Re: Hacked?
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 01/09/04
- Next message: taff: "Re: Microsoft Applications Slowing Down"
- Previous message: jjoe: "Microsoft Applications Slowing Down"
- In reply to: Jeff: "Hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 8 Jan 2004 21:42:34 -0500
My first guess, without more information, is that this sounds likely to be normal.
Sometimes computers where Windows was installed by Dell or another
manufacturer or installed on another network with different IP addresses may
have some kind of pointer to try to contact a computer on that network.
Those are NetBIOS ports, and NetBIOS is somewhat chatty and can generate
traffic at times you would not expect, making network monitoring of it
tricky. Knowing the remote IP address and host name would be helpful
towards making a better guess. Since there is a good chance this is
probably nothing, installing Zone Alarm on the computer in question would be
one way to try to tell which executable is generating the traffic.
"Jeff" <anonymous@discussions.microsoft.com> wrote in message
news:058701c3d565$79c199d0$a101280a@phx.gbl...
> Hello. My ignorance will be vivid here....
>
> I'm currently doing marketing at a small office, but, as
> I'm technically inclined enough to be dangerous, in my
> spare time I do the IS support as well. They had an outside
> consultant set up the system, and he had done other
> setups/management when needed, but is no longer
> available. He'd set up the network with a Symantec
> VPN/Firewall appliance as the external gateway, but had
> opened up ports to a server inside the network which is
> currently hosting the email server (Xmail), DNS, as well
> as a simple web app to do web-mail checking for employees
> from the outside. He also opened ports for SSL, termserver,
> FTP, SMTP, and POP3, and another port for remote admin.
>
> It looked a bit insecure to me when I noticed it, so I
> installed ZoneAlarm on this server inside the network,
> which is currently working. Plans are to move the web
> serving onto another server which will be put into a DMZ.
> After noticing these open ports, I also decided to pay
> more attention to the firewall logs, and noticed not just
> the normal external port scan attack blocks, but also that
> a couple of computers, including the company server, are
> attempting to access outside IPs using closed port calls
> (therefore, the firewall catches and logs them). These
> blocks come with the message 'Block host "" internet
> access', and are typically using ports 139 & 445. It looked
> suspicious, so I ran an fport scan on the server, and it
> did show ports 139 & 445 open, but shows that the PID is
> 8 (the system). I also did some Ethereal scanning of the
> network, and it does show that the server is trying to
> access this specific external IP address.
>
> My question is (kudos if you've patiently read everything
> so far), how do I find out what this process is that is
> trying to do these accesses, or am I being overly
> paranoid? As you can most likely tell from this, I'm not
> the most technically adept IT support person, so I'd also
> appreciate references/suggestions on materials to help me
> out here.
>
> Thanks in advance to all.
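The check Karl suggests (finding which executable is behind the outbound 139/445 attempts), done from command-line output instead of ZoneAlarm, as an added example that is not part of this thread. It parses the text output of `netstat -ano` and `tasklist` (the `-o` switch that shows the owning PID exists from Windows XP on; on NT 4.0/2000 fport fills the same role), keeps only connections to 139/445 whose remote address is outside the private ranges, which is what the poster's firewall was blocking, and names the process that owns each one. The sample outputs below are constructed, not captured from the poster's server. Two facts the code relies on: the System process is PID 8 on NT 4.0/2000 (the "Pid 8" in the fport output above) and PID 4 on XP and later, and a connection owned by it comes from the kernel SMB redirector, so the thing to hunt for is a mapped drive, printer, shortcut or scheduled task with a UNC path on that machine, not a user-mode executable.

```python
"""Map outbound NetBIOS/SMB connections (TCP 139/445) to the owning process.

Added example, not code from the original thread. Parses `netstat -ano`
and `tasklist` output; the SAMPLE_* strings are constructed, not real.
"""
import ipaddress
import re

NETBIOS_PORTS = {139, 445}
# System process PID: 4 on XP and later, 8 on NT 4.0 / 2000 (the poster's
# fport showed 8). Its sockets belong to the kernel SMB redirector.
KERNEL_PIDS = {4, 8}

# Explicit RFC 1918 / loopback / link-local list. ipaddress.is_private is
# deliberately not used: it also treats the documentation ranges used in
# the samples (203.0.113.0/24, 198.51.100.0/24) as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.40.1.161:1045       203.0.113.25:139       SYN_SENT        4
  TCP    10.40.1.161:1046       203.0.113.25:445       SYN_SENT        4
  TCP    10.40.1.161:1100       10.40.1.5:445          ESTABLISHED     4
  TCP    10.40.1.161:1200       198.51.100.7:445       SYN_SENT        2212
  TCP    10.40.1.161:3389       10.40.1.20:4412        ESTABLISHED     1588
  UDP    10.40.1.161:137        *:*                                    4
"""

# Constructed sample of `tasklist` output.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         28 K
System                           4 Services                   0        236 K
svchost.exe                   1588 Services                   0      5,120 K
updater.exe                   2212 Console                    1      3,404 K
"""

# State column is absent on UDP lines, hence the optional group.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image names may contain spaces ("System Idle Process"), hence the lazy group.
_TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+[\d,]+\s+K\s*$")


def is_external(ip):
    """True when ip lies outside the private, loopback and link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_netstat(text):
    """One dict per connection line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        if not port.isdigit():      # "*:*" foreign address on UDP sockets
            continue
        conns.append({"proto": proto, "local": local, "remote_ip": host,
                      "remote_port": int(port), "state": state or "",
                      "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """{pid: image name} from `tasklist` output; header lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def find_outbound_netbios(netstat_text, tasklist_text):
    """Connections to 139/445 on external hosts, tagged with their owner."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["remote_port"] not in NETBIOS_PORTS or not is_external(c["remote_ip"]):
            continue
        c["image"] = procs.get(c["pid"], "<unknown>")
        if c["pid"] in KERNEL_PIDS:
            c["note"] = ("kernel SMB redirector: look for a mapped drive, printer, "
                         "shortcut or scheduled task using a UNC path on this host")
        else:
            c["note"] = "user-mode process: inspect this executable"
        findings.append(c)
    return findings


if __name__ == "__main__":
    for f in find_outbound_netbios(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f['proto']} -> {f['remote_ip']}:{f['remote_port']} "
              f"pid {f['pid']} ({f['image']}): {f['note']}")
```

On a real host, run `netstat -ano > ns.txt` and `tasklist > tl.txt` while the firewall is logging the blocks, then pass the two files' contents to `find_outbound_netbios`. Since the blocked connections never complete, catching them in `SYN_SENT` is a matter of timing; the remote address and port from the firewall log tell you what to filter on, which is the information Karl asks for above.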