Solve : I AM NOT A SERVER-tcp/ip prob ??

1.	Solve : I AM NOT A SERVER-tcp/ip prob ??
Answer» hello,I've been having strange problems with my computer since a 'hacker'gained access.This'hacker' has since been taunting me with cryptic e-mails (from spoofed e-mail addresses)telling me how 'evil' his 'work' is.Sadly I have to agree,so here it is: First symptoms were netbios,mrspc,http probes which were blocked by firewall.Probes are mostly from other (innocent) clients on the same lan as me,but coming in every minute or so.Probes are in fact 'syn' packets. So from my firewall (Black ice from iss security) logs which i examined with 'Ethereal'I discovered that I am sending broadcasts announcing my computer as a netbios,msrpc,http browser SERVER! I've reformatted twice myself and had my local computer store reformat as well,but as soon as I go on line,same problem. Nothing shows up on antivirus progs -norton,nod32.Or on spyware progs.Nothing unusual on hijack this logs either.No root kit found with Sysinternals find rootkit prog.This is probably because no virus/trojan etc. is present,some clever changes have been made somewhere,a truly evil piece of work indeed! As reformatting has not eliminated this,is it possible for the root of this to be in the bios settings? Or something to do with my mac address? I am running XP with all updates on Sempron 3000+, ASRock k7 motherboard,DDr256 mo.Norton antivirus,black ice & at guard firewalls. I've changed isp,changed from ether to ppp,reformatted each time,same result. Any downloads I make are often corrupted,a result i guess of the abnormal amount of 'probe' traffic being generated.Almost a denial of service attack. I've been trying to figure this out for 3 months now,time to ask for help. Any suggestions or ideas would be much appreciated,Thanks. I can post text logs of the broadcast packets if needed.The evidence logs (of the probes)are irrelevant,just a symptom,not the problem. thanks again. Quote (Black ice from iss security) I haven't heard anything good about Black Ice. Try Zone Alarm or Sygate's firewall. What type of network are you on? You say that you are on a LAN. This tells me that there are users on your network which can freely access or see or your PC. Thanks for reply,yes black ice can be a bit paranoid.I've uninstalled black ice & tried zone alarm,with the same result. When I say probes from my lan I mean from the same isp as me-if my isp is Tiscali.fr, the syn probes come from computers with tiscali.fr as their server.This is normal because I have sent a broadcast declaring my computer as a server.I am not on a LAN-my mistake. This all started with me doing downloads from 'dubious' sources (it won't happen to me! ) from which I presume I installed a RAT.The computer was then left online (ether)for a week while I was away elsewhere,which I guess left time for this person to do their dirty work. I'm resigned to the fact I'll have to reformat.Is it possible for the bios settings or flash memory to have been corrupted,so that when I reformat the hard drive I'm just importing the same problem? Again ,any ideas or thoughts on this most welcome, thanks Raptor.P.S. Here's an example packet my computer is sending at the beginning of a connection. As you can see,the 'this is a workstation/server/browser' flags are set.This is sent through udp port 138, the netbios port.Maybe a clue as to where to look? No. Time Source Destination Protocol Info 14 2005-07-28 07:38:24.562500 (my IP) 255.255.255.255 BROWSER Host Announcement , Workstation, Server, NT Workstation, Potential Browser Frame 14 (243 bytes on wire, 243 bytes captured) Arrival Time: Jul 28, 2005 07:38:24.562500000 Time delta from previous packet: 0.000000000 seconds Time since reference or first frame: 1.218750000 seconds Frame Number: 14 Packet Length: 243 bytes Capture Length: 243 bytes Protocols in frame: eth:ip:udp:nbdgm:smb:browser Protocol: UDP (0x11) Header checksum: 0xbad1 (correct) Source: (my ip ) Destination: 255.255.255.255 (255.255.255.255) User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138) Source port: netbios-dgm (138) Destination port: netbios-dgm (138) Length: 209 Checksum: 0x3ecd (correct) NetBIOS Datagram Service Message Type: Direct_group datagram (17) More fragments follow: No This is first fragment: Yes Node Type: B node (0) Datagram ID: 0x8005 Source IP: my ip. Source Port: 138 Datagram length: 187 bytes Packet offset: 0 bytes Source name: me<20> (Server service) Destination name: MSHOME<1d> (Local Master Browser) SMB (Server Message Block Protocol) SMB Header Server Component: SMB SMB Command: Trans (0x25) Error Class: Success (0x00) Reserved: 00 Error Code: No Error Flags: 0x00 Flags: 0x0000 .... .... .... ..0. = One Way Transaction: Two way transaction .