01-05-2007, 10:15 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I have definitely logged onto P* in the past week. Played last on 12/28.
I haven't logged into Neteller since mid-September.

Quote: Originally Posted by Harlequin011
> .. she hasn't logged into P* for 9 months.

01-05-2007, 10:16 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Quads,
Thanks for the excellent detailed post.
I wasn't using the default password, so that's done.
My gaming/applications tab looks very different from yours though. Here's a screen shot. Note that I don't have the UPNP option and that everything on it is disabled. All the other tabs are disabled as well.
I didn't have the latest firmware, but do now.
Remote management is disabled and I can't find the DHCP clients table.
Lastly, UPNP is enabled and sog's earlier post suggested that it shouldn't be so I've disabled it. What does that setting do?
Thanks for all your help.
-jamby

Quote: Originally Posted by Quads
> To check your Firewall, log in with your user name and password to the IP address. (Typically 192.168.x.x) This is one of three firewalls in my network, so it should be similar looking to yours.
> If the defaults are set for the password, change them.
> Click on "Gaming / Applications" and you should have a few tabs under it.
> Port Forwarding / Triggering / UPnP / DMZ / and QoS.
> Generally speaking, unless you have a **VERY SPECIFIC** requirement, there should be **NO** ports open, forwarded, triggered, etc. within your firewall. There may be some information in there (such as ports listed, port numbers, etc.), however they will / should be disabled.
> I have / use other servers / applications, etc. which require having particular ports open, or forwarded to other machines on my network, so your screen won't look exactly like mine, but the point being that they should be disabled.
> Scroll through each of the sub tabs and verify that each is disabled.
> One other thing to check is that your firewall / router is running the most current release from Linksys. Go to their website, and check the current release, and under "Status" tab, you should have the info on which firmware version you are running. If you are running an older version, do the upgrade if / as needed.
> Two other things worth a look in your FW would be your DHCP Clients Table. You should be able to identify each IP address or description of the machines which have an IP address issued to them.
> The other thing to make sure of is that remote administration / upgrades / access / etc. is disabled.

01-05-2007, 10:36 AM
all chips, no cash | Join Date: May 2006 | Location: the mailbox, waiting | Age: 46 | Posts: 3,953 | Chips: 1,487
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I don't know if you arrived at any security conclusion (I glossed over the last couple pages)(you are in total stealth mode using security software, you have your wireless and/or hardware firewall passworded, update your OS with security patches regularly, and don't frivolously install gunkware?, well OK).
so getting back to basics:
Have you accounted for ANY computers that you used neteller or P* on that may have saved your login and password or have access to your main computer via network?
And isn't it suspicious the $$ went to OTHER poker sites (why?)?
I'd be looking for a rat using one of your old computers if that is at all likely.
And do you know anyone at work that also plays poker online?
__________________
do I really need to buy more chips again?

01-05-2007, 10:44 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I've never played at any online gaming sites on any computer other than the two that I now own and are accounted for.
I'm not aware of anybody at work who indulges in online gaming.
Not sure that it's all that suspicious about the money going to other gaming sites.

Quote: Originally Posted by EmptyPocs
> Have you accounted for ANY computers that you used neteller or P* on that may have saved your login and password or have access to your main computer via network?
> And isn't it suspicious the $$ went to OTHER poker sites (why?)?
> I'd be looking for a rat using one of your old computers if that is at all likely.
> And do you know anyone at work that also plays poker online?

01-05-2007, 10:45 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I want to block these IPs as sog suggests below.
Can somebody please tell me how to do that?
Thanks,
jamby

Quote: Originally Posted by shadesofgrey
> Well, if you don't work for coremetrics or use that other website. I would block the ip addresses with your router. they look fishy to me. I mean why would you be connected to them unless you're using them for some reason.
> 66.179.217.215 -- loads a page that says: "Server: Infda10" Coremetrics - that IP address is owned by Inflow Inc. http://www.availability.sungard.com/inflow/ - they were acquired by sungard today ??!?
> 66.226.18.171 -- Alchemy Communications, Inc. - http://www.alchemy.net/ - looks like a data service center.
> Weird. I have no clue why they would be connected to your PC.
> I mean the other IP addresses listed on netstat were google, CT, and ImageShack. So you are definitely connected to whatever those IP addresses are.
> Try blocking them with your router. And see if a particular service breaks, if not they may be the rat.

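Added example, not part of the thread: the netstat review shadesofgrey describes in the quoted post, written as a Python sketch that reduces `netstat -ano` output to the public addresses holding established TCP sessions and the PIDs that own them. The sample output is constructed; only the two public addresses come from the thread, while the local addresses, ports and PIDs are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout printed by Windows `netstat -ano`.
# Only the two public addresses appear in the thread; local addresses,
# ports and PIDs are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     2204
  TCP    192.168.1.100:1187     192.168.1.1:80         ESTABLISHED     3120
  TCP    192.168.1.100:1201     66.179.217.215:80      ESTABLISHED     3120
  TCP    192.168.1.100:1202     66.179.217.215:80      ESTABLISHED     3120
  TCP    192.168.1.100:1215     66.226.18.171:443      TIME_WAIT       0
  TCP    192.168.1.100:1340     66.226.18.171:80       ESTABLISHED     1876
  UDP    0.0.0.0:1900           *:*                                    1044
"""


def external_peers(netstat_text):
    """Map each public remote IP with an ESTABLISHED TCP session to the
    sorted list of (remote_port, pid) pairs seen for it."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows for TCP have exactly five columns; headers, UDP rows
        # (no State column) and blank lines do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        host, _, port = fields[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6
        except ValueError:
            continue  # not a numeric address; skip rather than guess
        # Loopback, RFC 1918 and link-local peers are local traffic.
        if ip.is_global:
            peers[str(ip)].add((int(port), int(fields[4])))
    return {ip: sorted(pairs) for ip, pairs in peers.items()}


if __name__ == "__main__":
    for ip, pairs in sorted(external_peers(SAMPLE_NETSTAT).items()):
        for port, pid in pairs:
            print(f"{ip:<16} port {port:<5} pid {pid}")
```

The PID column can be matched to a process name with `tasklist`, which shows which program holds the connection before deciding whether the address should be blocked.
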
01-05-2007, 10:48 AM
ChipTalk.net Article Writer | Join Date: Dec 2006 | Location: Vienna, Austria | Posts: 582 | Chips: 741
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Quote: Originally Posted by WolfPack
> damn, not only is the guy a crook, but a donk as well. He lost $300 in a day.

or his box is a drone to collect the money from compromised accounts and then lose the money on purpose to cover the tracks...
anyway, write a mail to ntl.com to find out if the ip is a dynamic or static ip. if it's dynamic you'll need the exact time.
then go to the feds and make them find out who the guy is.

01-05-2007, 11:16 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I know who the guy is. At least the guy with the Betway account that got $300 of my money.

Quote: Originally Posted by weak
> or his box is a drone to collect the money from compromised accounts and then lose the money on purpose to cover the tracks...
> anyway, write a mail to ntl.com to find out if the ip is a dynamic or static ip. if it's dynamic you'll need the exact time.
> then go to the feds and make them find out who the guy is.

01-05-2007, 11:31 AM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Here's the IP address of the guy who was logged into my P* account yesterday and withdrew funds to NT: 74.192.229.193.
How do you all look up all this info on IP addresses?
-jamby

01-05-2007, 12:04 PM
On the Bubble | Join Date: Dec 2006 | Location: Seattle, WA | Posts: 172 | Chips: 159
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

It is extremely suspicious that you know the person that got your funds. Do you know them in "Real Life" or strictly online? Has that person ever been anywhere near your computers or network?
On your router: I think the security tab has an address block feature that can allow you to block addresses.
On your PC: not finding anything doesn't necessarily indicate that there aren't spyware/trojans/keyloggers running. I would seriously consider backing up your data and reloading the operating system, or buying a new hard drive, loading the OS onto the new drive, and saving the current drive for potential forensic analysis.
Some scanning software can be run from a bootable CDROM. I can't remember if you've done that yet. If the machine is compromised, anything that you try to run on it can potentially be "tricked" by stealth techniques. Stealth tools are readily available to do this - see http://news.com.com/FAQ+Sonys+rootki...3-5946760.html for a bizarre case.

01-05-2007, 12:08 PM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

You misunderstand. I don't 'know' them, I know who they are because I've been investigating this for the past 24 hours. I have no clue about this person except that they are a crook.
I see a 'website blocking by url address' option on my router, but nothing to block an IP address.

Quote: Originally Posted by Zentish
> It is extremely suspicious that you know the person that got your funds. Do you know them in "Real Life" or strictly online? Has that person ever been anywhere near your computers or network?...On your router: I think the security tab has an address block feature that can allow you to block addresses.