suspected hack attempt

Discussion in 'other firewalls' started by Louise, Feb 9, 2004.

Thread Status:
Not open for further replies.
  1. Louise

    Louise Guest

    Hello
    I have a suspicion that someone (known) has somehow obtained my IP address & is trying to hack me. I have a Network Everywhere (Linksys) router and the XP firewall enabled. In my XPFW security audit records (in Event Viewer) I have in the past 3 days had (each day) 3 or 4 audit failures (event #529, unknown user name/password, logon type 2). D'oh, I thought I had the logging enabled for pfirewall.log. I did not. I do now though. I called Linksys and we updated my firmware midday yesterday. From that point till now, I have so far not had any more attempts. They mentioned that the XPFW could be conflicting with the router, but this has been in place for 5 mos. or more now and prior to the other day there were no audit failures. They said the XPFW should be disabled but to leave it for a few days to see if the audit failures happen (since updating firmware) so I can have a log in pfirewall.log.
    My question after that lengthy explanation is this:
    If someone does have my IP address, with the router in place can they gain access, possibly via a "dictionary" attack (this from the explanation in event #529 of what could possibly be happening)?
    I also would like to find out the IP addy of whomever is doing this. So I don't want to turn the XPFW off just yet anyway, if you think this is causing the audit failure messages.
    FWIW I test stealth with the router at pcflank.
    Another FWIW, my ISP says they have dynamic IPs and Linksys says I have a static IP?? This I am also confused about as well. (Oh yeah, DSL by the way.)
    If I haven't totally confused everyone to this point with my above babble, anyone got any thoughts or help on this?
    thanks
    Louise
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    First, welcome to Wilders!

    Well, there should be no way for them to log on to your network if you have not set one of your computers to act as DMZ host. When you do that, one particular machine is visible to the internet at your IP. Otherwise, the IP of your router is a network IP and thus not accessible from the outside.

    I'm pretty sure of this, but let someone else tell me if I'm wrong or not because I'm not exactly a router expert. I'm sure someone else will be along shortly ;)
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Yes, Detox is correct. Your router is not allowing anyone to connect into your system (unless you set your PC up in a DMZ, passing all traffic from the Internet in to it). But, if you did that, you'd know that you did that.

    With a router set up like you have, it is very unlikely that anyone is able to get access to even the logon prompt (network-wise) on your PC, so I suspect that is not going to be a problem.

    As to finding out who did it, don't waste your time. It's not likely that you can find out anything meaningful, especially regarding a very small number of access attempts. If you want to report a person doing hundreds of access attempts continuously, then you might be able to file a log with their ISP and maybe get action, but for just a few it'd be very hard to prove anything... It could have as easily been a mistake as anything else (a mis-typed IP address).

    Your ISP would know for sure what type of IP address you have. The majority of people have dynamic IP addresses, it's just the way things are on the Internet. (Static IP addresses are more costly, in a sense.) On my DSL I have a dynamic IP address. All I have to do to get a new IP address is restart my system. Since you have a router (which probably has your ISP username and password entered into it), you probably merely need to restart the router to get a new "public" IP address...

    If this is the case, which is very likely, then if someone did know your IP address, all you have to do is restart your connection and get a new IP address, and then they won't have your current address anymore, well unless you do something to give it to them. You never did say how/why you think they got your address in the first place...
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Louise

    As has been mentioned, with the router in place, it will stop any inbound connection attempts. Just make sure you have remote administration disabled, no ports forwarded unless absolutely required and change the default password for access to the configuration pages.

    As for the "event #529 unknown user name/password, logon type 2" in the security event log, have you mistyped your user name/password when logging into XP or when changing accounts? Such typos will result in these entries.

    Another source of these types of event log entries, I found out after much cyber sleuthing, was the cats :eek:. I will usually lock the PC when not in use, and if they happen to casually stroll across the keyboard (the cursor by default sitting in the password box) it results in all kinds of these entries :rolleyes: :D.

    Regards,

    CrazyM
     
  5. louise

    louise Guest

    Thanks everyone. All info. has been very helpful.
    No dmz host.

    No typos unfortunately and NO cats. :D
    I believe it's a supermod at a site I USED to go to. Quite a few ex-members have noticed similar incidents the past few weeks. Long story, but suffice to say too many coincidences with too many people from said site. :eek:
    I hear ya. ;) Have read that it's a waste of time.

    One last thing that no one addressed: should I or should I not turn off the XP firewall?? As stated above, Linksys says XPFW can interfere with the router. How would I even know if it is interfering? What would be the signs?
    I do feel a whole lot better after what y'all have contributed so far. Thanks bunches. :D
    Louise
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Louise

    With no pc in the dmz, and I take it no ports forwarded, no unsolicited inbound connections should have reached your system behind the router.

    Well, the cats were worth a try ;). Any other users? Would be nice to track down the failed login attempts.

    I trust you have checked for malware, suspicious outbound traffic?

    Your choice, no problem leaving it on. Are you running any other software firewall on your system(s)? If so, you may want to disable the XP firewall in favor of the software firewall.

    The XP firewall should not interfere with the router in any way. One thing that may be impacted would be logging utilities for the router, if you use or were to use one that is available for your model.

    Regards,

    CrazyM
     
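    A way to actually answer CrazyM's two questions from the XP firewall's own log (did any unsolicited inbound connection reach the PC from outside the LAN, and is there outbound traffic worth a second look), as an added example that is not part of the thread. XP's pfirewall.log has no direction column, so direction is inferred from which side carries the PC's own address. The log lines are constructed in the layout the log's #Fields header declares; HOST_IP, the "expected port" set and the addresses (RFC 5737 documentation ranges standing in for Internet hosts) are assumptions for the example.

```python
"""Review an XP-style pfirewall.log: inbound DROPs from outside the LAN
(should not occur behind NAT with no DMZ host and no forwarded ports) and
outbound OPENs to unusual ports.  Added example, not from the thread; the
log text, HOST_IP and EXPECTED_OUTBOUND are constructed/assumed."""
import ipaddress

HOST_IP = "192.168.1.100"   # assumed LAN address of the PC behind the router
# Ports a home PC of the period would normally connect to outbound (assumption).
EXPECTED_OUTBOUND = {21, 25, 53, 80, 110, 123, 143, 443}
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log; 192.0.2.x / 198.51.100.x / 203.0.113.x stand in
# for Internet hosts.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-02-09 16:00:01 DROP TCP 192.168.1.1 192.168.1.100 1034 135 48 S 1876543210 0 65535 - - -
2004-02-09 16:00:02 OPEN TCP 192.168.1.100 192.0.2.10 1035 80 - - - - - - - -
2004-02-09 16:00:05 DROP TCP 203.0.113.45 192.168.1.100 4421 445 48 S 2003456789 0 16384 - - -
2004-02-09 16:00:09 DROP UDP 192.168.1.100 192.168.1.255 137 137 78 - - - - - - -
2004-02-09 16:01:10 OPEN TCP 192.168.1.100 198.51.100.7 1036 6667 - - - - - - - -
2004-02-09 16:01:30 DROP ICMP 203.0.113.45 192.168.1.100 - - 60 - - - - 8 0 -
2004-02-09 16:02:00 CLOSE TCP 192.168.1.100 192.0.2.10 1035 80 - - - - - - - -
"""


def parse_pfirewall(text):
    """Parse the log using its own #Fields header rather than fixed columns,
    so the same code copes with later Windows versions that add columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            if fields is None:
                raise ValueError("log data before the #Fields header")
            values = line.split()
            values += ["-"] * (len(fields) - len(values))   # pad short lines
            records.append(dict(zip(fields, values)))
    return records


def is_lan(ip):
    """RFC 1918, loopback or link-local: traffic that never left the house."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or garbage in the column
        return False
    return any(addr in net for net in LAN_RANGES)


def direction(rec, host_ip=HOST_IP):
    """Infer direction from which side is the PC itself."""
    if rec["dst-ip"] == host_ip:
        return "in"
    if rec["src-ip"] == host_ip:
        return "out"
    return "other"


def review(records, host_ip=HOST_IP):
    """Split the log into the three things worth looking at."""
    findings = {"inbound_external": [], "outbound_unusual": [], "lan_noise": 0}
    for r in records:
        d = direction(r, host_ip)
        if d == "in" and r["action"] == "DROP" and not is_lan(r["src-ip"]):
            # A packet from outside the LAN reached the PC: with NAT and no
            # forwarded ports that should not happen, so check the router.
            findings["inbound_external"].append(
                (r["time"], r["protocol"], r["src-ip"], r["dst-port"]))
        elif d == "out" and r["action"] == "OPEN":
            port = int(r["dst-port"]) if r["dst-port"].isdigit() else None
            if port not in EXPECTED_OUTBOUND:
                # A successful connection to an unusual port: find out
                # which program made it.
                findings["outbound_unusual"].append((r["time"], r["dst-ip"], port))
        elif is_lan(r["src-ip"]) and is_lan(r["dst-ip"]):
            findings["lan_noise"] += 1      # NetBIOS broadcasts, router probes
    return findings


if __name__ == "__main__":
    for k, v in review(parse_pfirewall(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

    Two entries in the constructed log would merit a follow-up: the TCP/445 and ICMP packets from 203.0.113.45 that arrived at the PC's own address (behind a NAT router with nothing forwarded they should have died at the router), and the OPEN to port 6667, which is a successful connection the PC itself initiated to a port outside the expected set. Everything between 192.168.x addresses is ordinary LAN chatter. The LAN check is deliberately written against explicit ranges rather than Python's `is_private`, because that property also treats the documentation ranges used here as private.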
  7. louise

    louise Guest

    Good Morning :)
    No other users. Sure would be nice. Weird indeed. You will be happy to know that since midday Sat. when I updated the firmware, there have been no more failed audits. Hmmmm....o_O
    Yes. Have Ad-Aware, Spybot, SwatIt, Norton AV. Run Trend Micro a couple times a week as well.
    "Suspicious outbound traffic"---- How?? MS FW logs??
    Nope.

    Good, thanks, it stays on then. :)

    Thanks again for all the input and help.
    Louise
     
  8. louise

    louise Guest

    Forgot to say, TOUCH WOOD!!!!!!!!!!..hope I didn't jinx myself. :D
     
  9. louise

    louise Guest

    I am going to scream... Had another audit failure at 4:00 PM EST. AND just this a.m. I shut off the logging. Just turned it back on.
    Sheesh... see, I jinxed myself. :eek:
    What can I do? o_O This is creeping me out large.
    Louise
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Louise

    Does selecting properties of the logged event give you any more details?

    Something from the MS site re troubleshooting:

    "When Event 529 is logged, you should look for patterns in the event. Determine if there are several 529 events logged and determine if they all occur in one second or if they occur at specific time intervals. If so, is there a process or service that is running on the computer that is sending incorrect credentials. Look at the Logon Process and Logon Type entries in the log to determine the type of process that is passing incorrect credentials and to determine how the process is logging on."

    Regards,

    CrazyM
     
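    The Microsoft guidance CrazyM quotes is easy to apply by hand to three or four events, but it is worth seeing what the three checks (bursts within a second, fixed intervals, and the Logon Type / Logon Process fields) look like when written out. Here is an added example that is not part of the thread. Logon type 2 is an interactive logon, i.e. credentials entered at the console or passed by a local process, whereas a password-guessing run over the network shows up as type 3. The records below are constructed to resemble the description text Event Viewer shows for a 529; they are not a real export, and the user and workstation names are made up.

```python
"""Triage of Windows 2000/XP Security-log event 529 ("Logon Failure: Unknown
user name or bad password"): bursts, fixed intervals, and Logon Type /
Logon Process.  Added example, not from the thread; SAMPLE_EVENTS are
constructed, not a real export."""
import re
from collections import Counter
from datetime import datetime

# Logon types used by NT-family audit events: 2 = someone at the console,
# 3 = a connection over the network, 5 = a service starting, and so on.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def _desc(user, logon_type, process, workstation):
    """Build a 529-style description block (constructed sample data)."""
    return ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tDomain:\t\tHOME\n\tLogon Type:\t{logon_type}\n"
            f"\tLogon Process:\t{process}\n\tAuthentication Package:\tNegotiate\n"
            f"\tWorkstation Name:\t{workstation}")


SAMPLE_EVENTS = (
    # Three isolated console failures: a typo at the logon prompt, or the cat.
    [("2004-02-09 08:12:41", 529, _desc("louise", 2, "User32", "LOUISE-PC")),
     ("2004-02-09 16:00:03", 529, _desc("louise", 2, "User32", "LOUISE-PC")),
     ("2004-02-10 09:31:57", 529, _desc("Louise", 2, "User32", "LOUISE-PC"))]
    # A service retrying stale credentials every five minutes.
    + [(f"2004-02-10 10:{m:02d}:00", 529, _desc("backup", 5, "Advapi", "LOUISE-PC"))
       for m in (0, 5, 10, 15)]
    # What password guessing over the network looks like: several type-3
    # failures inside one second, from another workstation.
    + [("2004-02-10 11:45:12", 529, _desc("Administrator", 3, "NtLmSsp", "WKS-ELSEWHERE"))
       for _ in range(6)]
)


def parse_event(stamp, event_id, description):
    """Extract the fields the Microsoft guidance says to look at."""
    def field(name):
        m = re.search(name + r":\s*(\S+)", description)
        return m.group(1) if m else None
    return {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "id": event_id,
            "user": field("User Name"),
            "logon_type": int(field("Logon Type")),
            "logon_process": field("Logon Process"),
            "workstation": field("Workstation Name")}


def bursts(events, window_seconds=1, min_count=3):
    """Runs of >= min_count failures within one window: guessing, not typos."""
    evs = sorted(events, key=lambda e: e["time"])
    found, i = [], 0
    while i < len(evs):
        j = i
        while (j + 1 < len(evs)
               and (evs[j + 1]["time"] - evs[i]["time"]).total_seconds() <= window_seconds):
            j += 1
        if j - i + 1 >= min_count:
            found.append(evs[i:j + 1])
        i = j + 1
    return found


def regular_intervals(events, min_events=4):
    """Per (logon type, user): a constant gap between successive failures,
    which points at a process or service replaying bad credentials."""
    groups = {}
    for e in events:
        groups.setdefault((e["logon_type"], e["user"]), []).append(e["time"])
    out = {}
    for key, times in groups.items():
        times.sort()
        gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
        if len(times) >= min_events and len(gaps) == 1 and gaps != {0}:
            out[key] = gaps.pop()
    return out


def triage(raw_events):
    """Summarise 529s by logon type, bursts, and fixed intervals."""
    evs = [parse_event(*r) for r in raw_events if r[1] == 529]
    by_type = Counter(LOGON_TYPES.get(e["logon_type"], str(e["logon_type"]))
                      for e in evs)
    return {
        "total": len(evs),
        "by_logon_type": by_type,
        "bursts": [(b[0]["time"].isoformat(), len(b), b[0]["workstation"],
                    b[0]["logon_process"]) for b in bursts(evs)],
        "regular": {f"{LOGON_TYPES[t]}/{u}": gap
                    for (t, u), gap in regular_intervals(evs).items()},
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

    On the constructed data the three interactive failures are spread over two days with nothing regular about them, which is the "typo or cat" pattern; the four Service-type failures at exactly 300 seconds apart point at a process with a stale password; and only the six Network-type failures from WKS-ELSEWHERE inside one second look like someone guessing. A type 2 failure, whatever its cause, is not something a remote dictionary attack produces.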
  11. Louise

    Louise Guest

    Hi

    I had read just the other day that there can be some issues with the audit failures in XPFW being recorded from internal calls from the system. (!?)
    Friday, for example, I had to use Ctrl+Alt+Del to call up the Task Manager. Within that same minute, I checked the security log in Event Viewer and there was another audit failure. The light bulb went on that these indeed may be caused by an XP glitch that for whatever reason has only started in the past few weeks. I checked the pfirewall log and the log for this instance (from my rudimentary analysis of it), and running nslookups on the numbers showed they were not from anything or anyone weird. I'll run a chkdsk and see if that stops them. Something's gone goofy, I think. :eek:
    Sooo... I am now calming down in thinking it's a dictionary attack from outside... touch wood.
    I again talked to Linksys on Friday for quite a while, and they have reassured me that it's 99.9% unlikely (touch wood) with my setup that anyone can get access. They again said I should shut the XPFW off. That I'm not sure of, but I am slowly coming to the realization (yeah) that it's all internal issues with this and will just try and relax and not be so paranoid about this. :D
    Think at this point I will take a c'est la vie attitude and hope for the best. Touch wood. I don't keep anything on this computer that can't be seen by someone else or anything that can't be restored from my backups if I have to reinstall (touch wood, touch wood) so.... c'est la vie.
    Thank you all for your input and time spent with this. You're the best.
    Louise.

    P.S. can ya tell by all the times I "touch wood" that I MAY be a tad superstitious. :rolleyes: :D
     
  12. controler

    controler Guest

    Hello


    You may want to give WallWatcher a try with your linksys router.

    I sure like it. It even logs stuff happening with your router when your computer is on and you are not logged on to your computer.


    con
     
  13. Louise

    Louise Guest

    con
    Thanks for the info. Took a quick look at it, seems like a good program. When I get a bit more time I'll check it out more. Just might give it a whirl.

    Louise :)
     