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID Timeout: 1 second Reserved: 0000 Parameter Count: 0 Parameter Offset: 0 Data Count: 33 Data Offset: 86 SETUP Count: 3 Reserved: 00 Byte Count (BCC): 50 Transaction Name: \MAILSLOT\BROWSE SMB MailSlot Protocol Opcode: Write Mail Slot (1) Priority: 0 Class: Unreliable & Broadcast (2) Size: 50 Mailslot Name: \MAILSLOT\BROWSE Microsoft Windows Browser Protocol Command: Host Announcement (0x01) Update Count: 0 Update Periodicity: 4 minutes Host Name: me OS Major Version: 5 OS Minor Version: 1 Server Type: 0x00011003 .... .... .... .... .... .... .... ...1 = Workstation: This is a Workstation .... .... .... .... .... .... .... ..1. = Server: This is a Server .... .... .... .... .... .... .... .0.. = SQL: This is NOT an SQL server .... .... .... .... .... .... .... 0... = DOMAIN Controller: This is NOT a Domain Controller .... .... .... .... .... .... ...0 .... = Backup Controller: This is NOT a Backup Controller .... .... .... .... .... .... ..0. .... = Time Source: This is NOT a Time Source .... .... .... .... .... .... .0.. .... = Apple: This is NOT an Apple host .... .... .... .... .... .... 0... .... = Novell: This is NOT a Novell server .... .... .... .... .... ...0 .... .... = Member: This is NOT a Domain Member server .... .... .... .... .... ..0. .... .... = Print: This is NOT a Print Queue server .... .... .... .... .... .0.. .... .... = Dialin: This is NOT a Dialin server .... .... .... .... .... 0... .... .... = Xenix: This is NOT a Xenix server .... .... .... .... ...1 .... .... .... = NT Workstation: This is an NT Workstation .... .... .... .... ..0. .... .... .... = WfW: This is NOT a WfW host .... .... .... .... 0... .... .... .... = NT Server: This is NOT an NT Server .... .... .... ...1 .... .... .... .... = Potential Browser: This is a Potential Browser .... .... .... ..0. .... .... .... .... = Backup Browser: This is NOT a Backup Browser .... .... .... .0.. .... .... .... .... = Master Browser: This is NOT a Master Browser .... .... .... 0... .... .... .... .... = Domain Master Browser: This is NOT a Domain Master Browser .... .... ...0 .... .... .... .... .... = OSF: This is NOT an OSF host .... .... ..0. .... .... .... .... .... = VMS: This is NOT a VMS host .... .... .0.. .... .... .... .... .... = Windows 95+: This is NOT a Windows 95 or above host .0.. .... .... .... .... .... .... .... = Local: This is NOT a local list only request 0... .... .... .... .... .... .... .... = Domain Enum: This is NOT a Domain Enum request Browser Protocol Major Version: 15 Browser Protocol Minor Version: 1 Signature: 0xaa55 Host Comment: Shut some ports wwdc http://www.wilderssecurity.com/showthread.php?t=25485 Quote Again ,any ideas or thoughts on this most welcome, thanks Raptor. Disable processor ID. I believe only Pentium III processors have got one. You may wish to buy a new Network Interface Card as they all have a fixed MAC adress. I do not know if this will resolve your problem, but they are both methods to recognize a machine. Quote Is it possible for the bios settings or flash memory to have been corrupted I do not think this is possible if the user wasn't sitting behind the PC.o.k.,thanks. I'll try this & let you know how it turns out. It would be good to know how and why this is happening,but I guess I'll have to be content just to get rid of this very strange problem. It's a shame the person responsible couldn't put their well developed knowledge to better use. Thanks again About the Bios/flash memory question,could this broadcast command have come from a 'bad'or intercepted (IP or TCP spoofed) download or e-mail ? Is this impossible or just unheard of ? -Noone has had physical access to my computer. Also,if I WANTED for my box to act as a server,where would the broadcast command come from -can I find the offending piece of script somewhere in the registry ? Is there a legitimate application which can be used to make an XP box a server ?-Lazy question,I'll look on microsoft.com myself! Thanks for the link to the WWdc prog,ports are closed but I have to wait till the TTL of my last broadcast has expired - 3 days- to see if this works. I hope this strange problem has sparked your INTEREST as much as me.It's put me on a very STEEP learning curve.-Anyone ever hear of anything like this before? I'll bet not. XP can be set to act as a server but don't ask me where. I'll poke around a little.

