  1. #1
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: suspected hack attempt (Home)

    -----------------------------------
    but his computer died last week so it is no longer on the connection.
    ----------------------------------

    Did this problem start after his machine was taken off the system? I can't say specifically, but my suspicions are, this may be the problem.
    Have you checked Control Panel > User Accounts to see if there is an unused or invalid user account still there? Might be a start.

    Bob
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  2. #2
    Star Lounger
    Join Date
    Dec 2002
    Location
    Ontario
    Posts
    67
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: suspected hack attempt (Home)

    Bob: Thanks for replying.
    Sorry, I was wrong about my husband's computer, it was a couple of weeks ago that it died. My mind is befuddled because of this annoyance with the hacking. I am pretty sure this has no bearing.
    This all started last night. I have had "success audits" for a very, very long time even when he was online.
    Yes, I have checked user accounts, this was the first place I looked after seeing the first audit failure reports.
    Just me in there.

    Chameleon

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: suspected hack attempt (Home)

    Do these events correspond to anything you are doing at the time?

    Some software wants to give credentials to the file system in order to do its job. Some backup software does this; apparently ASP.NET also creates its own credentials when you install the .NET framework. However, the %1 (etc.) values don't help nail down what is doing this.

    It is possible for firewalls to develop cracks if you run software that sends "out first"; firewalls typically allow "responses" back in. Techniques for bypassing filtering include (1) getting a trojan running on your computer; (2) exploiting peer-to-peer file sharing networks; and (3) unpatched vulnerabilities in instant messaging clients.

  4. #4
    Super Moderator jscher2000's Avatar

    Re: suspected hack attempt (Home)

    Okay, a few more specific comments:

    > I have no password on the computer.
    In my opinion, passwords are a good thing. If you don't have a password, how do you know that others haven't been there all along, but the latest intruders generated a few "failures" because they tried some passwords?

    > With the router, I never configured anything, I have always assumed (!) that once it is connected to my
    > computer it automatically protects it. Am I wrong in this??

    What router do you have?

    Check your IP address to see if it is in a "private" range. Do Start>Run>cmd and then ipconfig /all and find your IP address. Typically if it starts with 192.168 then your router is performing a kind of rough filtering known as NAT (network address translation) that reduces the likelihood that anyone can actually target your computer.

  5. #5
    Star Lounger

    Re: suspected hack attempt (Home)

    Hi.....Here are the answers to your questions in both replies from you...
    "Do these events correspond to anything you are doing at the time?" ... Yes, if surfing is of any consequence. At sites I frequent all of the time.

    "apparently ASP.NET also" .... No ASP.NET installed.

    "(1) getting a trojan running on your computer; (2) exploiting peer-to-peer file sharing networks; and (3) unpatched vulnerabilities in instant messaging clients." .... (1) have scanned with swatit and online trend micro, no trojans appear to be present. (2) Don't use them (3) don't use them.

    "What router do you have?" .... Network everywhere by linksys

    "Check your IP address to see if it is in a "private" range. Do Start>Run>cmd and then ipconfig /all and find your IP address. Typically if it starts with 192.168 then your router is performing a kind of rough filtering known as NAT".....
    Checked this YES 192.168 etc.

    "In my opinion, passwords are a good thing." .... I now tend to agree. I immediately thought of this after seeing event viewer log #529. I would just go to accounts correct and give a password to where I am classed as administrator???

    Back to you.
    And...Thank you for your help so far...

  6. #6
    Star Lounger

    suspected hack attempt (Home)

    In the year and a half since I have been using XP, I have been using the Internet connection firewall and a Network Everywhere router from Linksys for protection.
    In that time, I have NEVER had a problem when viewing the security audit in event viewer. It always read "success audit".
    Yesterday, I checked and saw 2 "failure audits" 2 at 7:30 in the evening and 2 again at 9:00.....I have just checked again now, and saw another attempt at 12:00 noon. I have attached the events. They are #'d 529 and 680. They both come one right after another in all 3 attempts. #680 being first each time.
    ------------------------------------------------------------------------------------
    #680
    Details
    Product: Windows Operating System
    ID: 680
    Source: Security
    Version: 5.2
    Symbolic Name: SE_AUDITID_ACCOUNT_LOGON
    Message: Logon attempt by: %1
    Logon account: %2
    Source Workstation: %3
    Error Code: %4


    Explanation
    A program or service attempted to start with the logon credentials specified in the message, which do not match the credentials of the current user. This message is logged for informational purposes only.


    User Action
    No user action is required.
    -----------------------------------------------------------------------------------
    #529
    Details
    Product: Windows Operating System
    ID: 529
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_UNKNOWN_USER_OR_PWD
    Message: Logon Failure:
    Reason: Unknown user name or bad password
    User Name: %1
    Domain: %2
    Logon Type: %3
    Logon Process: %4
    Authentication Package: %5
    Workstation Name: %6

    Explanation
    This event record indicates an attempt to log on using an unknown user account or a valid user account but with an incorrect password. An unexpected increase in the number of these audits could represent an attempt by someone to find user accounts and passwords (such as a "dictionary" attack, in which a list of words is used by a program to attempt entry).


    User Action
    The person with administrative rights for the computer should establish a threshold limit for attempted log ons. Attempts in excess of the limit should be investigated as a possible attempt to break into the computer.
    --------------------------------------------------------------------------------------

    What is my course of action???????? From the advice of the second log # 529.

    My DSL automatically is connected once I have turned on my computer. I have no password on the computer. My husband was sharing the DSL (no other sharing involved with the router) but his computer died last week so it is no longer on the connection.
    I know that not everyone is a fan of the ICF that comes with XP, but I am hoping that one of you can interpret the above and advise me.
    Am I safe to assume (!) that they cannot get in even though they are trying or What???
    As far as firewalls go, I glaze over when trying to figure them out. With the router, I never configured anything, I have always assumed (!) that once it is connected to my computer it automatically protects it. Am I wrong in this?? Checked out network everywhere's website and could not find anything else that I should have done with it when first installed.
    Any help with this is greatly appreciated.
    Thanks
    Chameleon
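
The "threshold limit" advice in the event 529 text above, worked through as an added example (not part of the original post): once the %1 to %6 placeholders are filled in, failures can be grouped by account, workstation and Logon Type and flagged when they exceed a limit within a time window. The pipe-delimited export format, the sample events, the account and workstation names, and the limit and window values are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Logon Type codes Windows records in logon events (subset).
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               10: "remote interactive"}

# Constructed sample export: time|event id|field: value|... (not real log data).
SAMPLE = """\
2004-01-10 19:30:00|680|Logon account: Owner|Source Workstation: HOMEPC
2004-01-10 19:30:00|529|User Name: Owner|Logon Type: 2|Workstation Name: HOMEPC
2004-01-10 21:00:00|529|User Name: Owner|Logon Type: 2|Workstation Name: HOMEPC
2004-01-11 12:00:00|529|User Name: Owner|Logon Type: 2|Workstation Name: HOMEPC
2004-01-11 12:05:01|529|User Name: Administrator|Logon Type: 3|Workstation Name: REMOTE
2004-01-11 12:05:03|529|User Name: Administrator|Logon Type: 3|Workstation Name: REMOTE
2004-01-11 12:05:04|529|User Name: Administrator|Logon Type: 3|Workstation Name: REMOTE
2004-01-11 12:05:06|529|User Name: Administrator|Logon Type: 3|Workstation Name: REMOTE
2004-01-11 12:05:09|529|User Name: Administrator|Logon Type: 3|Workstation Name: REMOTE
"""

def parse_events(text):
    """Turn each exported line into a dict with 'time', 'id' and the named fields."""
    events = []
    for line in text.strip().splitlines():
        stamp, event_id, *fields = line.split("|")
        rec = dict(f.split(": ", 1) for f in fields)
        rec["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        rec["id"] = int(event_id)
        events.append(rec)
    return events

def over_threshold(events, limit=3, window=timedelta(minutes=10)):
    """Return {(user, workstation, logon type): peak} for sources that logged
    more than `limit` event-529 failures inside any `window`-long span."""
    by_source = {}
    for e in events:
        if e["id"] == 529:
            kind = LOGON_TYPES.get(int(e["Logon Type"]), "other")
            key = (e["User Name"], e["Workstation Name"], kind)
            by_source.setdefault(key, []).append(e["time"])
    flagged = {}
    for key, times in by_source.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    print(over_threshold(parse_events(SAMPLE)))
```

In this constructed data the three widely spaced interactive failures stay under the limit, while the burst of network-type failures from another workstation is flagged.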

  7. #7
    Super Moderator jscher2000's Avatar

    Re: suspected hack attempt (Home)

    A suggestion for protecting yourself while surfing: Adjust your Internet zone security settings to limit ActiveX control behavior. Tools>Internet Options...>Security, highlight Internet, click Custom Level. Then, for the first five options, choose Prompt, Disable, Disable, Prompt, Enable. It's a bit annoying because now you'll get a Yes/No prompt for all ActiveX controls, including Flash, without being told what they are. But I think these are some of the few types of content that could possibly "log on" to your computer.

    Regarding the password, it's a pain to set up a new profile, so it probably does make the most sense to continue using the one you use now, and set up a password for it.
