
View Full Version : Hackers??



Veale
26-09-2003, 09:23 AM
Morning,

Having a bit of trouble when on the internet at the moment. It started when I was in Christchurch: I would log onto xtra, start surfing and notice that my bytes sent were going at over 10kbs on a dialup connection. I had no file sharing software going so I was suspicious. I installed ZoneAlarm Pro and the problem stopped.

I am now back on the coast and logged in last night and it has started back up again. Info being sent is going at between 10-15kbs and I am unable to receive any bytes at all. This time ZoneAlarm is not helping. The only way I can stop it is to stop internet traffic through ZoneAlarm, but this stops my incoming traffic as well.

Who knows what is disappearing? Although ZoneAlarm did mention something about "DLLhost" or something along those lines.

This is starting to get on my nerves, any ideas?

Cheers, Veale

pompeymike
26-09-2003, 09:38 AM
If you open up a command box and type: netstat
it should give you a list of all addresses that you are currently connected to.

Mike
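
Added example, not part of Mike's post or anyone else's in this thread: a Python sketch that reads netstat output and reports any process contacting many different remote hosts on the same port, which is the pattern behind heavy unexplained outbound traffic. It assumes the numeric layout printed by `netstat -ano` (the post only says `netstat`); the sample text, addresses, PIDs and the `min_hosts` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout printed by `netstat -ano` on Windows;
# addresses come from documentation ranges and the PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    10.0.0.5:1031          198.51.100.7:80        ESTABLISHED     1500
  TCP    10.0.0.5:1040          203.0.113.11:135       SYN_SENT        1234
  TCP    10.0.0.5:1041          203.0.113.12:135       SYN_SENT        1234
  TCP    10.0.0.5:1042          203.0.113.13:135       SYN_SENT        1234
  TCP    10.0.0.5:1043          203.0.113.14:135       ESTABLISHED     1234
  UDP    0.0.0.0:1027           *:*                                    912
"""

def parse_netstat(text):
    """Yield (local, remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # skips headers, blank lines and UDP rows (no State column)
        _, local, remote, state, pid = fields
        host, _, port = remote.rpartition(":")  # last colon, so [IPv6]:port works
        if not (pid.isdigit() and port.isdigit()):
            continue
        yield local, host, int(port), state, int(pid)

def fan_out(text, min_hosts=3):
    """Return {(pid, remote_port): sorted hosts} where one process is reaching
    at least min_hosts distinct remote hosts on the same remote port."""
    peers = defaultdict(set)
    for _local, host, port, state, pid in parse_netstat(text):
        # Count outbound attempts as well as completed connections.
        if state in ("ESTABLISHED", "SYN_SENT"):
            peers[(pid, port)].add(host)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (pid, port), hosts in fan_out(SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} remote hosts on port {port}: "
              + ", ".join(hosts))
```

The PID it reports can be matched to a process name with the PID column in Task Manager.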

Susan B
26-09-2003, 09:50 AM
You are right to be suspicious but it could be something benign.

A search on Google brings up quite a bit about DLLhost, with one reference being to a DLLHOST.EXE virus. Have you run an up-to-date anti-virus scanner since this problem started?

I would also recommend running Adaware and Spybot - make sure you have them up-to-date as well.

If none of these scans solve the problem let us know and tell us what version of Windows you are running.

Veale
26-09-2003, 09:58 AM
Already have adaware and spybot, doesn't show up anything out of the ordinary.

Virus scanners aren't completely up to date so will do that next.

I am using XP and no, I haven't installed SP1 and would prefer not to.

Veale

Susan B
26-09-2003, 10:09 AM
I don't use Zone Alarm but I would have thought it would be able to tell you more about what is going out and where to. Someone else may be able to advise you there but in the meantime trying the netstat thing as Mike (I think it was Mike - can't see now) suggested will show you where you are connected to. Post the results on here if you can't figure out what any of the addresses are for.

agent
26-09-2003, 10:17 AM
If you can back up the rules about internet access that ZoneAlarm has, then I would try first using ZoneAlarm to clamp down on all internet access (i.e., don't allow it), then delete all the rules. If you're lucky, then you should get a popup from ZoneAlarm about what is trying to access the internet. Or you could get away with just deleting the last few rules in ZoneAlarm's list, if this occurrence has only been happening for a day.

BIFF
26-09-2003, 02:56 PM
If you are using W2K or XP you may have the Welchia worm. You can get a free Welchia scanning tool from Symantec here:
http://www.symantec.com/avcenter/FixWelch.exe

PoWa
26-09-2003, 04:10 PM
Yes, delete anything that looks suspicious in the firewall rules. Stuff with dll, host, svc, .exe are dodgy.