
Thread: Was I hacked?

  1. #1
    keithvaz Guest

    Was I hacked?

    Hi,
    I've had some security concerns recently so I installed ZA. It worked fine at first with settings set to High, but then one time I couldn't connect to a wireless network which I had previously used without a problem. I had the same problem with a second network which I had also used with settings on High.
    After restarting the modem and trying other things without success, I reduced the settings to Medium, and this allowed me to connect. A few days later I happened to open My Network Connections, and saw about 15 folders in there. All of them disappeared after a second or two except one called Administrator, which disappeared after about another second.
    There was, or should have been, nobody else on the network at the time - I was the only person in that building. The day after this incident, I was able to connect to the same network, and the other one that I had had issues with, with the security settings on High. I have frequently opened My Network Places since this incident, with the ZA at various settings or even switched off, and nothing has shown up.
    What is the most likely explanation for this?
    Thanks, Keith

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm (Free)

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Was I hacked?




    Check the firewall logs for the network connection events...this will show what and where happened.
    Anything else would be guessing on my part.

    Using WEP or WPA for the wireless and have the computer MAC locked in the wireless router?
    Changed the default password and login for the router?
    Updated the router's firmware?
    Checked to see if the router is using the correct DNS IPs (if it does DNS lookups for the LAN connected devices)?
    Got the SPI enabled and no changes made to the router?
    If yes to all of these questions, then maybe not hacked.

    Does the ipconfig show the correct DHCP/gateway and DNS servers?
    If yes, then not hacked.

    It could be (an explanation), there were several wireless connections available at that time... and maybe this is an answer.
    It could be the ZA was misconfigured and networking issues happened and this could be the answer.

    Have you tried this with the ZA?
    Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.
    6. The Trusted slider should be at the middle level.

    Extra help is found at Guru Hoov site for the DNS/DHCP.


    Oldsod.
    Best regards.
    oldsod
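
    The `ipconfig /all` check suggested in the post above can be scripted. The following is an added example, not part of the original thread or of ZoneAlarm: it parses saved `ipconfig /all` output, flags DHCP or DNS servers that are not on a list you expect, and returns the remaining addresses as candidates for the Trusted zone. The sample output, the expected-server sets and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout Windows XP prints for `ipconfig /all`.
# 203.0.113.53 is a documentation address standing in for an unexpected resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Wireless Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# "Key . . . . : value" lines: a label, a dot leader, a colon, then the value.
KEY_LINE = re.compile(r"^\s+(\S.*?)(?:\s*\.)+\s*:\s*(.*)$")
FIELDS = {"Default Gateway": "gateway", "DHCP Server": "dhcp", "DNS Servers": "dns"}


def _ip_or_none(text):
    """Return a normalised IP string, or None if text is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def parse_ipconfig(text):
    """Map each adapter section to its gateway, DHCP and DNS addresses."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Unindented lines are section headers; adapter headers end in ":".
            current = None
            if line.endswith(":"):
                current = adapters.setdefault(
                    line[:-1], {"gateway": [], "dhcp": [], "dns": []})
            last_field = None
            continue
        match = KEY_LINE.match(line)
        if match:
            last_field = FIELDS.get(match.group(1)) if current is not None else None
            value = match.group(2)
        else:
            value = line  # continuation line, e.g. a second DNS server
        if current is not None and last_field:
            ip = _ip_or_none(value)
            if ip:
                current[last_field].append(ip)
    return adapters


def audit(adapters, expected_dns, expected_dhcp):
    """List (adapter, reason, ip) for servers that are not on the expected lists."""
    findings = []
    for name, cfg in adapters.items():
        for ip in cfg["dhcp"]:
            if ip not in expected_dhcp:
                findings.append((name, "unexpected DHCP server", ip))
        for ip in cfg["dns"]:
            if ip not in expected_dns:
                findings.append((name, "unexpected DNS server", ip))
    return findings


def trusted_zone_candidates(adapters, findings):
    """DNS and DHCP addresses that passed the audit, de-duplicated and sorted."""
    flagged = {ip for _, _, ip in findings}
    seen = {ip for cfg in adapters.values()
            for ip in cfg["dns"] + cfg["dhcp"] if ip not in flagged}
    return sorted(seen, key=lambda ip: (ipaddress.ip_address(ip).version,
                                        int(ipaddress.ip_address(ip))))


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    # Assumed expectation: the home router at 192.168.1.1 serves both DHCP and DNS.
    issues = audit(parsed, expected_dns={"192.168.1.1"}, expected_dhcp={"192.168.1.1"})
    for adapter, reason, ip in issues:
        print(f"{adapter}: {reason}: {ip}")
    print("Trusted zone candidates:", trusted_zone_candidates(parsed, issues))
```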

  3. #3
    keithvaz Guest

    Re: Was I hacked?

    Hi Oldsod,
    Thanks for your help.
    I'm afraid my technical knowledge is not great so I didn't understand all of that. Besides, I am not on that network at the moment so I can't check everything that you suggest.
    I have two DHCP servers and a Loopback adapter in my Trusted Zone, and nothing else. The internet is working fine now.
    What should I look for in the logs? On the date I noticed the folders in my Network Places, xpnetdiag.exe accessed three times (outgoing), twice to one IP address and once to a different one. The first two were to Loopback and the third was to www159.mysearch.com. ZA's zlclient.exe also connected to Mysearch twice. But that wasn't the first time I connected to that network, so maybe any unauthorised access would have been earlier so would be in a different place in the records?
    The network was at my friend's house. She is less security conscious than me, and even less technically competent, so she probably didn't do anything like updating firmware or changing passwords unless it was done automatically.
    I think it is unlikely there were a lot of other networks available at that time, given my location. And besides, why would they all disappear so quickly, and why would they not show up later?
    What sort of misconfiguration and networking issues could have led to the folders showing in My Network Places?
    Thanks, Keith






  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Was I hacked?




    hmmm you may not be hacked, but there is an infection or malware present on your computer..

    Go here for help to remove the malware.
    Sign and open an account at the bleepingcomputer.com forum, then read all of the stickies in the link I just provided and make sure you follow the advice they give in those stickies and then post your HJT logs.
    The expert and experienced advice given to you is all free (no cost) and very effective.
    If you get stuck with the advice they give, they will explain further to make sure you understand the procedures.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    stupefy Guest

    Re: Was I hacked? (NO)

    ZoneAlarm Forum Volunteer Community Help

    The Master Browser Service Failed To Receive An Updated List From The Master Browser Computer

    All of the Icons and Folders visible in My Network Places are Only Shortcuts to Network Shares. When the Network Shares are No Longer Available the Shortcut Icons will Drop Off the Network, in other words, the Shortcut Icons will disappear from My Network Places.

    The Master Browser Service is responsible for populating the My Network Places with all of the Network Shares that are available to Any One Network. Only One Computer in Any One Network can Serve as a Master Browser for That Network. It is the Master Browser Computer that Maintains and Updates the Network Shares to all the computers connected to That Network. When a computer first connects to a Network, that computer is a Guest to That Network. An election for Master Browser takes place. Usually, but not always, the computer connected to the Network the longest is elected Master Browser for That Network. The Elected Master Browser then Populates and/or updates the My Network Places on all the computers connected to That Network with Shortcut Icons to all the Network Shares that are available to That One Network. The Guest Computer's My Network Places is also populated and/or updated with the Shortcuts to That Network's Shares. This process can take up to twenty minutes or longer to complete before any Shortcut Icons to Network Shares appear in My Network Places or access to Network Shares are available to the Guest Computer.

    Removing the Guest Computer from That Network to Another Network starts the entire process over on the New Network Connection. Any Network Shares on The Previous Network are No Longer Available and will Drop Off the Network, in other words, the Shortcut Icons to the Network Shares of The Previous Network will Disappear from My Network Places and after the election for Master Browser on the New Network takes place, the My Network Places of the Guest Computer will then be populated with New Shortcut Icons to the Network Shares of the Current Network. Removing the Guest Computer from this New Network back to The Previous Network or Any Other Network will again start the entire process over.

    Placing the Trusted Zone Security Level to High, or Placing the Internet Zone Security Level to High, will prevent any access to Network Shares and the Shortcut Icons in My Network Places will Drop Off the Network, in other words, the Shortcut Icons in My Network Places will Disappear from My Network Places. The Network Shares are No Longer Available or No Longer Exist.

    Private Networks, such as the one at your friend's house:
    The Firewall/Main/Trusted Zone Security Level Must Be Set To Medium and the Private Network Listing in Firewall/Zones Must Be Set To Trusted if Network Sharing is Desired or Required. The My Network Places before or after twenty minutes or more, will then be populated by the Master Browser.

    Public Networks, such as in a Coffee Shoppe:
    The Firewall/Main/Internet Zone Security Level Must Be Set To High and the Public Network Listing in Firewall/Zones Must Be Set To Internet if Network Sharing is Not Desired or Required. The My Network Places Will Never Be Populated by the Master Browser. Sharing is Not Permitted.

    START/Control Panel/Administrative Tools/Computer Management/Event Viewer/
    Examining these Logs will reveal that the Browser Service failed to obtain an updated list from the Master Browser.

    QUOTE/
    After restarting the modem and trying other things without success, I reduced the settings to Medium, and this allowed me to connect. A few days later I happened to open My Network Connections, and saw about 15 folders in there. All of them disappeared after a second or two except one called Administrator, which disappeared after about another second.
    \END QUOTE

    When the Firewall/Main/Trusted Zone Security Level is set to Medium or When the Firewall/Main/Internet Zone Security Level is set to Medium:
    Once connected to a Network the Master Browser for That Network will populate the My Network Places of the Guest Computer with Shortcut Icons to That Network's Shares. Also, clicking on Any Network Shares, or any connections to Network Shares, will automatically add a Shortcut Icon for That Network Share to My Network Places. Any Network Shares that are Not Available or No Longer Exist will Drop Off the Network, in other words, the Shortcut Icons will disappear from My Network Places.
    Changing Networks, Switching Firewall/Main/Trusted Zone Security Level to High, or Switching Firewall/Main/Internet Zone Security to High, or No Connection to Any Network, will trigger this event of disappearing Network Shortcut Icons in My Network Places.

    QUOTE/
    There was, or should have been, nobody else on the network at the time - I was the only person in that building. The day after this incident, I was able to connect to the same network, and the other one that I had had issues with, with the security settings on High. I have frequently opened My Network Places since this incident, with the ZA at various settings or even switched off, and nothing has shown up. What is the most likely explanation for this?
    \END QUOTE

    When the Firewall/Main/Trusted Zone Security Level is set to High or When the Firewall/Main/Internet Zone Security Level is set to High:
    Once connected to a Network the Master Browser for That Network Can Not Populate the My Network Places of the Guest Computer with Shortcut Icons to That Network's Shares. Sharing is Not Permitted.
    Changing the Firewall/Main/Trusted Zone Security Level back to Medium, or Changing the Firewall/Main/Internet Zone Security Level back to Medium, or Disabling Both, can then take the Master Browser of That Network up to twenty minutes or more to populate the Guest Computer's My Network Places with Shortcut Icons to That Network's Shares.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Was I hacked? (NO)




    Not too sure how master browser and computer browser fit into this ....many have the computer browser service disabled by default with the Windows XP SP2 and SP3.
    Only needed for servers on a private domain network, not for the average home user or ZA user.

    Oldsod.
    Best regards.
    oldsod

  7. #7
    stupefy Guest

    Re: Was I hacked? (NO)

    ZoneAlarm Forum Volunteer Community Help
    The Computer Browser Service Is For NetBIOS Name Resolution.
    If Stopped Or Disabled In The Local Host, Browsing The Local Network From That Computer Is Not Possible.

    The Computer Browser Service (and NetBT, which it uses), Is Enabled By Default whenever any of the following
    Operating Systems are installed.....And Can Not Be Stopped Or Disabled:

    Microsoft Windows Vista (Including Service Pack 1 and Service Pack 2 (SP2 to be released in the 2nd quarter 2009))
    Microsoft Windows XP (Including Service Pack 1, Service Pack 2, and Service Pack 3)
    Microsoft Windows 2000
    Microsoft Windows Millennium Edition
    Microsoft Windows 98
    The Computer Browser Service is essential for computers running Windows 98 or Windows Millennium Edition to browse
    for resources and it is required in Windows Server 2003, Windows XP, and Windows 2000 for using applications such as
    My Network Places, Windows Explorer, and the Net View Command.....read more at the Microsoft Links Below:

    How Computer Browser Service Works:
    http://technet.microsoft.com/en-us/l.../cc737661.aspx
    Description of the Microsoft Computer Browser Service:
    http://support.microsoft.com/kb/188001
    Appendix C Computer Browser Service
    http://technet.microsoft.com/en-us/l.../bb726989.aspx
    New Networking Features in Windows Server 2008 and Windows Vista:
    http://technet.microsoft.com/en-us/l.../bb726965.aspx
    If you cannot access shared files and folders or browse computers in the workgroup with Windows XP:
    This document clearly reveals that the Computer Browser Service can not be stopped or disabled:

    http://support.microsoft.com/kb/318030
    In Regards to ZoneAlarm and the Computer Browser Service:
    If ZoneAlarm Firewall/Main/Internet Zone Security/ -is set to High, and
    If ZoneAlarm Firewall/Zones/Public Network/ -is set to Internet, or
    If ZoneAlarm Firewall/Zones/Private Network/ is set to Internet, then
    The Computer Browser Service will fail to update My Network Places, File and Printer Sharing will not be available.
    If ZoneAlarm Firewall/Main/Internet Zone Security/ -is set to Medium or Off, and
    If ZoneAlarm Firewall/Zones/Public Network/ -is set to Internet, or
    If ZoneAlarm Firewall/Zones/Private Network/ -is set to Internet, then
    The Computer Browser Service will update My Network Places, File and Printer Sharing will be available.
    If ZoneAlarm Firewall/Main/Trusted Zone Security/ -is set to High, and
    If ZoneAlarm Firewall/Zones/Public Network/ -is set to Trusted, or
    If ZoneAlarm Firewall/Zones/Private Network/ is set to Trusted, then
    The Computer Browser Service will fail to update My Network Places, File and Printer Sharing will not be available.
    If ZoneAlarm Firewall/Main/Trusted Zone Security/ -is set to Medium or Off, and
    If ZoneAlarm Firewall/Zones/Public Network/ -is set to Trusted, or
    If ZoneAlarm Firewall/Zones/Private Network/ -is set to Trusted, then
    The Computer Browser Service will update My Network Places, File and Printer Sharing will be available.
    NOTE: In a Home Network, all the computers in the Workgroup are equal, in other words, all the computers in a
    Home Network Workgroup are Both Clients and Servers. When a computer shares its resources, that computer is a
    Server. When a computer uses resources from another computer (the server) that computer is a Client.
    This is called a Peer-to-Peer Network, even if the computers are behind a Router.
    Microsoft Windows Networks need at least One Share on Every Computer in the Network before Networking can occur.
    The Shared Folder: "Shared Documents" in C:\Documents and Settings\All Users\Shared Documents\ -provides this
    One Share by Default. However, Simple File Sharing also needs to be Enabled. Running the Microsoft Network Setup
    Wizard or the Microsoft Wireless Network Setup Wizard from Control Panel will Enable Simple File Sharing.
    NOTE: Vista Service Pack 2 was released today Wednesday, 29 April 2009 06:39 to the MSDN Members Only:
    MSDN stands for Microsoft Developer Network:
    http://msdn.microsoft.com/en-us/default.aspx

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Was I hacked?

    NetBIOS and file and printer sharing works fine without the Computer Browser Service and yes this can be disabled and stopped.
    Most people and home users never use or need this service as they usually are not running servers on their network.
    Computer browser is orientated towards business and enterprise networks, not the average home network.

    Nor is the Computer Browser Service a requirement for network connections to a gateway, the domain name lookup server or for the local and inter nets.

    See Windows Services jpeg:



    It is only required for a server(s) on a domain network.
    Not for establishing connections on a network.

    Not really involved with the poster's situation as the computer browser does not come into this situation (or any other ZoneAlarm networking issues).

    Oldsod.
    Best regards.
    oldsod

  9. #9
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Was I hacked?

    Also informing users to set the zones sliders to the Off level means there is no firewalling performed.
    Not recommended for security reasons.


    "NOTE: In a Home Network, all the computers in the Workgroup are equal, in other words, all the computers in a
    Home Network Workgroup are Both Clients and Servers. When a computer shares its resources, that computer is a
    Server. When a computer uses resources from another computer (the server) that computer is a Client.
    This is called a Peer-to-Peer Network, even if the computers are behind a Router.
    Microsoft Windows Networks need at least One Share on Every Computer in the Network before Networking can occur.
    The Shared Folder: "Shared Documents" in C:\Documents and Settings\All Users\Shared Documents\ -provides this
    One Share by Default. However, Simple File Sharing also needs to be Enabled. Running the Microsoft Network Setup
    Wizard or the Microsoft Wireless Network Setup Wizard from Control Panel will Enable Simple File Sharing."

    Reading your own previously provided links...this is wrong.
    Only in a peer to peer network are all of the computers of the workgroup equal.
    Most home users never use this arrangement.
    Not always are the computers in a home network equal..not all have access and some are accessed.


    Computer browser is needed when there are dedicated computer(s) declared to be 'server' of that domain for that entire domain network...and if that browser at that moment can not fulfil its role, then another possible second and third choices for the server will be instead used.
    Thus the selected computer to be the 'browser' is held in limbo and the role can be shared.
    But only needed for an enterprise or business network, not for the home network.

    Kind of wish you would post this material on other firewall/networking forums for the software firewall issues .
    You may be surprised by the replies.

    Oldsod.

    Message Edited by Oldsod on 04-29-2009 04:30 AM
    Best regards.
    oldsod
