Hacked?


Jeff

Hello. My ignorance will be vivid here....

I'm currently doing marketing at a small office, but, as
I'm technically inclined enough to be dangerous, in my
spare time I do the IS support as well. They had an outside
consultant set up the system, and he had done other
setups/management when needed, but he is no longer
available. He'd set up the network with a Symantec
VPN/Firewall appliance as the external gateway, but had
opened up ports to a server inside the network which is
currently hosting the email server (XMail), DNS, as well
as a simple web app to do web-mail checking for employees
from the outside. He also opened ports for SSL, termserver,
FTP, SMTP, and POP3, and another port for remote admin.

It looked a bit insecure to me when I noticed it, so I
installed ZoneAlarm on this server inside the network,
which is currently working. Plans are to move the web
serving onto another server which will be put into a DMZ.
After noticing these open ports, I also decided to pay
more attention to the firewall logs, and noticed not just
the normal external port scan attack blocks, but also that
a couple of computers, including the company server, are
attempting to access outside IPs using closed port calls
(therefore, the firewall catches and logs them). These
blocks come with the message 'Block host "" internet
access', and are typically using ports 139 & 445. It looked
suspicious, so I ran an fport scan on the server, and it
did show ports 139 & 445 open, but shows that the PID is
8 (the system)..... I also did some Ethereal scans of the
network, and they do show that the server is trying to
access this specific external IP address. Network servers
are Win2k, and we have Symantec AV Corporate on all
computers, running in real-time.

My question is (kudos if you've patiently read everything
so far), how do I find out what this process is that is
trying to do these accesses, or am I being overly
paranoid? As you can most likely tell from this, I'm not
the most technically adept IT support person, so I'd also
appreciate references/suggestions on materials to help me
out here.

Thanks in advance to all.
 

Ozone

These ports are some of the most commonly scanned on the Internet. Look at
http://www.dshieldorg/topports.php
If you are blocking access to these ports on your firewall, you should be
OK. Just be sure not to open them. These ports are used by Win2K for SMB
and NetBIOS functions.

Ozone
 

M. Steven

Have you thought about going to the Network Solutions site
and looking up the IP address through WhoIs? If it is the
same IP address, it will go to a specific computer in a
company, and if reported to that company, in all due
diligence, they should check. If it's an ISP to an
individual, you should at least be able to see if it is a
past employee.
 

Pete

Do you do any web surfing from these machines? You probably
have some BOTS installed on them. NAV doesn't stop BOT
attacks... do a search on the Internet for "SPYBOT Search
and Destroy" by Pepkik --- actually "Search and Destroy"
should work. It's a freebie, and has some great pointers on
the site. Install it on one of your machines, update the
latest definitions, and run a scan... it's all free, and
you'd be surprised what it finds.
 

Guest

Jeff,

There's no hacking going on here, but you could have some
form of malware residing on your hosts.

Traffic originating from those ports is NetBIOS traffic.
You should not have hosts on your network originating
NetBIOS traffic to the outside world unless you
specifically request it via some app.

If the IP addresses in the destination field seem to
change often and run in sequential order, then it's
definitely a virus or worm. If it tries to contact
seemingly random addresses, it could be a virus/worm or an
app like some peer-to-peer file sharing programs. Most
new P2P protocols go through HTTP, so this isn't likely.
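The rule of thumb in the reply above (sequential destinations means a worm, scattered ones could be a worm or a P2P app, one fixed destination is a host worth looking up) can be checked mechanically over the firewall's block log. The script below is an added example, not code from the original thread or from Symantec; the log line format, the IP addresses and the function names are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (format assumed; not the Symantec appliance's own).
SAMPLE_LOG = """\
10:01:02 BLOCK 192.168.1.10 -> 203.0.113.5:445
10:01:03 BLOCK 192.168.1.10 -> 203.0.113.6:445
10:01:04 BLOCK 192.168.1.10 -> 203.0.113.7:139
10:01:05 BLOCK 192.168.1.10 -> 203.0.113.8:445
10:02:00 BLOCK 192.168.1.22 -> 198.51.100.9:139
10:02:30 BLOCK 192.168.1.22 -> 198.51.100.9:445
10:03:00 BLOCK 192.168.1.30 -> 192.0.2.77:445
10:03:01 BLOCK 192.168.1.30 -> 198.51.100.200:445
10:03:02 ALLOW 192.168.1.30 -> 203.0.113.41:80
"""

LINE_RE = re.compile(r"^(\S+) (BLOCK|ALLOW) (\S+) -> (\S+):(\d+)$")
NETBIOS_PORTS = {139, 445}

def parse(log_text):
    """Return (src, dst, port) for every blocked NetBIOS/SMB line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "BLOCK" and int(m.group(5)) in NETBIOS_PORTS:
            events.append((m.group(3), m.group(4), int(m.group(5))))
    return events

def classify(dsts):
    """Label one source's destination pattern using the thread's rule of thumb."""
    uniq = list(dict.fromkeys(dsts))            # dedupe, keep first-seen order
    if len(uniq) == 1:
        return "single destination: identify that host and report it"
    ints = [int(ipaddress.ip_address(d)) for d in uniq]
    if all(b - a == 1 for a, b in zip(ints, ints[1:])):
        return "sequential sweep: almost certainly a worm"
    return "scattered destinations: worm or a p2p-style app"

def report(log_text):
    """Map each internal source host to a classification of its blocked traffic."""
    by_src = defaultdict(list)
    for src, dst, _port in parse(log_text):
        by_src[src].append(dst)
    return {src: classify(dsts) for src, dsts in by_src.items()}

if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Only blocked lines to ports 139 and 445 are considered, so allowed web traffic from the same host does not skew the verdict.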
 
