01-04-2007, 09:14 PM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller account compromised - already lost over $1100

Turns out this message is too big for one post, so I'm going to split it.
Here's part #1.
Here are the Shields UP! test results.

The 1st thing I checked was for 'file sharing':

Shields UP! is checking YOUR computer's Internet connection security . . . currently located at IP: 67.173.37.253
Please Stand By. . . Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Next I checked the 'common ports':

Checking the Most Common and Troublesome Internet Ports
This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" or visible and soliciting connections from passing Internet port scanners.
Your computer at IP: 67.173.37.253 is being profiled. Please stand by. . .
Total elapsed testing time: 4.998 seconds
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

end of part #1
01-04-2007, 09:22 PM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller account compromised - already lost over $1100

Here's part #2 of my reply to sog:
Next I checked 'all service ports':
CT won't allow me to post the results because they're huge, but it came back all 'green' and 'stealth', which I take it is very good.
Next was 'messenger spam':
None of the four spam messages were received as popups as described, so that appeared to be a 'pass' like the other tests before it.
Next I did the 'browser headers' test:
Here's the header in secure mode:

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Connection: Keep-Alive
Host: www.grc.com
Referer: http://www.grc.com/x/ne.dll?rh1dkyd2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; ImageShack Toolbar 3.0.3)
Cookie: temp=harnvmihrpasn; perm=egnbnmnf03nkn
Content-Length: 31
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
FirstParty: https://www.grc.com
ThirdParty: https://www.grctech.com
Secure: https://www.grc.com
Nonsecure: http://www.grc.com
Session: fwj1hwxo5vp0e

Here's the output when I switch to non-secure mode:

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Connection: Keep-Alive
Host: www.grc.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; ImageShack Toolbar 3.0.3)
Cookie: temp=44scdmnr13r2e; perm=uqjphdzy1duvh
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
FirstParty: http://www.grc.com
ThirdParty: http://www.grctech.com
Secure: https://www.grc.com
Nonsecure: http://www.grc.com
Session: ly1dgk0vcdwvd

Not too sure what that test indicates.
I have a cable modem and a wireless home network with a Linksys Wireless-G 2.4 GHz router. It's a secure network.
I've looked at my firewall settings and all the programs look OK to me. Not sure exactly what to look for though. Can you tell me how to tell if UPnP is enabled or not? I'm unsure. Thanks again for all your help on this.
-jamby
01-04-2007, 09:41 PM
Mod & Postmeister General | Join Date: Apr 2005 | Location: Massachusetts | Posts: 15,520 | Chips: 14,462
Re: My Neteller account compromised - already lost over $1100

Andi, what's the IP address of the offender?
__________________
Member: 3U Crew
01-04-2007, 09:53 PM
World Series Final Table | Join Date: Apr 2005 | Location: portland | Age: 98 | Posts: 2,833 | Chips: 1,818
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Jamby - That looks secure to me.
The only suspect things I see are the IP addresses from netstat:
66.179.217.215 -- loads a page that says: "Server: Infda10" Coremetrics
66.226.18.171 -- This IP address can not be used for browsing
Neither of those IP addresses is the one you got from NT or P*, is it?
__________________
“One cannot step twice in the same river.” – Heraclitus
01-04-2007, 10:18 PM
ChipTalk.net Article Writer | Join Date: Oct 2005 | Location: Obamaland | Age: 1 | Posts: 12,583 | Chips: 1,186
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

P* didn't give me the offender's IP address, only the ID that had used it.
What do you make of it?

Quote:
Originally Posted by shadesofgrey
    Jamby - That looks secure to me.
    The only suspect things I see are the IP addresses from netstat:
    66.179.217.215 -- loads a page that says: "Server: Infda10" Coremetrics
    66.226.18.171 -- This IP address can not be used for browsing
    Neither of those IP addresses is the one you got from NT or P*, is it?
01-04-2007, 11:24 PM
Big Stack | Join Date: Sep 2005 | Location: in a world famous southern town Hanahan | Posts: 1,085 | Chips: 196
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Andi sorry to hear about this. Hopefully they can find the SOB, nail his butt and get your funds back.
__________________
CC>CC # R-7327 PM MacArthur 427
01-04-2007, 11:32 PM
World Series Champ | Join Date: Jul 2005 | Location: The People's Republic of California | Age: 94 | Posts: 3,192 | Chips: 3,424
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

To check your Firewall, log in with your user name and password to the IP address. (Typically 192.168.x.x) This is one of three firewalls in my network, so it should be similar looking to yours.
If the defaults are set for the password, change them. http://img293.imageshack.us/img293/3...ksysudpza2.jpg
Click on "Gaming / Applications" and you should have a few tabs under it:
Port Forwarding / Triggering / UPnP / DMZ / and QoS.
Generally speaking, unless you have a **VERY SPECIFIC** requirement, there should be **NO** ports open, forwarded, triggered, etc. within your firewall. There may be some information in there (such as ports listed, port numbers, etc.), however they will / should be disabled.
I have / use other servers / applications, etc. which require having particular ports open, or forwarded to other machines on my network, so your screen won't look exactly like mine, but the point being that they should be disabled.
Scroll through each of the sub tabs and verify that each is disabled.
One other thing to check is that your firewall / router is running the most current release from Linksys. Go to their website and check the current release, and under the "Status" tab you should have the info on which firmware version you are running. If you are running an older version, do the upgrade if / as needed.
Two other things worth a look in your FW would be your DHCP Clients Table. You should be able to identify each IP address or description of the machines which have an IP address issued to them.
The other thing to make sure of is that remote administration / upgrades / access / etc. is disabled.
Good luck- Hope this helps.
01-04-2007, 11:48 PM
LNPT Playa! | Join Date: Aug 2005 | Location: Ohio | Age: 27 | Posts: 2,470 | Chips: 554
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Man that sucks. I hope everything works out for you. I just changed my password just in case since you just transferred funds for those show em's. If they have your account history I'm sure they saw that transaction.
Side note: I had someone steal my debit card # before and my bank was very good about stopping the transactions and refunding the money that was taken once it was realized. GL.
01-05-2007, 12:05 AM
World Series Final Table | Join Date: Apr 2005 | Location: portland | Age: 98 | Posts: 2,833 | Chips: 1,818
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

Quote:
Originally Posted by jamby
    P* didn't give me the offender's IP address, only the ID that had used it.
    What do you make of it?

Well, if you don't work for Coremetrics or use that other website, I would block the IP addresses with your router. They look fishy to me. I mean, why would you be connected to them unless you're using them for some reason?
66.179.217.215 -- loads a page that says: "Server: Infda10" Coremetrics - that IP address is owned by Inflow Inc. http://www.availability.sungard.com/inflow/ - they were acquired by SunGard today ??!?
66.226.18.171 -- Alchemy Communications, Inc. - http://www.alchemy.net/ - looks like a data service center.
Weird. I have no clue why they would be connected to your PC.
I mean the other IP addresses listed on netstat were Google, CT, and ImageShack. So you are definitely connected to whatever those IP addresses are.
Try blocking them with your router, and see if a particular service breaks. If not, they may be the rat.
__________________
“One cannot step twice in the same river.” – Heraclitus
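As an added example (not from the thread or any of its posters), a small Python script that applies the netstat reasoning above mechanically: parse `netstat -an` output, skip listening sockets and your own LAN, and list every remote peer you cannot account for. The netstat lines and the allow-list networks are constructed for illustration; the two remote addresses are the ones discussed in the thread.

```python
import ipaddress
import re

# Constructed sample in the shape of Windows `netstat -an` output (thread IPs included).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.101:1156     66.102.7.99:80         ESTABLISHED
  TCP    192.168.1.101:1158     66.179.217.215:80      ESTABLISHED
  TCP    192.168.1.101:1160     66.226.18.171:443      ESTABLISHED
  TCP    192.168.1.101:1162     192.168.1.1:80         TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Assumed allow-list (hypothetical): networks the owner knowingly talks to.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in (
    "66.102.0.0/20",   # assumed range for the search-engine traffic seen
    "192.168.0.0/16",  # own LAN, including the Linksys router
)]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

def parse_netstat(text: str) -> list[tuple[str, str, str, str]]:
    """Return (proto, remote_ip, remote_port, state) for every socket row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # column header or blank line
        proto, _lip, _lport, rip, rport, state = m.groups()
        rows.append((proto, rip, rport, state or ""))
    return rows

def unexpected_peers(text: str) -> dict[str, list[str]]:
    """Map each remote IP outside the allow-list to its proto/port/state."""
    findings: dict[str, list[str]] = {}
    for proto, rip, rport, state in parse_netstat(text):
        try:
            addr = ipaddress.ip_address(rip)
        except ValueError:
            continue  # '*' placeholder on UDP rows: no peer
        if addr.is_unspecified or addr.is_loopback:
            continue  # listening sockets have no peer yet
        if any(addr in net for net in EXPECTED_NETS):
            continue
        findings.setdefault(rip, []).append(f"{proto}/{rport} {state}".strip())
    return findings

if __name__ == "__main__":
    for ip, conns in unexpected_peers(SAMPLE_NETSTAT).items():
        print(f"unexpected peer {ip}: {', '.join(conns)}")
```

Anything the script lists is a host to explain (look up who owns it, as the post does) or to block at the router and watch for breakage.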
01-05-2007, 12:52 AM
On the Bubble | Join Date: Dec 2006 | Location: Seattle, WA | Posts: 172 | Chips: 159
Re: My Neteller & PokerStars accounts compromised - already lost over $1100

I keep thinking through the vector of your credential compromise, and the simplest explanation would seem to be that someone got your P* credentials and worked backwards to your Neteller account.
I have to assume that the P* client encrypts all its internet traffic and the only way for someone to obtain your credentials is at one end or the other, your PC or the P* servers.
If the P* authentication systems were compromised, your account and $1000 would be small time compared to what someone could go after. So again, everything points to it being on your side of things.
Your computer and network appear to be secure, although there are a lot of ways these scumbag bot nets can hide themselves on a Windows box. Is it possible that you logged on to P* from some other computer or on some other network? Are there other computers on your network that may be compromised?