Thread: I believe I have been "hacked". Questions

  1. #1
    Member
    Join Date
    Mar 2002
    Posts
    45

    I believe I have been "hacked". Questions

    Hi all.

    Before I start my questions, just want to say this is by far my favorite forum. I "read up" on sysopt every chance I get. At least once per day. I glean so much info from here... it's like my newspaper. I do try and help others when I can, but most of ya beat me to it. Anyway, back to topic.

    My experience is mostly in hardware. I build computers for clients and friends, set up small networks, etc. But I have to be honest that networking is still somewhat a new thing for me. I get the basics of course, but don't know too much in depth.

    An example is security and firewalls. To be honest I never paid too much attention to security precautions. I like to reformat my Boxes at least twice per year and I back up all my data religiously. I always figured if someone wanted to get into my network and mess stuff up, I have nothing too private and could just reformat and start over from backups. But it never really happened to me. NOW IT HAS! hehe, and... to be honest... I feel a little violated.

    Here is my setup:

    Adelphia cable
    Motorola surfboard SB4101
    Linksys router BEFSR41 ver.2 10/100 wired
    3 Boxes

    Box 1:
    AMD XP 1900+ Dual Boot win2000 pro and win98se
    One partition is for all Data and is shared on network
    Win 98se for games, Win2000 Pro for business
    Main Box

    Box 2:
    AMD XP 1700+ Multi boot Win2000 pro/win98se/linux redhat 8 (Learning)
    Secondary box.

    Box 3:
    PII dual boot win2000pro/win98se
    Used primarily for downloading and P2P

    Symptoms:
    1) On box 1 alone, 1500 ***.eml files. One per folder and named using file and folder names found elsewhere on my comp. Most are 390 K and try to download something just when highlighted. When opened, they open an email (through Outlook Express) that has a Sample.exe file about 291K. Obviously I did not open this attachment. Others (about 2%) are over 2MB in size, but same otherwise. Other boxes have similar files.

    2) As mentioned, simply single clicking or highlighting these files causes an attempt to download something, and when I cancel, it brings up Windows Media Player to play them. Only by double clicking does Outlook Express open up.

    3) Box 3 asked me for my win2000 Pro CD because system files were missing or changed. (I did it, who cares at this point).

    4) Activity lights on my cable modem are excessive, even when no visible apps running.

    5) I know it probably doesn't have anything to do with it, but Messenger service keeps spamming me. I know I just have to disable that, but it is annoying.

    Not sure what else. Is this a worm or trojan?

    Not sure what I am gonna do, but I think a reformat, virus software and Zone Alarm are in store. Just wish I knew what I was protecting against.

  2. #2
    The Burninator sm8000's Avatar
    Join Date
    Aug 2002
    Location
    Chicago
    Posts
    3,566
    I would also download Ad-Aware and look for spyware.

  3. #3
    Member
    Join Date
    Sep 2002
    Location
    Ne Ohio
    Posts
    297
    With the eml's it sounds like a virus. But I would check the spyware and ad ware and also check the open ports on the router.

  4. #4
    Junior Member
    Join Date
    Nov 2002
    Posts
    6
    I would isolate one computer from my network and uninstall my a/v then reinstall it and get the latest updates. Most worms disable your a/v so they aren't seen when you do a virus scan. Then I would rejoin the net and run a virus scan from my known good pc. This might save you doing three fdisk, format, reinstalls.
    Hope this helps

  5. #5
    Member shark_megabyte's Avatar
    Join Date
    Mar 2002
    Location
    Kentucky US
    Posts
    357

    Re: I believe I have been "hacked". Questions

    Originally posted by axle619
    4) Activity lights on my cable modem are excessive, even when no visible apps running.

    If you're not reformatting right away, then install ZoneAlarm or other firewall now, set to high sensitivity for outgoing traffic. Stop everything suspicious. You don't want to become a pawn in some obsessive loser's DDoS attack (using your machines to flood others).
    -- Sharky
    Overclock Results: http://www.sysopt.com/cgi-bin/overc/readfull.cgi?record=12574
    Currently using Inspiron 9100 and Latitude CPxj

  6. #6
    Stark Raving MOD Midknyte's Avatar
    Join Date
    May 2002
    Location
    Arkham Asylum
    Posts
    22,270
    sounds like a virus to me. scan the sucker and see if you can purge it.

    btw, don't leave the default password on your router as admin. That's an easy way to leave the door open.
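
A read-only way to inventory the .eml files described in the first post and list which ones carry an executable attachment, without ever opening them in a mail client. This is an added example, not something posted in the thread; the function names, the extension list and the sample files are assumptions made for illustration.

```python
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as executable for triage (assumed list; extend as needed).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

def risky_attachments(eml_path):
    """Parse one .eml as inert data; return names of executable-type parts."""
    with open(eml_path, "rb") as fh:
        msg = BytesParser(policy=policy.default).parse(fh)
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and os.path.splitext(n)[1].lower() in RISKY_EXT]

def scan_tree(root):
    """Return sorted (path, size_bytes, risky_names) for each .eml with a hit."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".eml"):
                continue
            path = os.path.join(folder, fname)
            try:
                names = risky_attachments(path)
            except OSError:
                continue  # unreadable or locked file: skip, keep walking
            if names:
                hits.append((path, os.path.getsize(path), names))
    return sorted(hits)

def build_sample_tree(root):  # constructed data: fake Sample.exe + plain note
    bad = EmailMessage()
    bad.set_content("constructed sample body")
    bad.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="Sample.exe")
    ok = EmailMessage()
    ok.set_content("nothing attached")
    os.makedirs(os.path.join(root, "docs"))
    for rel, msg in (("docs/docs.eml", bad), ("note.eml", ok)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(msg.as_bytes())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, size, names in scan_tree(tmp):
            print(f"{path}\t{size} bytes\t{', '.join(names)}")
```

Run from a known good machine against the shared data partition, `scan_tree` gives a per-folder list that can be compared across the three boxes before deciding whether to clean or reformat.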
