Hacker or Stupid Computer?

[r1zeek]

Just now, i was happily talking to my friends on MSN when my firewall crashed (which i have never know it to do) it told me it had had a runtime error in C++. Now im running the pro version of Zonealarm and its been pretty good to me. I looked into the logs after the said crash and all the the logs have gone, every single one. The logs are completley empty. usually they are filled with port blocking stuff.
When i ran Netstat it had extra connections to ips i've never seen (i could see the ones going to msn, i wasnt on hexus or any other web page and i had a netbios session which is my network (i presume as its always there)
Did I get hacked or am I being paranoid?

[Dave_07]

ZA seems to have a break in it's armour somwhere, as people (i've noticed) have found a way to crash the Vsmon to weaken it and then bash away at you directly.
peeps can use/go through MSN to can get ya ip and so then attack.

Zone Labs won't admit theres a prob tho, or they don't know about it.
The logs going bye bye, is classic of what ever it is they are doing to ZA.

[Stoo]

I binned ZA long ago and went with a hardware firewall..

[Paul Adams]

What's your version of ZA Pro?
Latest is 5.0.590.043.

And all the logs in "C:\WINDOWS\Internet Logs" are gone?
Did you get any message about a corrupt .RDB file at any point? (Or checked in your event log?)

Might be worth trying to get hold of a freeware undeletion tool to see if the last log could be recovered, if they are indeed gone.

What were the ports in question that you saw open using netstat?
That should give a clue as to the direction and nature of the connections...

[Stoo]

there's a netstat -b option which will list the application which opened the port too..

[Stoo]

just did that on this system..

Code:

C:\Documents and Settings\Stoo>netstat -a -b

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    tangent:smtp           tangent:0              LISTENING       3324
  [adr.exe]

  TCP    tangent:http           tangent:0              LISTENING       1524
  [Apache.exe]

  TCP    tangent:http           tangent:0              LISTENING       1348
  [Apache.exe]

  TCP    tangent:epmap          tangent:0              LISTENING       892
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    tangent:microsoft-ds   tangent:0              LISTENING       4
  [System]

  TCP    tangent:3280           tangent:0              LISTENING       1544
  [DUService.exe]

  TCP    tangent:3306           tangent:0              LISTENING       1840
  [mysqld-nt.exe]

  TCP    tangent:4002           tangent:0              LISTENING       1484
  [DCPFLICS.exe]

  TCP    tangent:4222           tangent:0              LISTENING       456
  [sfmgr.exe]

  TCP    tangent:5679           tangent:0              LISTENING       3188
  [WCESCOMM.EXE]

  TCP    tangent:40019          tangent:0              LISTENING       1544
  [DUService.exe]

  TCP    tangent:1029           tangent:0              LISTENING       2588
  [alg.exe]

  TCP    tangent:31595          tangent:0              LISTENING       3240
  [WebProxy.exe]

  TCP    tangent:netbios-ssn    tangent:0              LISTENING       4
  [System]

  TCP    tangent:1979           localhost:1980         ESTABLISHED     2124
  [firefox.exe]

  TCP    tangent:1980           localhost:1979         ESTABLISHED     2124
  [firefox.exe]

  TCP    tangent:2492           baym-cs153.msgr.hotmail.com:1863  ESTABLISHED
  3360
  [msnmsgr.exe]

  TCP    tangent:2834           localhost:http         CLOSE_WAIT      3360
  [msnmsgr.exe]

  TCP    tangent:3467           deepthought.34sp.com:http  TIME_WAIT       0
  UDP    tangent:isakmp         *:*                                    636
  [lsass.exe]

  UDP    tangent:1326           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:1175           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:4500           *:*                                    636
  [lsass.exe]

  UDP    tangent:1327           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:2498           *:*                                    3360
  [msnmsgr.exe]

  UDP    tangent:2988           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:1317           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:1025           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:4333           *:*                                    456
  [sfmgr.exe]

  UDP    tangent:1026           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:microsoft-ds   *:*                                    4
  [System]

  UDP    tangent:1328           *:*                                    1004
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    tangent:18001          *:*                                    3240
  [WebProxy.exe]

  UDP    tangent:ntp            *:*                                    968
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    tangent:1900           *:*                                    1068
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    tangent:1255           *:*                                    3360
  [msnmsgr.exe]

  UDP    tangent:1900           *:*                                    1068
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    tangent:netbios-dgm    *:*                                    4
  [System]

  UDP    tangent:netbios-ns     *:*                                    4
  [System]

  UDP    tangent:discard        *:*                                    3360
  [msnmsgr.exe]

  UDP    tangent:16265          *:*                                    3360
  [msnmsgr.exe]

  UDP    tangent:ntp            *:*                                    968
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

waaah! that's a lot of junk lol

[Dave_07]

netstat ? Freeware proggy, or run command ?

[Stoo]

run command

[Dave_07]

lol there's also a freeware proggy Googled.. :-)