Korean Job Discussion Forums "The Internet's Meeting Place for ESL/EFL Teachers from Around the World!"
the saint (Joined: 09 Dec 2003; Location: not there yet...)
Posted: Fri Jul 23, 2004 5:38 am    Post subject: Weird
Left the computer, as usual, connected to shareaza overnight. Turned the monitor off and toodled off to bed.
Woke up to see a black screen with the message you get when you try to boot with a non-system floppy in. You know... please insert a system disk or whatever... and boot away...
Thought "uh oh"...
Checked there were no floppies in there and tried to reboot. Thing keeps booting back to this message. Flick the power off to escape. Try to reboot when the disks have spun down and it forces me to safe mode but then won't do anything but reboot back to the safe mode screen message each time I try.
Try some advanced engineering.... i.e. head for safe mode once more and press a lot of F keys while this is happening. It works. I'm into safe mode. I update Norton and do a virus scan - nothing. Check the Norton logs - nothing. Check the firewall logs - nothing except that I notice that the logs all end around 1:30am with nothing unusual in them... i.e. the usual bunch of nasties attempting to get in and being blocked that you get on a Thrunet connection. However, there is a record that at one point says "Intrusion detection disabled" and then shortly after "Intrusion detection enabled" again. But this is obviously before the system froze up.
Anyway, reboot to normal and everything is fine... except that whenever I shut down it takes a lot longer than before to shut down.
I have not been running anything dodgy and have a brand new legal copy of Norton Internet Security installed. I virus scan like I'm paranoid and nothing like this has ever happened. The system is less than two months old.
What happened?
wylde (Joined: 14 Apr 2003)
Posted: Fri Jul 23, 2004 6:28 am
i get weird shit like that sometimes... i just load up (w2k) into the last working config when booting.. update my gear, run adaware and scan for viruses.. i figure that if these guys are smart enough to get past the latest update of mcafee there is nothing i can do to stop them..
i too have had my mcafee firewall turned off overnight... bit concerning but.. as i say.. if it is a hack and these guys are smart enough to bypass the latest stuff.. what ya gunna do?
Demophobe (Joined: 17 May 2004)
Posted: Fri Jul 23, 2004 9:29 am
Wow...quite the story.
I have no idea what may have happened, although it does sound like someone got in by disabling Norton, which soon re-enabled itself, and perhaps this caused a freeze.
Someone was probably in your comp....I don't want to jump to conclusions, but there are a lot of script kiddies in Korea. I dunno....doesn't sound like they got to do much before the system froze.
Does Norton check outbound traffic like Zonealarm? I mean, can you tell when some program is accessing the net?
wylde (Joined: 14 Apr 2003)
Posted: Fri Jul 23, 2004 9:32 am
even if it does.. what ya gunna do?
wylde (Joined: 14 Apr 2003)
Posted: Fri Jul 23, 2004 9:44 am
just say, for argument's sake, he is a joker... if he can get around the firewall once what is gunna stop him again?
although the above shit has happened to me no files have moved up or down.
i wouldn't lose sleep over it saint
stuff can tell when it has accessed the net but it shouldn't with a firewall running and without you OKing it..
if someone bypasses the firewall.. question stands.. what ya gunna do?
chill mate, relax
Demophobe (Joined: 17 May 2004)
Posted: Fri Jul 23, 2004 4:35 pm
Well, there is a lot he can do.
First, contact Norton about known vulnerabilities. Send them the log files.
Second, if Norton checks for progs having internet access, he can block the perhaps trojan that was run remotely on his system. He can learn about ports and which ones the hackers like most, then he can close off all ports except for his P2P program port.
Next, check the IP logs in Norton (assuming it has them) and send the IP list of connections to Thrunet, or wherever they resolve. Yes, they may be proxies that these idiots hide behind, but it's worth a try.
Switch firewalls. Heard a lot of negative things about Norton. Try running two in concert with each other. Back in my days of mischief, I ran Zonealarm with BlackICE Defender. Very often, this can lead to conflicts and problems on the computer, although I had none.
He can get a hardware firewall/router for his cable connection. This is a solid defense. Software firewalls are limited... hardware firewalls will stop these little punks.
Change ISPs. May be tough where he lives, but look into it. Thrunet blows.... I like KT. Don't want to start a silly "I like_____" war.... just my opinion.
The problem may have been a vulnerability of Shareaza or whatever it's called. Do some googling for others with similar problems... also find out (as I said) what ports it uses for incoming and outbound traffic. Maybe they are exploitable.
In an ideal world, you would have a "P2P" computer.... an old crappy box just for downloading. Wouldn't cost much to put one together and keep your new system off the polluted networks.
Personally, if someone is hacking my computer, I would find it very, very difficult to just chill. You will have to do something about it, not just say "oh well".
It will happen again. I know you are not ok with that.
wylde (Joined: 14 Apr 2003)
Posted: Sat Jul 24, 2004 1:10 am
i have been outta things like this for years and years...
Demophobe wrote:
> Well, there is a lot he can do.
Quote:
> First, contact Norton about known vulnerabilities. Send them the log files.
nice thought but it is not gunna fix the problem.. if it is a new trojan or hack why would they waste this valuable exploit on a home pc? if it is new being sent out in bulk it is only a very short time before norton would have it covered anyway
Quote:
> Second, if Norton checks for progs having internet access, he can block the perhaps trojan that was run remotely on his system. He can learn about ports and which ones the hackers like most, then he can close off all ports except for his P2P program port.
if it is a new trojan why would they waste this valuable exploit on a home pc? norton know their stuff.. meaning anything but a brand spanking new trojan would be detected..
we can discard trojans altogether i think.. no need to learn about ports to block connection to a trojan that doesn't exist.. in a perfect world we would close all unused ports altogether.. most of us don't want to waste time with this so we leave it to the software that the experts design..
Quote:
> Next, check the IP logs in Norton (assuming it has them) and send the IP list of connections to Thrunet, or wherever they resolve. Yes, they may be proxies that these idiots hide behind, but it's worth a try.
if a person knows how to bypass a firewall and an anti virus you can bet money they are running a proxy or their ip is disguised.. kinda common sense
Quote:
> Switch firewalls. Heard a lot of negative things about Norton. Try running two in concert with each other. Back in my days of mischief, I ran Zonealarm with BlackICE Defender. Very often, this can lead to conflicts and problems on the computer, although I had none.
zonealarm i think is the best... however, things like this have happened whilst zonealarm was running also... peer guardian is a good little prog to have running as well..
Quote:
> He can get a hardware firewall/router for his cable connection. This is a solid defense. Software firewalls are limited... hardware firewalls will stop these little punks.
sound idea
Quote:
> Change ISPs. May be tough where he lives, but look into it. Thrunet blows.... I like KT. Don't want to start a silly "I like_____" war.... just my opinion.
getting a proxy or an ip changer would be a better first bet.
Quote:
> The problem may have been a vulnerability of Shareaza or whatever it's called. Do some googling for others with similar problems... also find out (as I said) what ports it uses for incoming and outbound traffic. Maybe they are exploitable.
most likely
Quote:
> In an ideal world, you would have a "P2P" computer.... an old crappy box just for downloading. Wouldn't cost much to put one together and keep your new system off the polluted networks.
good idea
Quote:
> Personally, if someone is hacking my computer, I would find it very, very difficult to just chill. You will have to do something about it, not just say "oh well".
> It will happen again. I know you are not ok with that.
it could be a browser exploit, it could be a dozen things..
if it is something like download.ject that will install itself when you just click on an infected webpage. it is a key logger, new and dangerous but norton blasts it..
there are 3 types of hacker..
1 who wants information - if there is nothing on your pc that is valuable ie credit card info, banking info, passwords or "special" files there is no reason for a hack as everything else is available through p2p..
1 who is malicious - gets pleasure from destroying systems..
1 who is an amateur - learning the ropes and generally playing around, they tend to go for unprotected systems rather than protected systems
one who can bypass an anti virus and a firewall shouldn't be put in the 'amateur' class.
if they set out to be malicious they would have done a hell of a lot more than crashing your system. and generally, if someone wants to get ya, you have done something to them first or they don't like you for some reason.. a simple but effective method is to delete the win.exe file. if it were not possible to do this through an exploit in the p2p prog and it was easy enough to crash a system it may be that someone was angry at you for cancelling their upload and took revenge.
the info guy is the one to worry about.. if you do your banking or purchase stuff with your credit card online there could be numbers floating around on your machine. a simple program like system mechanic will clean out all your history and eliminate this problem and change the settings so windows doesn't remember passwords to web sites that you visit.. an easy way to get numbers and passwords is to use a key logger but your anti virus would blast that in a second..
i say 'chill' because it is highly unlikely that an experienced hacker has picked 'you' to work on unless you have been obvious somewhere about using your credit card online or you have an enemy..
i say 'chill' cuz no serious damage was done to your system and no files (that you can see) were moved or deleted.
i say 'chill' cuz if it were as simple as a trojan the anti virus would have it in a flash..
i say 'chill' cuz if it were some new super dooper trojan that norton can't detect the owner wouldn't risk wasting it on a home pc..
i say 'chill' cuz i like to 'chill' in general.
i run a spyware prog, a firewall (+ peer guardian), an anti virus and a popup stopper..
updated and scanned regularly...
nothing secret on this machine, everything on my puter is available through p2p and i am confident enough with the competence of my security software manufacturer that i don't stress about minor hiccups..
i'm far from an expert here but there are simple things you can do before taking extreme measures
the saint (Joined: 09 Dec 2003; Location: not there yet...)
Posted: Sat Jul 24, 2004 1:14 am
Thanks guys... interesting.
Left it on again last night. Slightly different story. All fine until what seems like 2:46 am when the system froze. I woke up to a black screen and a mouse icon. Nothing more. At least the icon moved when I moved the mouse but that was it. Held my breath and it rebooted fine this time. It is also now shutting down at normal speed.
I went and checked every log that Norton provides (and yes it does do an application log). There was no activity logged for any application.
Check out these two logs though...
First up, the firewall log.
Firstly, all those blocked things are actually connections to the Gnutella network on port 6346. I've now configured the firewall to allow Shareaza that port for communication so it is open. I wonder what the Rule "Microsoft... blah blah blah stealthed" thing is though. Is that someone scanning my ports?
Then, the intrusion detection log...
This shows that I have continual MS_RPC_DCOM_Heap_BO attacks on port 135. I've run DCOMbobulator and I've tested this port and know it is stealthed but the attacks are continual and will consume CPU time.
Most of this activity, when I can trace it, originates from Thrunet itself - other subscribers I presume. I'm about to head home to the UK for the summer but in the autumn, I'm seriously considering changing to Megapass or KT (if they do my area) cos this is a pain in the butt.
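As an added example (not code from this thread, and not Norton's own tooling or log format), here is a small Python summariser that does mechanically what the post above does by eye: it counts blocked inbound connections per local port so the Gnutella noise on 6346 can be separated from probes of other ports, tallies intrusion signatures such as MS_RPC_DCOM_Heap_BO per source address so that a complaint to the ISP has a concrete list attached, and finds windows in which intrusion detection was disabled (the first post in the thread noticed such a disabled/enabled pair in its logs; anything that happens inside such a window is unlogged). The "timestamp | category | message" layout, the addresses (RFC 5737 documentation ranges) and every event in SAMPLE_LOG are constructed for this example.

```python
"""Summarise a personal-firewall / intrusion-detection log (added example).

The log format below is constructed for this example; it is not Norton's
real format. Addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: "timestamp | category | message".
SAMPLE_LOG = """\
2004-07-23 23:58:01 | FIREWALL | Blocked inbound TCP from 192.0.2.10:3521 to local port 6346
2004-07-23 23:58:05 | FIREWALL | Blocked inbound TCP from 192.0.2.11:4010 to local port 6346
2004-07-24 00:02:13 | IDS | MS_RPC_DCOM_Heap_BO from 203.0.113.77:1734 to local port 135
2004-07-24 00:02:15 | IDS | MS_RPC_DCOM_Heap_BO from 203.0.113.77:1735 to local port 135
2004-07-24 00:10:40 | IDS | MS_RPC_DCOM_Heap_BO from 203.0.113.99:2200 to local port 135
this line is deliberately malformed and must be skipped
2004-07-24 01:29:50 | SYSTEM | Intrusion detection disabled
2004-07-24 01:31:02 | SYSTEM | Intrusion detection enabled
2004-07-24 01:32:00 | FIREWALL | Blocked inbound UDP from 198.51.100.12:1026 to local port 1026
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| (?P<cat>\w+) \| (?P<msg>.*)$")
CONN_RE = re.compile(
    r"^(?P<sig>.+?) from (?P<src>\d+(?:\.\d+){3}):\d+ to local port (?P<port>\d+)$")


def parse_log(text):
    """Return one event dict per well-formed line; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
              "cat": m["cat"], "msg": m["msg"],
              "sig": None, "src": None, "port": None}
        c = CONN_RE.match(m["msg"])
        if c:
            ev["sig"], ev["src"], ev["port"] = c["sig"], c["src"], int(c["port"])
        events.append(ev)
    return events


def summarize(events, allowed_ports=frozenset({6346})):
    """Aggregate what a reader would otherwise pick out of the log by eye."""
    blocked_by_port = Counter(e["port"] for e in events
                              if e["cat"] == "FIREWALL" and e["port"] is not None)
    ids_hits = Counter((e["sig"], e["src"]) for e in events
                       if e["cat"] == "IDS" and e["src"] is not None)
    # Windows in which intrusion detection was off: anything that happened
    # there is simply unlogged, so they are worth knowing about.
    gaps, off_since = [], None
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["msg"] == "Intrusion detection disabled":
            off_since = e["ts"]
        elif e["msg"] == "Intrusion detection enabled" and off_since is not None:
            gaps.append((off_since, e["ts"], int((e["ts"] - off_since).total_seconds())))
            off_since = None
    if off_since is not None:  # disabled and never re-enabled before the log ends
        gaps.append((off_since, None, None))
    return {
        "blocked_by_port": blocked_by_port,
        "ids_hits": ids_hits,
        "ids_gaps": gaps,
        # Blocked traffic to ports other than the ones you expect to be probed
        # (here only the P2P port is expected).
        "unexpected_ports": {p: n for p, n in blocked_by_port.items()
                             if p not in allowed_ports},
    }


def top_sources(summary, n=3):
    """Noisiest (signature, source) pairs: the concrete list to hand to an ISP."""
    return summary["ids_hits"].most_common(n)


def report(summary):
    """Human-readable rendering of summarize()'s result."""
    lines = ["Blocked inbound connections per local port:"]
    for port, count in sorted(summary["blocked_by_port"].items()):
        lines.append(f"  port {port}: {count}")
    lines.append("Intrusion signatures per source:")
    for (sig, src), count in top_sources(summary):
        lines.append(f"  {sig} from {src}: {count}")
    for start, end, secs in summary["ids_gaps"]:
        end_txt = end.strftime("%H:%M:%S") if end else "(not re-enabled)"
        lines.append(f"Intrusion detection OFF {start:%H:%M:%S} -> {end_txt}"
                     + (f" ({secs}s)" if secs is not None else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_log(SAMPLE_LOG))))
```

The allowed_ports argument is where the P2P port the firewall has deliberately been opened for goes; everything else that was blocked is listed separately, which is the quickest way to see whether a port scan is hiding behind the Gnutella chatter. The per-source tally is what you would attach to a report to the ISP, which is more useful than the raw log, since most of the hits in the thread come from the same upstream network.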
the saint (Joined: 09 Dec 2003; Location: not there yet...)
Posted: Sat Jul 24, 2004 1:23 am
Wylde, there are some good points there. I'm more of a "chill"er I guess, partly because I don't have the tech capabilities to do much more than I am.
Your idea for an IP changer was very good. Any free ones you'd recommend?
Demo... I understand what you are saying but I simply don't have time for this. Your idea to search for Shareaza hiccups is good though.
wylde (Joined: 14 Apr 2003)
Posted: Sat Jul 24, 2004 2:00 am
no. sorry mate.
just spend some time searching for what's about.. check the crack/serial pages to see which program and version they have cracked and download the same program/version..
i can't offer much help with the logs either.. that's the type of stuff i would suggest sending away to norton.. hopefully you'll get results..
good luck!
Zenpickle (Joined: 06 Jan 2004; Location: Anyang -- Bisan)
Posted: Mon Jul 26, 2004 5:43 am
Something similar happened to me when I got a new computer and hooked it up to the internet. The next day it did the same thing and then the hard drive started reporting bad sectors.
My conclusion is that my firewall was not too good or wasn't updated. So after exchanging my hard drives for new ones (they were under warranty), I set up my computer again, using Sygate's Personal Firewall.
I haven't had a problem since.
Two of us at our school have noticed that our computers have gotten a lot more outside attacks here than when we were in North America. I notice that a lot of my attacks originate in Busan.