
Am I hacked and is there a defence?


veronca

Newbie

Posts: 3

Joined: Thu Mar 03, 2011 4:07 pm

Post Thu Mar 03, 2011 4:10 pm

Am I hacked and is there a defence?

Hello,
I have had problems with my PC and internet connection for a long time and I'm definitely unable to solve them.
Perhaps it would be better to show some examples:
4/2010
tracing to the server seznam.cz

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pc1>tracert 77.75.72.3

Tracing route to 77.75.72.3 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 10.0.0.138
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * 43 ms 43 ms www.seznam.cz [77.75.72.3]

Trace complete.

After I discussed it with my provider (Telefonica), according to whose statement there was no trouble, the trace had changed after a few days:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pc1>tracert 77.75.72.3

Tracing route to www.seznam.cz [77.75.72.3]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 10.0.0.138
2 * 8 ms 8 ms 194.228.196.8
3 12 ms 12 ms * 88.103.203.33
4 13 ms 12 ms 12 ms 198.18.65.65
5 14 ms 13 ms 14 ms 198.18.10.37
6 13 ms 12 ms 13 ms 194.228.190.158
7 13 ms 12 ms 12 ms 194.228.190.157
8 13 ms 13 ms 14 ms nix.seznam.cz [194.50.100.195]
6 15 ms 13 ms 13 ms www.seznam.cz [77.75.72.3]

now it seems like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\h>tracert 77.75.72.3

Tracing route to www.seznam.cz [77.75.72.3]
over a maximum of 30 hops:

  1    2 ms    2 ms    2 ms  10.0.0.138
  2    40 ms    40 ms    39 ms  88.103.200.10
  3    47 ms    44 ms    44 ms  88.103.203.33
  4    47 ms    45 ms    44 ms  194.228.190.161
  5    46 ms    45 ms    45 ms  nix.seznam.cz [194.50.100.195]
  6    44 ms    45 ms    45 ms  www.seznam.cz [77.75.72.3]

Trace complete.

The time to 10.0.0.138 is sometimes below 1 ms.
But there are some other things which threaten me.
For example:
I manually clean my disk to free up more space. I delete all possible temp files from C:\Documents and Settings\h\Local Settings, but when emptying the Recycle Bin it shows it's not empty, and if I try to empty it again it shows a dialog asking whether I want to delete the file WINDOWS, and if I agree it says it's impossible: Dc6 can't be deleted since it's currently in use; access was denied.
Sometimes it shows the file Dc3 or Dc23.
Once, when I started Firefox, it started with http://95.168.201.76/ instead of google.com; another time it started with http://dp.000.in/.
I used ComboFix, avptool, SystemLook and HijackThis, but no problem was found.
To protect my PC I'm using NOD32 and ZoneAlarm.

Thanks for your help and suggestions

Veronca

kriscamaro68


Jr. Member

Posts: 61

Joined: Thu Mar 11, 2010 2:48 pm

Post Thu Mar 03, 2011 5:25 pm

Re: Am I hacked and is there a defence?

Why don't you just back up your data and reinstall Windows? If you do, you need to scan the backed-up data for possible malware as well. If you're that worried about it, that is probably the only way to get rid of a possible infection of the OS.
A+, Net+, Server+, Security+, MCP/XP

WCNA


Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Thu Mar 03, 2011 6:58 pm

Re: Am I hacked and is there a defence?

The best answer has already been given: wipe the machine and start over.

However, if you must:
Compare the traceroute from a different machine on the same switch to see if there's a difference
AND/OR
shut down all connections on the box, run Wireshark, and determine if any remaining traffic is legitimate. If you still have traffic after that....... wipe the machine  ;D
Last edited by WCNA on Thu Mar 03, 2011 7:01 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
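Added example for the first of WCNA's two checks, comparing traceroutes taken from two machines behind the same gateway (or, as in this thread, from one machine on different dates). This is editor-added code, not anything posted in the thread. The three sample runs are constructed from the hop lines quoted in the original post (the last hop of the second run, printed there as 6, is renumbered 9); the function and constant names are my own; and the only format assumption is the Windows XP tracert layout, which the parser accepts in both the English and the Czech localisation shown above, because it keys on the presence of an IP address rather than on the "Request timed out." text.

```python
"""Compare Windows tracert runs hop by hop: an added example, not code from the
thread.  Handles the English and the Czech localisation of tracert seen above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One hop line: number, three probe columns ("N ms", "<1 ms" or "*"), then
# "host [ip]", a bare IP, or the localised "Request timed out." text.  That
# text is never matched on: a hop whose remainder carries no IP is silent.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<probes>(?:(?:<?\d+\s*ms|\*)\s+){3})(?P<rest>.*?)\s*$")
PROBE_RE = re.compile(r"<?(\d+)\s*ms|\*")
TARGET_RE = re.compile(r"(?:(?P<host>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?")

# Address space that should not answer as a hop on the public Internet:
# RFC 1918, RFC 6598 carrier-grade NAT, RFC 2544 benchmarking, link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "198.18.0.0/15", "169.254.0.0/16")]

@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]  # milliseconds per probe; None = no reply
    ip: Optional[str] = None   # None when all three probes timed out
    host: Optional[str] = None

    @property
    def silent(self) -> bool:
        return self.ip is None

def parse_tracert(text: str) -> List[Hop]:
    """Return the hops of one tracert run in order; header lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [int(v) if v else None for v in PROBE_RE.findall(m.group("probes"))]
        t = TARGET_RE.fullmatch(m.group("rest"))
        hops.append(Hop(int(m.group("hop")), rtts,
                        t.group("ip") if t else None, t.group("host") if t else None))
    return hops

def silent_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where no probe was answered (routers dropping TTL-exceeded)."""
    return [h.number for h in hops if h.silent]

def non_public_hops(hops: List[Hop]) -> List[Hop]:
    """Hops that answered from an address range listed in NON_PUBLIC."""
    return [h for h in hops
            if h.ip and any(ipaddress.ip_address(h.ip) in net for net in NON_PUBLIC)]

def first_divergence(a: List[Hop], b: List[Hop]) -> Optional[int]:
    """Hop number at which two runs first answer from different addresses.
    Silent hops are skipped (a router that never replies looks the same from
    both machines); None means the paths agree wherever they could be compared."""
    for ha, hb in zip(a, b):
        if not (ha.silent or hb.silent) and ha.ip != hb.ip:
            return ha.number
    return None

def where_differs(a: List[Hop], b: List[Hop]) -> str:
    """'same'; 'local' when hop 1 (the default gateway) differs, which points at
    the box's own route table or ARP cache; 'upstream' when hop 1 is shared and
    the difference is on the provider side, visible to every machine behind it."""
    d = first_divergence(a, b)
    return "same" if d is None else "local" if d == 1 else "upstream"

# Sample runs, constructed from the hop lines quoted in the original post
# (the run after the ISP call is renumbered so that its last hop is 9).
TRACE_APRIL_2010 = "\n".join(
    ["Tracing route to 77.75.72.3 over a maximum of 30 hops", "",
     "  1     1 ms     1 ms     1 ms  10.0.0.138"]
    + [f" {n:2d}     *        *        *     Vypršel časový limit žádosti." for n in range(2, 11)]
    + [" 11     *       43 ms    43 ms  www.seznam.cz [77.75.72.3]"])
TRACE_AFTER_ISP_CALL = """\
  1     1 ms     1 ms     1 ms  10.0.0.138
  2     *        8 ms     8 ms  194.228.196.8
  3    12 ms    12 ms     *     88.103.203.33
  4    13 ms    12 ms    12 ms  198.18.65.65
  5    14 ms    13 ms    14 ms  198.18.10.37
  6    13 ms    12 ms    13 ms  194.228.190.158
  7    13 ms    12 ms    12 ms  194.228.190.157
  8    13 ms    13 ms    14 ms  nix.seznam.cz [194.50.100.195]
  9    15 ms    13 ms    13 ms  www.seznam.cz [77.75.72.3]"""
TRACE_NOW = """\
  1     2 ms     2 ms     2 ms  10.0.0.138
  2    40 ms    40 ms    39 ms  88.103.200.10
  3    47 ms    44 ms    44 ms  88.103.203.33
  4    47 ms    45 ms    44 ms  194.228.190.161
  5    46 ms    45 ms    45 ms  nix.seznam.cz [194.50.100.195]
  6    44 ms    45 ms    45 ms  www.seznam.cz [77.75.72.3]"""
```

Run on the thread's own numbers, `where_differs(parse_tracert(TRACE_AFTER_ISP_CALL), parse_tracert(TRACE_NOW))` returns `"upstream"`: hop 1 is the same 10.0.0.138 in every run and the path only changes from hop 2 on, which is the provider's routing and would look identical from any other machine behind that gateway. The April run's nine silent hops are routers that do not send ICMP time-exceeded replies, a common sight and not by itself a sign of anything on the PC, and it is also why `first_divergence` skips them rather than counting them as a difference. The 198.18.0.0/15 hops in the second run are RFC 2544 benchmarking space that some providers reuse on their internal network; worth asking the ISP about, but again a property of the provider's network. The only place a compromised PC can show up in a traceroute at all is hop 1 (a changed default gateway or a poisoned ARP entry), and that is the case `where_differs` reports as `"local"`.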

veronca

Newbie

Posts: 3

Joined: Thu Mar 03, 2011 4:07 pm

Post Fri Mar 04, 2011 12:14 pm

Re: Am I hacked and is there a defence?

I should have mentioned that it's not the first PC I'm using, but troubles like that appeared within about 24 hours on every one I connected. I even tried to secure them with different security software (different antivirus, firewalls, antispyware and antimalware), and I reinstalled the OS many times, but there was no effect.
I was told that it's like a reverse DNS attack, but I'm not sure.
Do you know some really good software which is able to detect it?

WCNA


Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Fri Mar 04, 2011 12:28 pm

Re: Am I hacked and is there a defence?

Detect it? Other than Wireshark, no. In your case, I'd consider Deep Freeze from Faronics.
ISC2 Associate, WCNA, CWNA, OSCP, Network+

veronca

Newbie

Posts: 3

Joined: Thu Mar 03, 2011 4:07 pm

Post Thu Mar 10, 2011 2:14 am

Re: Am I hacked and is there a defence?

veronca wrote: I'll try it, since yesterday while surfing ZoneAlarm showed me an alarm: ZoneAlarm has detected a new network with IP (10.0.0.0/255.255.255.0) and added it to the Internet Zone.
Thanks
