suspected hack attempt

Hello
I have a suspicion that someone (known) has somehow obtained my IP address & is trying to hack me. I have a network everywhere (linksys) router and the XP firewall enabled. On my xp fw security audit records (in event viewer) I have in the past 3 days had (each day) 3 or 4 audit failures (event #529 unknown user name/password, logon type 2). d'oh me thought I had the logging enabled for PFirewall.log. I did not. I do now though. I called lynksys and we updated my firmware midday yesterday. From that point till now, I have so far not had anymore attempts. They mentioned that the xpfw could be conflicting with the router, but, this has been in place for 5 mos. or more now and prior to the other day, there were no audit failures. They said the xpfw should be disabled but, to leave it for a few days to see if the audit failures happen (since updating firmware) so I can have a log in Pfirewall.log.
My question after that length explaination is this:
If someone does have my IP address, with the router in place can they gain access, possible via a "dictionary" attack (this from the explaination in the event #529 of what could possibly be happening) .
I also, would like to find out the IP addy for whomever is doing this. So I don't want to turn the XPfw off just yet anyway if you think this is causing the audit failure messages.
FWIW I test stealth with the router at pcflank.
Another FWIW, My ISP says they have dynamic IP's and linksys says I have a static IP?? This I am also confused about as well. (oh yea DSL by the way)
If I haven' totally confused everyone to this point with my above babble, anyone got any thoughts or help on this?
thanks
Louise

 

FIrst, Welcome to Wilders!

Well, there should be no way for them to logon to your network if you have not set one of your computer/s to act as DMZ host. When you do that, one particular machine is visable to the internet at your IP. Otherwise, the IP of your router is a network IP and thus not accessable from the outside.

I'm pretty sure of this, but let someone else tell me if I'm wrong or not because I'm not exactly a router expert. I'm sure somone else will be along shortly

 

Hi Louise

As has been mentioned, with the router in place, it will stop any inbound connection attempts. Just make sure you have remote administration disabled, no ports forwarded unless absolutely required and change the default password for access to the configuration pages.

As for the "event #529 unknown user name/password, logon type 2" in the security event log, have you mistyped your user name/password when logging into XP or when changing accounts? Such typos will result in these entries.

Another source of these type of event log entries I found out after much cyber sleuthing was the cats . I will usually lock the pc when not in use and if they happen to casually stroll across the keyboard (the cursor by default sitting in the password box) would result in all kinds of these entries .

Regards,

CrazyM

 

Thanks everyone. All info. has been very helpful.
No dmz host.

No typos unfortunately and NO cats.

I believe its a supermod at a site I USED to go to. Quite a few X members have noticed similar incidences the past few weeks. Long story, but suffice to say to many coincidences with too many people from said site.

I hear ya. have read that its a waste of time.

One last thing, that no one addressed. Should I or Should I not turn off the XP firewall?? As stated above, lynksys says XPFW can interfere with the router. How would I even know if it is interfering? What would be the signs?
I do feel a whole lot better after what ya'll have contributed so far. Thanks bunches.
Louise

 

Hi Louise

With no pc in the dmz, and I take it no ports forwarded, no unsolicited inbound connections should have reached your system behind the router.

Well the cats were worth a try . Any other users? Would be nice to track down the failed log in attempts.

I trust you have checked for malware, suspicious outbound traffic?

Your choice, no problem leaving it on. Are you running any other software firewall on your system(s)? If so, you may want to disable the XP firewall in favor of the software firewall.

The XP firewall should not interfere with the router in any way. One thing that may be impacted would be logging utilities for the router if you are or were to use one if available for your model.

Regards,

CrazyM

 

Good Morning

No others users. Sure would be nice. Weird indeed. You will be happy to know that since Midday Sat. when I updated the firmware, there have no more failed audits. Hmmmm....

Yes. Have Adaware, spybot, swatit, Norton Av. Run trendmicro couple times a week as well.
"suspicious outbound traffic"---- How?? MSfw Logs??

Nope.

Good, thanks, it stays on then.

Thanks again for all the input and help.
Louise

 

Forgot to say, TOUCH WOOD!!!!!!!!!!..hope I didn't jinx myself.

 

I am going to scream...Had another audit failure at 4:00 PM est. time. AND Just this a.m. I shut off the logging. Just turned it back on.
Sheesh...see I jinxed myself.
What can I do This is creeping me large.
Louise

 

Hi Louise

Does selecting properties of the logged event give you any more details?

Something from the MS site re troubleshooting:

"When Event 529 is logged, you should look for patterns in the event. Determine if there are several 529 events logged and determine if they all occur in one second or if they occur at specific time intervals. If so, is there a process or service that is running on the computer that is sending incorrect credentials. Look at the Logon Process and Logon Type entries in the log to determine the type of process that is passing incorrect credentials and to determine how the process is logging on."

Regards,

CrazyM

 

Hi

I had read just the other day, that there can be some issues with the audit failures in XPFW being recorded from internal calls from the system. (!?)
Friday for example, I had to use ctl,alt,dlt to call up the task manager. Within that same minute, checked the security log in event viewer and there was another audit failure. The light bulb went on, that these indeed may be caused by an XP glitch that for whatever reason has only started in the past few weeks. I checked the pfirewall log and the log for this instance (from my rudimentary analysis of it) and running NS lookups on the #'s; showed they were not from anything or anyone weird. I'll run a chk dsk and see if that stops them. Somethings gone goofy I think.
Sooo...I am now calming down in thinking its a dictionary attack from outside..touch wood.
I again talked to Linksys on Friday for quite awhile, and they have reassured me that its 99.9% unlikely (touch wood) with my setup that anyone can get access. They again said I should shut the XPFW off. That I'm not sure of, but, I am slowly coming to the realization (yea) that its all internal issues with this and will just try and relax and not be so paranoid about this.
Think at this point, I will take a cie la vie attitude and hope for the best. Touch wood. I don't keep anything on this computer that can't be seen by someone else or anything that can't be restored from my backup's If I have to reinstall (touch wood, touch wood) so....cie la vie.
Thank you all for your input and time spent with this. You're the best.
Louise.

P.S. can ya tell by all the times I "touch wood" that I MAY be a tad superstitious.

 

Hello


You may want to give WallWatcher a try with your linksys router.

I sure like it. It even logs stuff happening with your router when your computer is on and your are not logged on to your computer.


con

 

con
Thanks for the info. Took a quick look at it, seems like a good program. When I get a bit more time I'll check it out more. Just might give it a whirl.

Louise