Firewall Wizards mailing list archives

RE: Help, some one's hacked into my home computer


From: "Michael J. Ballard" <mjballard () earthlink net>
Date: Sun, 2 Jan 2000 21:46:45 -0600

Okay....first of all, you don't need to be running a web server to provide
access to your file system. All someone needs to do is run a port scan to
find that you are doing NetBIOS file sharing on an interface with a legal IP
address. Then it is just a matter of adding your IP address and machine name
to the LMHOSTS file on their PC and using "net use G:
\\machinename\sharename" to map a drive directly to your file system.

You need to think about using a firewall device or proxy server between your
PCs and the DSL modem that does NAT (address translation) to prevent the IP
address of your PC from being seen by the outside world. Netwatch, BlackIce
and the likes are nice for reporting attacks, but it is often too late at
that point. With read/write access to your shares, someone could have easily
wiped out every file on your PC. Consider yourself lucky!

Next, Findfast is an indexing utility used by MS Office. It is installed by
default and runs at scheduled intervals to take inventory of your drives. The
FFASTUN.* you referred to is normal. I usually take Findfast out of the
startup folder whenever I install Office, because it slows your PC down
considerably every time it runs.

Last but not least, you should think about using a more robust OS besides
Windows 98 if you plan to share files. Windows NT Workstation, Windows 2000,
OS/2 Warp, Linux, etc. all allow you to set user-based security on your file
system. Windows 95 and 98 only give you the option of read-only or
read/write and anyone can access them.

Just my $.02 worth,

Mike


 ____________________________________
| Michael J. Ballard                 |
| Master CNE, MCSE, CCNA, ACP        |
| Enterprise Network Engineer        |
| Inacom Information Systems         |
| mballard () inacom-ar com             |
|____________________________________|



-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Richard
Toscano
Sent: Sunday, January 02, 2000 3:03 PM
To: firewall-wizards () nfr net
Subject: Re: Help, some one's hacked into my home computer


Actually, someone did hack my system, and used FINDFAST to scan for files.
They had opened a .MPG movie I had made from my digital camera. Here's my
setup: Win98SE with internet sharing enabled. I have a local net and am
trying to share the DSL connection amongst my various machines. The DSL
modem has a fixed IP and is always connected. The intruder came in to the
host machine and ran FINDFAST and was accessing the MPG. I caught all this a
day later. I guess their connection got hung. I used NETWATCH to discover
the connection, and what files they were looking at.

Seeing this, I looked over my system and found FFASTUN.* in both root
directories of my C and D drive. All files had the same time/date stamp when
the intrusion occurred. This matched the connection time reported by
NETWATCH.

So, Windows 98 SE with internet sharing is allowing people to hack into
systems from the outside. I don't have a web server running, so I'm not sure
what services they were using to access my file system. I did have the C and
D drives set up with full read/write shares! Ack, not again!

...Doug
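
The exposure described in the reply above (file sharing answering on an interface with a publicly routable address) can be checked from the PC itself. The following is an added example, not part of the original thread: it reads IPv4 `netstat -an` output and reports NetBIOS/SMB listeners reachable on a non-private address. The netstat text, the interface list and the function names are constructed for illustration.

```python
import ipaddress

# Ports used by Windows file sharing (NetBIOS over TCP/IP, and direct SMB).
SHARING_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB"}
# Ranges not routable from the Internet: RFC 1918, loopback, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: `netstat -an` on a PC with a LAN card and a DSL-facing address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.7:1042       198.51.100.20:80       ESTABLISHED
  UDP    203.0.113.7:137        *:*
  UDP    192.168.0.1:138        *:*
"""
SAMPLE_INTERFACES = ["192.168.0.1", "203.0.113.7"]  # constructed addresses

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def exposed_sharing_listeners(netstat_text, interface_addrs):
    """Return sorted (proto, address, port) for sharing ports open on a routable address."""
    public = [a for a in interface_addrs if not is_internal(a)]
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # an existing connection, not a listener
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in SHARING_PORTS:
            continue
        # 0.0.0.0 means "every interface", so it covers each routable address.
        bound = public if addr == "0.0.0.0" else [addr]
        findings.update((proto, a, int(port)) for a in bound if not is_internal(a))
    return sorted(findings)

if __name__ == "__main__":
    for proto, addr, port in exposed_sharing_listeners(SAMPLE_NETSTAT, SAMPLE_INTERFACES):
        print(f"{proto} {addr}:{port} ({SHARING_PORTS[port]}) is reachable from the Internet")
```

With only a private address on the PC, as behind a NAT device, the same netstat output yields no findings.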



