Symptoms of being hacked? Please help!!!

andyf

New Around Here
My computer was recently infected by some trojans and worms after I downloaded a couple of "Free" games using uTorrent. After cleaning using Trend Micro and deleting some files, the virus scan shows no more infection. However, my router has not been behaving since.

I use a Netopia DSL modem along with a D-Link wireless router. My network consists of one wired desktop and one wireless laptop. I use WPA with my own SSID and a computer-generated random passphrase.

My laptop gets disconnected often, and the router sometimes reboots itself and then shows my laptop as "unknown", but with the correct MAC address.

The router log is cleared each time it reboots itself, but this time I decided to check it before it did, and I found this:

Sep/15/2008 14:53:09 Unknown Packet!! 67.152.43.17:14972 192.168.1.3:2579 Packet Dropped
Sep/15/2008 09:22:33 Unknown Packet!! 67.152.43.17:14907 192.168.1.3:6486 Packet Dropped

Still getting Unknown Packets after I disabled wireless.

Are these symptoms of being hacked? Please kindly help me!
 
Log/malware:
Probably BitTorrent traffic, but you're not off the hook.

If malware was phoning home, you wouldn't be able to tell based solely on packets rejected on the basis of not having a NAT table entry.

You place more faith in AV software than I do; I'd have reformatted to be on the safe side. An hour spent reinstalling is a small price to pay for peace of mind.

Router/wireless:

Compromised PCs are a commodity in the lucrative world of cybercrime. It makes no sense to reduce availability/uptime just to cause you problems; I'd want my systems up as much as possible to send spam.

Your issues with wireless could be explained by interference from other networks or a flaky router. Do a site survey, then based on those results test router stability with no BitTorrent traffic, then with no wireless clients.
 
Personally, I always format after a serious infection, or just about any infection for that matter. No matter how well I seem to 'clean' the infection, there are usually lingering symptoms. Personally, I would play it on the safe side and format. The couple of hours will be worth the peace of mind.

Wireless issues could be something different. Try rebooting the router and perhaps setting a different wireless channel (channels 1, 6, and 11 are preferred).
 
Thank you very much, guys.

May I ask:

1. Besides reformatting the HD, what needs to be done to the modem and router?

2. How do I back up my data without backing up the virus? My external HD is already infected; it will infect the reformatted PCs once I plug it in again.

Please advise.
 
Most viruses tend not to affect generic files like .docs, MP3s, etc. Most viruses these days tend to only attack Windows system files and the registry, and don't really affect the actual hard drives themselves - just Windows and system files. Try to find out exactly what virus it is, and look it up online. Symantec, Trend Micro, etc. all have good virus encyclopedias which should give you all of the technical details of the virus and what it does. One thing you can do is get a live Linux CD like Knoppix or Ubuntu, which will give you a full desktop environment from a bootable CD, where it's then safe to manipulate files or plug in a hard drive. Whenever I have a system that's totally pooched or infected with something, this is usually what I do. From within Linux, you can do virus scans if need be (AVG for Linux, various online scanners).

Shouldn't have to do anything to your modem or router as far as the virus goes. Not a bad idea to take the opportunity to upgrade your router's firmware to the latest version (available on the router manufacturer's website). Otherwise, to help fix your connection issues, follow some of the advice above.
 
A valuable tool in this case is TCPView, freeware from Sysinternals. It will show you the active connections, inbound and outbound, and the IP addresses and ports. When you are not browsing the internet, you should have very few open connections, and you will be able to identify them by IP/port - e.g. you may have a connection to another computer in your net (shared folders), but not to an external IP.

A quick check: you may also have a look at the network activity when uTorrent is not running. If the Task Manager's network tab shows significant traffic, there is something wrong. Use the add columns menu to add bytes sent/sec and bytes received/sec. Then use TCPView to see where the traffic goes, and the executable that generates it.

For more analysis, you may also use Process Explorer from Sysinternals.

Do you have a NAS or a computer that runs web/FTP servers?
My LinkStation was hacked recently. I had FTP allowed on the router for outside use, but with a weak password. One evening I noticed the disk of the NAS was active without anyone at home doing anything. Well, someone was leeching files from my FTP. I can show you the log files. If you have web/FTP/SSH ports open on the router and forwarded to computers inside, they are subject to attacks all day long. They try lists of predefined user names and passwords - it is clearly visible in the log file.

I even e-mailed the log files to the owner of one of the domains that an attack came from - no answer at all.


The "free" stuff on the net is almost always packed with trojans, usually in the hack .exe that provides the serial number. One simple thing to do is to wait two weeks after the torrent has become available. By that time, most of the time, it is already clear whether it has a virus/trojan inside, and your antivirus has been updated to recognize it.

You must use antivirus and you must use an additional tool to monitor for registry changes. I use SpyBot, and it warns me if any application tries to change the registry to run itself every time.

Note that sometimes you do not even need to download anything to get infected - it is enough to visit certain sites. A good measure is not to go to such sites, or at least to do it using Firefox + the NoScript plugin.
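The TCPView check above (LAN connections such as shared folders are expected, connections to outside addresses are not when nothing is running that should be talking to the internet) can be scripted over a connection snapshot. This is an added example, not code from the thread or from Sysinternals; the process names, addresses and snapshot rows are constructed.

```python
"""Triage an active-connection snapshot: keep LAN/loopback traffic, flag
established or half-open connections to non-private addresses unless the
owning process is one the user is knowingly running at snapshot time."""
import ipaddress

# Constructed rows shaped like a TCPView/netstat listing:
# (process, protocol, local endpoint, remote endpoint, state).
# All process names and addresses are hypothetical sample data.
SAMPLE_SNAPSHOT = [
    ("System",      "TCP", "192.168.1.3:445",  "192.168.1.2:51120",  "ESTABLISHED"),
    ("svchost.exe", "UDP", "0.0.0.0:68",       "*:*",                ""),
    ("svchost.exe", "TCP", "192.168.1.3:1032", "192.168.1.1:80",     "TIME_WAIT"),
    ("firefox.exe", "TCP", "192.168.1.3:2581", "198.51.100.20:443",  "ESTABLISHED"),
    ("updsvc.exe",  "TCP", "192.168.1.3:1044", "203.0.113.9:6667",   "ESTABLISHED"),
    ("updsvc.exe",  "TCP", "192.168.1.3:1045", "198.51.100.7:25",    "SYN_SENT"),
]


def split_endpoint(endpoint):
    """Return (ip, port) for 'addr:port'; wildcard/unbound forms give (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host in ("", "*", "0.0.0.0", "[::]"):
        return None, None
    try:
        return ipaddress.ip_address(host.strip("[]")), (int(port) if port.isdigit() else None)
    except ValueError:
        return None, None


def is_local_network(ip):
    """RFC 1918, loopback and link-local addresses count as 'inside the LAN'."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_connections(snapshot, expected_processes=frozenset()):
    """Rows talking to a non-local address whose process the user cannot account for."""
    flagged = []
    for process, proto, local, remote, state in snapshot:
        ip, port = split_endpoint(remote)
        if ip is None or is_local_network(ip):
            continue  # unbound listener, or LAN traffic such as shared folders/router
        if process.lower() in expected_processes:
            continue  # e.g. the browser while you are browsing
        flagged.append((process, ip.compressed, port, state or proto))
    return flagged


if __name__ == "__main__":
    for row in suspicious_connections(SAMPLE_SNAPSHOT, {"firefox.exe"}):
        print("check: %s -> %s:%s (%s)" % row)
```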
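The password-list attacks described in the FTP story above leave a recognisable pattern in the server log: many failed logins from one source in a short window, cycling through user names. This added example (not from the thread, and not LinkStation or vsftpd code) detects that pattern over constructed vsftpd-style lines with hypothetical addresses and users.

```python
"""Find sources that fail logins repeatedly inside a sliding time window and
report the user names they cycled through."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the vsftpd format; addresses and users are hypothetical.
SAMPLE_LOG = """\
Sat Sep 13 02:14:01 2008 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 02:14:03 2008 [pid 2102] [root] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 02:14:04 2008 [pid 2103] [test] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 02:14:06 2008 [pid 2104] [ftp] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 02:14:09 2008 [pid 2105] [admin] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 02:14:11 2008 [pid 2106] [guest] FAIL LOGIN: Client "203.0.113.50"
Sat Sep 13 08:30:12 2008 [pid 2201] [andy] FAIL LOGIN: Client "192.168.1.2"
Sat Sep 13 08:30:20 2008 [pid 2202] [andy] OK LOGIN: Client "192.168.1.2"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_log(text):
    """Yield (timestamp, client ip, user, result) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """{ip: sorted user names tried} for sources with >= threshold failures in any window."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):       # sliding window over sorted failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits
```

A legitimate user mistyping once (the 192.168.1.2 lines) stays below the threshold, while the 203.0.113.50 burst is reported with the names it tried.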
 