Answer»

hello,I've been having strange problems with my computer since a 'hacker'gained access.This'hacker' has since been taunting me with cryptic e-mails (from spoofed e-mail addresses)telling me how 'evil' his 'work' is.Sadly I have to agree,so here it is:
First symptoms were netbios,mrspc,http probes which were blocked by firewall.Probes are mostly from other (innocent) clients on the same lan as me,but coming in every minute or so.Probes are in fact 'syn' packets.
So from my firewall (Black ice from iss security) logs which i examined with 'Ethereal'I discovered that I am sending broadcasts announcing my computer as a netbios,msrpc,http browser SERVER!
I've reformatted twice myself and had my local computer store reformat as well,but as soon as I go on line,same problem.
Nothing shows up on antivirus progs -norton,nod32.Or on spyware progs.Nothing unusual on hijack this logs either.No root kit found with Sysinternals find rootkit prog.This is probably because no virus/trojan etc. is present,some clever changes have been made somewhere,a truly evil piece of work indeed!
As reformatting has not eliminated this,is it possible for the root of this to be in the bios settings?
Or something to do with my mac address?
I am running XP with all updates on Sempron 3000+, ASRock k7 motherboard,DDr256 mo.Norton antivirus,black ice & at guard firewalls.
I've changed isp,changed from ether to ppp,reformatted each time,same result.
Any downloads I make are often corrupted,a result i guess of the abnormal amount of 'probe' traffic being generated.Almost a denial of service attack.
I've been trying to figure this out for 3 months now,time to ask for help.
Any suggestions or ideas would be much appreciated,Thanks.
I can post text logs of the broadcast packets if needed.The evidence logs (of the probes)are irrelevant,just a symptom,not the problem.

thanks again. Quote

(Black ice from iss security)

I haven't heard anything good about Black Ice.

Try Zone Alarm or Sygate's firewall.

What type of network are you on? You say that you are on a LAN. This tells me that there are users on your network which can freely access or see or your PC.

Thanks for reply,yes black ice can be a bit paranoid.I've uninstalled black ice & tried zone alarm,with the same result.
When I say probes from my lan I mean from the same isp as me-if my isp is Tiscali.fr, the syn probes come from computers with tiscali.fr as their server.This is normal because I have sent a broadcast declaring my computer as a server.I am not on a LAN-my mistake.
This all started with me doing downloads from 'dubious' sources (it won't happen to me! ) from which I presume I installed a RAT.The computer was then left online (ether)for a week while I was away elsewhere,which I guess left time for this person to do their dirty work.
I'm resigned to the fact I'll have to reformat.Is it possible for the bios settings or flash memory to have been corrupted,so that when I reformat the hard drive I'm just importing the same problem?

Again ,any ideas or thoughts on this most welcome, thanks Raptor.P.S. Here's an example packet my computer is sending at the beginning of a connection.
As you can see,the 'this is a workstation/server/browser' flags are set.This is sent through udp port 138, the netbios port.Maybe a clue as to where to look?

No. Time Source Destination Protocol Info
14 2005-07-28 07:38:24.562500 (my IP) 255.255.255.255 BROWSER Host Announcement , Workstation, Server, NT Workstation, Potential Browser

Frame 14 (243 bytes on wire, 243 bytes captured)
Arrival Time: Jul 28, 2005 07:38:24.562500000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 1.218750000 seconds
Frame Number: 14
Packet Length: 243 bytes
Capture Length: 243 bytes
Protocols in frame: eth:ip:udp:nbdgm:smb:browser

