t justify the expense. But this new version contains enough improvements to make an upgrade worthwhile. Since AutoCAD uses a network licensing model, we would be able to offer the new version for CAUP students to install on their own computers. The proposed number of licenses is sufficient to meet the anticipated demand.
 

Author Comment

by:lizzieluvsyou
ID: 10684362
I've honestly never heard of Autodesk License Manager or AutoCAD till today.
Actually, AutoCAD sounds distantly familiar, but I still assume that if I had it on my computer, it would be something I'd know about.
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684376
It may be attached to something other than AutoCAD. It could be attached to some other process that uses Autodesk License Manager.
 
LVL 44

Accepted Solution

by:
CrazyOne earned 168 total points
ID: 10684387
Here, use this free utility to see if you can find which process it may be attached to:

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Note: when you open the program, go to the View menu and make sure there is a check mark next to View > Lower Pane View > DLLs; if there isn't, then click on it.

Just click each process one at a time and look at the bottom window; note if that file is listed, and if it is, kill the process that had the file open.

Also do this

Try this

Start > Run > msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists, then one of the items in the startup is the culprit; you just need to track it down.


If you have Win2000 then
MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://www.pcmag.com/article2/0,4149,2173,00.asp

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
and
StartupMonitor
http://www.mlin.net/StartupMonitor.shtml
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 10684443
Autodesk is AutoCAD... 1422, 2080 (1538 too?) are supposedly reserved; however, M$ will typically use anything above 1024 for ephemeral ports. What you have there is a false positive (maybe). With M$ they are generally between 1024 and 5000; if you look here you can see that there are many ports "reserved" for other applications within that range of port numbers: http://www.iana.org/assignments/port-numbers
Ephemeral ports are ports that Windows binds to as the source: when you connect to www.example.com and you do a "netstat -a", you'll typically see your PC with a source port above 1024 and below 5000, connecting to DESTINATION www.example.com:http (port 80) or https (port 443).

I don't know what that geocities garbage is... doesn't look promising.

If you've been hacked... those could be statically bound ports; you can do this with many back-door programs. To keep yourself safe, you need a firewall, like ZoneAlarm. You also need anti-virus; with M$ there is practically no getting around it. ZA has a free FW that will suit your needs just fine. You should also turn off certain services on your PC.
The Remote Registry service needs to be disabled and stopped.
If you do not connect to a Windows network, you can disable the Server service, and NO-ONE can connect remotely to your PC; but don't touch it if you take your laptop to work and plug into a Windows domain, as you'll need the Server service. Also, the Messenger service can be disabled; this does not affect anything except your ability to get "net send" messages.

If you have XP Pro, turn on its firewall; it is a decent step FWD for M$. http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
If no XP Pro, then get ZoneAlarm. You'll need to scan your PC for viri and backdoors; McAfee has great detection definitions for most of the popular tools and viri out there, Norton does well with viri, however I do not think they do as well with detecting "malicious" programs. Ad-Aware also can detect some trojans and other annoyances...

ZA has the added benefit of helping you track down and/or stop new programs from running. If you install ZA, and all of a sudden get the newest virus out there (no company has made a virus definition for it yet, it's sooo new), and then it tries to spread to other machines via the internet, ZA will prompt you asking "would you like to allow "new-vir.exe" to access the internet?" You would say no, and you could put a check mark for "remember this response" for that program. Then track down that program and delete it. ZA is a port firewall and a process firewall also. It is "chatty" at first, but once you've got it set up, there is hardly ever a need to change much.
GL!
-rich
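The ephemeral-port reasoning in the reply above, turned into a small triage of `netstat -an` rows. This is an added example, not code from the thread or from any tool mentioned in it; it assumes the 1024-5000 source-port range the reply describes, a hand-picked set of expected destination ports, and a constructed sample dump rather than the poster's capture.

```python
import re
from typing import NamedTuple, Optional

# Destination ports a machine that is only browsing and reading mail is expected to use.
EXPECTED_REMOTE = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}
# IANA names the thread ran into; used only to word the false-positive explanation.
IANA_NAMES = {1422: "autodesk-lm", 2080: "autodesk-nlm", 1538: "3ds-lm"}
EPHEMERAL = range(1024, 5001)  # Windows client (source) port range of that era

class Verdict(NamedTuple):
    local_port: int
    remote: str
    remote_port: int
    state: str
    label: str   # "normal" or "investigate"
    reason: str

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")

def classify_line(line: str) -> Optional[Verdict]:
    """Classify one netstat row; headers and blank lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _proto, lport, raddr, rport, state = m.groups()
    lport, rport = int(lport), (int(rport) if rport.isdigit() else 0)
    name = IANA_NAMES.get(lport, "")
    if state == "LISTENING" or rport == 0:   # a bound socket, not an outbound connection
        label, reason = "investigate", f"bound on {lport}; map it to a process (fport/Process Explorer)"
    elif lport in EPHEMERAL and rport in EXPECTED_REMOTE:
        label, reason = "normal", f"ephemeral source port -> {EXPECTED_REMOTE[rport]}"
        if name:
            reason += f"; IANA name {name!r} is a false positive"
    elif lport not in EPHEMERAL:
        label, reason = "investigate", f"local port {lport} outside the dynamic range (statically bound?)"
    else:
        label, reason = "investigate", f"remote port {rport} is not a common service"
    return Verdict(lport, raddr, rport, state, label, reason)

def triage(netstat_output: str) -> list:
    return [v for v in map(classify_line, netstat_output.splitlines()) if v]

# Constructed sample in `netstat -an` layout (not the poster's capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:2080       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:1422       203.0.113.20:443       ESTABLISHED
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3128       198.51.100.7:6667      ESTABLISHED
"""
```

Feeding a real `netstat -an` dump to `triage()` leaves the `investigate` rows as the ones to hand to fport or Process Explorer; the `normal` rows are the ephemeral-source false positives the reply describes.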
 
LVL 15

Expert Comment

by:mattisflones
ID: 10684444
Hi lizzieluvsyou,
You have some kind of software from Autodesk, that's why.. no problem!
The txis.com I do not know what is, but it seems harmless.. You have not been hacked, 99% sure!

If youre afraid of spyware run:
spybot: http://beam.to/spybotsd
adaware: http://www.lavasoftusa.com/support/download/
Coolwebshredder: http://www.spychecker.com/program/coolwebshredder.html
These three tools take everything!

Mattis
 
LVL 15

Expert Comment

by:mattisflones
ID: 10684459
sorry Crazy, my QP is acting up again...
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10684477
:)
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10684478
AutoCAD is a 3D Computer Aided Design program (making floor plans, 3D modeling and such)... it's for very specific uses. You can search your HD for "auto*" (auto then asterisk) and see if it's there or not. I doubt it; sounds like an FP of the ephemeral ports. Run Windows Update also: open Internet Explorer, Tools, Windows Update, click scan, then review and install updates. http://www.microsoft.com/technet/security/tools/mbsahome.mspx MBSA can help you determine if your system is easy to penetrate also.
-rich
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 166 total points
ID: 10686043
fport
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
will map the port to the process that opened it, and you can go from there.
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 10691339
There is a trojan, WinHole, which does use one of the AutoCAD License Manager ports, 2080.
http://www.glocksoft.com/trojan_list/WinHole.htm

I'm having a hard time understanding why a legitimate AutoCAD software utility would be connecting to the sites you are referencing...
 

Author Comment

by:lizzieluvsyou
ID: 10693015
Well, I was able to explain away the FTP popup.
I took a look at the sites I visited that day, and on a message board someone had direct-linked an image off of the site swords.com, which seems to be why it showed up as swords.txis.com on my computer.
However, I'm still getting weird traffic I can't explain, even when I'm not at any webpages.
A few such sites:
unicyclist.com
wx.com
level3.com
jobs.collegerecruiter.com

Tonight I haven't noticed that much outside the norm. I'll try your suggestions and see if anything else develops.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10694377
You probably do have a trojan or infection. You need AV to scan your machine first and foremost. Then get a firewall going, etc...
 

Author Comment

by:lizzieluvsyou
ID: 10695126
I ran McAfee antivirus on the suspect computer yesterday, but it didn't find anything wrong (it is fully updated).
I'm running an online version of Norton antivirus right now, I'll see if that makes any difference.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10696966
McAfee has a few settings that may help you that aren't on by default... depending on your version of McAfee:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101142  Use heuristics or the "find potentially unwanted/joke" settings.
Remember, on XP and WinME, to turn off System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Ad-Aware might also turn something up, GL!
-rich
 

Author Comment

by:lizzieluvsyou
ID: 10720666
Alright, I'll try that too. I've already run Ad-aware... I had one piece of malware along with the usual junk, but it said it was low-risk, and after I removed it I continued having problems.

Lately, the activity has completely stopped. I didn't try the extra McAfee settings yet, but all other virus software I've run reports no problems.

I'm really quite confused. Since all the weird activity has stopped, though, I don't think I'll be able to determine what caused it.
 
LVL 18

Expert Comment

by:chicagoan
ID: 10721701
What did fport report?
 
LVL 1

Expert Comment

by:skyflash_de
ID: 11704181

The what.txt you posted above is a GIF file... why did you post it as a .txt file?

Anyway, I don't think you got a trojan, but nevertheless you shouldn't allow anything
to access ports, so get a firewall fast. I recommend Sygate Personal Firewall.

You probably were doing some strange stuff and visiting some strange websites, that's all.
 

Author Comment

by:lizzieluvsyou
ID: 11801675
It's a .txt to get around Geocities' image hotlinking limitations.
About going to odd websites -- it would happen even when there were no applications running.

I've gotten a firewall and secured myself a little more, and I haven't had any especially weird goings on.

I did find that the strangest part of it was a false alarm. The login window that popped up was due to a hot-linked image that was in somebody's signature on a message board.

As for the stuff that was showing up without me having any apps open, like I said, I have no idea.

The oddest thing that's happened lately was Microsoft Messenger popping up for no reason and asking for me to log in. When I did a netstat, it showed a connection to *.hotmail.com. At least I believe it was something like that. The first part might have looked like "bob13"... I googled it and some other people had reported similar occurrences, so I didn't worry about it.

Thanks for the comment.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11806405
The extra McAfee settings will detect "annoying" and "pests" as well as the regular viri. Spyware often needs no browser open to pop up a window; they can open a window for you ;) (very nice of them, don't you think?)  The hotmail (MSN Passport) stuff can be turned off, a setting in the preferences I think.
-rich
