Have I been hacked?
August 4, 2007 6:31 PM

Today I turned off my main computer and was told by Windows that "other users are logged in, are you sure you want to shut down?" Trouble is, I know none of the other accounts was logged in. The real kicker, however, is that this happened last night on another machine on my network. I have to use WEP to secure my wireless because my print server is old and doesn't use WPA, but it is hard to imagine that someone would be parked within range of my wireless with intent to hack me, especially when my next door neighbor's wireless connection is wide open and unsecured. Is there a benign reason why Windows XP SP2 might think someone else was logged on?

P.S. My virus software is up to date, and my internet habits are not particularly risky (outside of the occasional BitTorrent download).
posted by Crotalus to computers & internet (16 comments total) 1 user marked this as a favorite

Would it be possible for some sort of spyware to be acting like some kind of server, thus making your computer think someone is logged on?
posted by curiousleo at 6:36 PM on August 4, 2007


Are you certain that no shared files/printers had been accessed by another computer on your network since the last boot? I often get this message while rebooting my media server, even if I've done as little as launching a playback application on a remote machine with shared files in its previously loaded playlist.
posted by waxboy at 6:41 PM on August 4, 2007


even if I've done as little as launching a playback application on a remote machine with shared files in its previously loaded playlist

I did this very thing, but the shared files are on my NAS, not the machine that gave the alert. Would this matter?
posted by Crotalus at 6:44 PM on August 4, 2007


Yup, you'd be logging in to your NAS box, not the machine in question.
posted by waxboy at 6:50 PM on August 4, 2007


Are you sure that was the exact error message? Was it locked?

It sounds like someone was connected via remote desktop and when you logged in, it logged them out. If so, you have been compromised somehow. If you can't clean it using antivirus tools I suggest you wipe, reinstall Windows, and do all the updates.

Most likely no one came in through the wireless, but sent you an embedded virus in a download. BitTorrent can be incredibly risky if you are downloading pirated software, which can and does contain a homemade virus/trojan.

See this previous askme for more info.
posted by damn dirty ape at 7:59 PM on August 4, 2007


Err, now that you mention it, that's the error when you shut down and there is an active SMB share.

Do this. Right click on My Computer, go to Manage, and click on shares. Are all those shares yours? Are they password protected?

Now click on sessions to see active people connected to your computer. Someone may have compromised your WEP and connected to an open share on your PC.
posted by damn dirty ape at 8:01 PM on August 4, 2007 [1 favorite]


It lists C:\ as being shared. It also lists C:\Windows as being shared. There is something else called IPC$ that I have no idea what it is. These ain't mine. HELP!!!!
posted by Crotalus at 8:08 PM on August 4, 2007


those are default windows shares. the root of your HDD(s) is always shared (as C$ or D$ or whatever, depending on your computer) and IPC$ is for sending messages between apps running on different computers. these are configured by Windows itself and cannot (easily) be turned off. turn Windows Firewall on and make sure it's not set to allow incoming file and print sharing.
posted by mrg at 8:14 PM on August 4, 2007


Try this:

Close all applications that you are running.

Choose Start->Run.

In the window that pops up, type:

cmd

Another window will pop up. In that window, type:

netstat -an

This will show all the open connections to and from your computer. You can post the results here for us to look at, or check each IP address listed on samespade.org to see where they are. That will give you a better idea, assuming that any attacker didn't rootkit your system.
posted by procrastination at 8:17 PM on August 4, 2007 [3 favorites]


Oh, and you can ignore any 127.0.0.1 connections. Those are local to your computer and don't go across the internet.
posted by procrastination at 8:20 PM on August 4, 2007
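
One way to sort `netstat -an` output along the lines suggested above, as an added example that is not part of the thread: it drops loopback rows and separates connections made to this machine's file-sharing and Remote Desktop ports from ordinary outbound ones. The sample output and its addresses are constructed, and the port list (139, 445, 3389) and the LAN/Internet split by RFC 1918 range are assumptions chosen to match the SMB and remote desktop discussion.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.23:1187      ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.45:50211     ESTABLISHED
  TCP    192.168.1.10:1245      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed ports of interest: file sharing (NetBIOS/SMB) and Remote Desktop.
SERVICE_PORTS = {139: "NetBIOS session", 445: "SMB", 3389: "Remote Desktop"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def triage(netstat_text):
    """Return (inbound, outbound) lists of established, non-loopback TCP connections."""
    inbound, outbound = [], []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows carry no session state
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if state != "ESTABLISHED":
            continue  # LISTENING means a service is waiting, not that anyone is connected
        remote = ipaddress.ip_address(remote_ip.strip("[]"))
        if remote.is_loopback:
            continue  # 127.0.0.1 traffic never leaves the machine
        scope = "LAN" if any(remote in net for net in RFC1918) else "Internet"
        if int(local_port) in SERVICE_PORTS:
            # A peer connected to one of our service ports: someone is using this machine.
            inbound.append((SERVICE_PORTS[int(local_port)], remote_ip, scope))
        else:
            outbound.append((remote_ip, int(remote_port), scope))
    return inbound, outbound

if __name__ == "__main__":
    for service, peer, scope in triage(SAMPLE)[0]:
        print(f"inbound {service} session from {peer} ({scope})")
```
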


Everything looks kosher for now with netstat, but it's time for a fresh OS install anyway. I never thought about the possibility of a home brew trojan that could ride along with downloaded software, but this seems to be something that could have happened, and happened recently. Cracking my WEP key would make no sense given the number of free and easy open WiFi networks in my densely populated neighborhood. At any rate, I have some new tricks now if anything like this happens after a fresh OS install.
posted by Crotalus at 8:34 PM on August 4, 2007


You probably don't need to reinstall. It looks like you just have the default shares. Read this on how shares work and changing them.

Also, did you check under sessions? You'll see who/what is connected.
posted by damn dirty ape at 9:46 PM on August 4, 2007


Wait, what? Since when is the root of a Windows drive shared by default? Everything I've ever read has said that's bad.
posted by limeonaire at 9:49 PM on August 4, 2007


I doubt you were compromised and need a fresh OS install. The NAT firewall on your WiFi router blocked any unsolicited connections to your machine.
posted by dendrite at 11:11 PM on August 4, 2007


Limeonaire, the root drive is shared but the protections on the share make it so that the admin password is needed to access it.

It's shared in order to permit remote backup, basically, in corporate networked environments. The default share is not "wide open"; it's locked up tight. (Or as tight as anything Microsoft ever locks up, which probably isn't very.)
posted by Steven C. Den Beste at 2:37 AM on August 5, 2007


This may not be offered by all routers, but if I log in to my (NetGear) router, there's an option called "Attached Devices". It lists which computers are currently using the WiFi connection.

This won't tell you if you're hacked, only if someone else is using your connection. But it may be useful.
posted by snarfois at 6:48 AM on August 5, 2007