Protocol: UDP (0x11)
Header checksum: 0xbad1 (correct)
Source: (my ip )
Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: netbios-dgm (138), Dst Port: netbios-dgm (138)
Source port: netbios-dgm (138)
Destination port: netbios-dgm (138)
Length: 209
Checksum: 0x3ecd (correct)
NetBIOS Datagram Service
Message Type: Direct_group datagram (17)
More fragments follow: No
This is first fragment: Yes
Node Type: B node (0)
Datagram ID: 0x8005
Source IP: my ip.
Source Port: 138
Datagram length: 187 bytes
Packet offset: 0 bytes
Source name: me<20> (Server service)
Destination name: MSHOME<1d> (Local Master Browser)
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Trans (0x25)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: 1 second
Reserved: 0000
Parameter Count: 0
Parameter Offset: 0
Data Count: 33
Data Offset: 86
SETUP Count: 3
Reserved: 00
Byte Count (BCC): 50
Transaction Name: \MAILSLOT\BROWSE
SMB MailSlot Protocol
Opcode: Write Mail Slot (1)
Priority: 0
Class: Unreliable & Broadcast (2)
Size: 50
Mailslot Name: \MAILSLOT\BROWSE
Microsoft Windows Browser Protocol
Command: Host Announcement (0x01)
Update Count: 0
Update Periodicity: 4 minutes
Host Name: me
OS Major Version: 5
OS Minor Version: 1
Server Type: 0x00011003
.... .... .... .... .... .... .... ...1 = Workstation: This is a Workstation
.... .... .... .... .... .... .... ..1. = Server: This is a Server
.... .... .... .... .... .... .... .0.. = SQL: This is NOT an SQL server
.... .... .... .... .... .... .... 0... = DOMAIN Controller: This is NOT a Domain Controller
.... .... .... .... .... .... ...0 .... = Backup Controller: This is NOT a Backup Controller
.... .... .... .... .... .... ..0. .... = Time Source: This is NOT a Time Source
.... .... .... .... .... .... .0.. .... = Apple: This is NOT an Apple host
.... .... .... .... .... .... 0... .... = Novell: This is NOT a Novell server
.... .... .... .... .... ...0 .... .... = Member: This is NOT a Domain Member server
.... .... .... .... .... ..0. .... .... = Print: This is NOT a Print Queue server
.... .... .... .... .... .0.. .... .... = Dialin: This is NOT a Dialin server
.... .... .... .... .... 0... .... .... = Xenix: This is NOT a Xenix server
.... .... .... .... ...1 .... .... .... = NT Workstation: This is an NT Workstation
.... .... .... .... ..0. .... .... .... = WfW: This is NOT a WfW host
.... .... .... .... 0... .... .... .... = NT Server: This is NOT an NT Server
.... .... .... ...1 .... .... .... .... = Potential Browser: This is a Potential Browser
.... .... .... ..0. .... .... .... .... = Backup Browser: This is NOT a Backup Browser
.... .... .... .0.. .... .... .... .... = Master Browser: This is NOT a Master Browser
.... .... .... 0... .... .... .... .... = Domain Master Browser: This is NOT a Domain Master Browser
.... .... ...0 .... .... .... .... .... = OSF: This is NOT an OSF host
.... .... ..0. .... .... .... .... .... = VMS: This is NOT a VMS host
.... .... .0.. .... .... .... .... .... = Windows 95+: This is NOT a Windows 95 or above host
.0.. .... .... .... .... .... .... .... = Local: This is NOT a local list only request
0... .... .... .... .... .... .... .... = Domain Enum: This is NOT a Domain Enum request
Browser Protocol Major Version: 15
Browser Protocol Minor Version: 1
Signature: 0xaa55
Host Comment:

Shut some ports wwdc
http://www.wilderssecurity.com/showthread.php?t=25485 Quote

Again ,any ideas or thoughts on this most welcome, thanks Raptor.

Disable processor ID. I believe only Pentium III processors have got one.

You may wish to buy a new Network Interface Card as they all have a fixed MAC adress.

I do not know if this will resolve your problem, but they are both methods to recognize a machine.

Quote

Is it possible for the bios settings or flash memory to have been corrupted

I do not think this is possible if the user wasn't sitting behind the PC.o.k.,thanks.
I'll try this & let you know how it turns out.
It would be good to know how and why this is happening,but I guess I'll have to be content just to get rid of this very strange problem.
It's a shame the person responsible couldn't put their well developed knowledge to better use.
Thanks again About the Bios/flash memory question,could this broadcast command have come from a 'bad'or intercepted (IP or TCP spoofed) download or e-mail ? Is this impossible or just unheard of ? -Noone has had physical access to my computer.
Also,if I WANTED for my box to act as a server,where would the broadcast command come from -can I find the offending piece of script somewhere in the registry ?
Is there a legitimate application which can be used to make an XP box a server ?-Lazy question,I'll look on microsoft.com myself!
Thanks for the link to the WWdc prog,ports are closed but I have to wait till the TTL of my last broadcast has expired - 3 days- to see if this works.
I hope this strange problem has sparked your INTEREST as much as me.It's put me on a very STEEP learning curve.-Anyone ever hear of anything like this before? I'll bet not.

XP can be set to act as a server but don't ask me where. I'll poke around a little.

Solve : I AM NOT A SERVER-tcp/ip prob ??

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment