I know this will lack detail, but I would like to know if this can be done....
I run Windows on my gateway, and someone told my sister that they got our IP address through MSN Messenger (not really concerned about that), then they said that they 'entered' the gateway through port 137, accessed the registry and stole the CD key.
I do run a firewall on the server, and have done security checks and all the ports I can see (definitely 137) are on stealth status.
Just want to ask is it actually possible to do what I described above?
I'm still waiting to talk to this person again and see how he did it (if it's true).
Re: Question with port 137
14 years 10 months ago #2032
137 is NetBIOS Name Service, and 139 is NetBIOS Session...
Any half ass firewall will block inbound port 137 and 139 by default. These ports might become an issue if you were sharing files.. something that I assume you aren't doing..
Furthermore, for them to be able to get your IP address off MSN they would have to have a file transfer get started (there is another way that was recently spoken about on the security lists.. but the new version 6.1 covered that.. not to mention it would be very difficult to execute).
Next.. if someone had access to your machine.. the last thing they would do would be steal the CD-KEY from the registry.
Based on what you've told me, I'd be very highly inclined to think this is bullshit...
As Chris said.. where's the proof?
And take it from me, anyone who spends their time with 'hacks' like these is more likely to just delete your files than do anything else.
Just put some heat on them.. tell them your firewall logged the IP address and you've submitted it to DShield as well as sent off a mail to their ISP informing them about the matter.. tell them that you were told their IP was listed at DShield as an offender and the ISP is taking the matter very seriously.
In case you're the paranoid sort, I would just run a portscan over my machine.. from some machine on the other side of the firewall (you can get a friend to do it) and see what you see.
Oh yeah, if they stole a CD key they're also violating piracy laws (or so you can tell 'em).
Oh one more thing, I just had a look at your IP address (the forums let admins and moderators see the IP posted from) and it seems to be assigned to you dynamically... in other words every time you connect you're getting a different IP
I'm assuming you're posting from the supposedly 'compromised' machine. :roll:
You could have a look at the 'Locking Down Win9x' article under the 'Firewalls' section at the top of the site.. I'm not sure how up-to-date it is, but the same basic tenets apply everywhere.
Lemme know if there's anything else you want to know.
I agree with saying that it probably was BS. I ran ALL security tests on grc.com AND the Sygate security scan, and they all came back saying my system is as safe as it can be for a Windows-based OS.
I run ZoneAlarm on the main server, so if it did get infected with a Trojan, well, hopefully ZA would have come up with a popup box telling me this runme.exe program wanted to access the Internet :wink: .
(Just like that stupid email virus subject "I love you (IM not a VIRUS!)" haha I laughed my guts out that day)
Half of the problem is also my sister's description. In her past using the Internet she did get a Trojan with the old excuse "Here's a screen saver"; the bastard was doing the normal stuff kids do, i.e. making the CD-ROM open and close, flipping the monitor, etc... Good to know she unplugged the comp straight away before anything else could have been done, so I do think that experience has left her a bit paranoid about it if someone says they can get into our gateway, and to make it harder, this person she was talking to is an actual hacker (i.e. has been banned from using a comp for a few years), or so I have heard.
But from where it stands now I think it's total BS. But I do agree with you Chris saying that if he DID get in, it would have been because of MSN Messenger.
Note: Speaking of messenger sahirh, I found that out too with the old version.. Doing a file transfer, then I wondered if it was a direct connection, typed up netstat and there you go someone’s IP address
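Two checks come up in this thread: whether the NetBIOS ports (137/139) are actually reachable from outside the firewall, and the `netstat` trick for seeing the far end of a Messenger file transfer. The script below is an added example, not something posted in the thread or shipped with any of the tools mentioned: it reads `netstat -an` output in the format Windows prints, lists NetBIOS/SMB listeners bound to anything other than loopback (the sockets a border firewall has to drop for a "stealth" scan result to mean anything), and lists established TCP sessions whose peer is outside the LAN. The `netstat` text is a constructed sample, not a real capture, and the port and address values in it are made up.

```python
"""Triage helper for the checks suggested in the thread: parse `netstat -an`
output as printed by Windows, list NetBIOS/SMB listeners (137/138/139/445)
reachable from the network, and list established TCP sessions whose far end
is outside the LAN.  Added example; the sample output below is constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the thread discusses, plus 138 (NetBIOS datagram) and 445 (direct SMB).
NETBIOS_PORTS = {137, 138, 139, 445}

# Ranges treated as "inside": loopback, RFC 1918 and the unspecified block.
# ipaddress.is_private is deliberately not used because it also matches the
# documentation range 203.0.113.0/24 used for the sample peer below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "0.0.0.0/8")]

# Constructed sample of `netstat -an` on a Windows box (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1032       203.0.113.7:6891       ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.5:139' -> ('192.168.1.5', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # skips the banner and the column header line
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        conns.append(Conn(parts[0].upper(), lhost, lport, rhost, rport, state))
    return conns


def is_local(ip: str) -> bool:
    """True for loopback/RFC 1918/unspecified addresses and for non-addresses
    such as '*', none of which is a remote peer worth reporting."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


def exposed_netbios_listeners(conns: List[Conn]) -> List[Tuple[str, Optional[int]]]:
    """NetBIOS/SMB sockets bound to something other than loopback, as (proto, port)."""
    return sorted({(c.proto, c.local_port) for c in conns
                   if c.local_port in NETBIOS_PORTS
                   and c.state in ("LISTENING", "")
                   and not c.local_ip.startswith("127.")})


def external_peers(conns: List[Conn]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Established TCP sessions to addresses outside LOCAL_NETS, as
    (remote ip, remote port, local port)."""
    return sorted({(c.remote_ip, c.remote_port, c.local_port) for c in conns
                   if c.proto == "TCP" and c.state == "ESTABLISHED"
                   and not is_local(c.remote_ip)})


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("NetBIOS/SMB listeners:", exposed_netbios_listeners(conns))
    print("External peers:", external_peers(conns))
```

Run it on the real thing with `netstat -an > ns.txt` and feed the file contents to `parse_netstat`. A listener showing up in the first list is not by itself a problem; it only says the service is bound, and the firewall (or an outside scan, as suggested above) decides whether it is reachable. The second list is the `netstat` observation from the last post made repeatable: any peer it reports is an address the other side of a transfer can see just as easily.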