Uber's Computer Fu: Not So Good. (was: NTLM Authentication)

1
K. Long story short: A local business competitor might have used NTLM Authentication to access my station and duplicate its contents, and then erase the drive's docs, xls files, mp3s - the whole works. I guess I'm assuming that this happened. I haven't found any other access point in the proggy logs or the system logs. I have a single access to the computer using NTLM from location 127.0.0.1. I'm assuming that because the computer believes it is communicating with IE the IP addy left is my home addy. No other remote uses were logged. My security log is empty. All restore points were removed.

Q: Can NTLM Authentication be used in this manner - as a hack around password protected, firewalled networks? It's a stupid question I'm sure.

Q: Can I get traffic information from specific ports?

Q: More broad a question - can I get traffic info from my ISP?

:) Thanks for any help you can give.
Last edited by ubercat_Archive on Fri Jan 18, 2008 11:00 am, edited 2 times in total.


4
I'll offer a bit of info on this:

1: NTLM is an authentication method typically used by Windows, and is not a way around authenticating. If you have a firewall (physical) such as a "wireless router" you would actually have to have PAT/NAT set up to allow people to connect directly to your machine. You would have to specifically set this up and would have to have a public IP assigned to your machine. Do you have a username and password on your computer?

2. You can see live connection information for your XP machine by going to the command prompt and typing "netstat -a"

3. Your ISP will almost certainly not provide you with any traffic info for your connection (they probably aren't doing anything more than setting bandwidth caps and using packet shapers....)

So a few questions for you:
1. How do you connect to the internet (dial up, dsl, cable etc...)
2. Do you have a modem device for your connection
3. Do you have a wireless access point or router (or maybe both) on your home network?

The information you provided is a little less than what would be needed to tell you much more. If you want to save off your event logs (system, application, security) and ship 'em over I'll have a look at them, but no telling if any info would be in there that would be useful.

It's a general rule that the moment you plug a machine into the internet it should be protected; for XP that includes using a software firewall (builtin or 3rd party), running all of the security updates and turning off remote services you don't need. I work in IT, specifically in Security and Messaging; part of my job is hacking people's networks to see if I can break in. The steps mentioned above (although used on a much larger scale on corporate networks) are what is recommended for ALL machines being connected to the internet.

On a very general note, it would take a long time to grab all the stuff from your hard drive over a typical internet connection; if you have cable you might be able to upload at 756Kbps (that's bits not bytes), at best. So just getting a megabyte (8000 kbits) of data over would take some time. It's very unlikely someone actually was able to pull the contents of your hard drive over unless you were away from your machine for a long time....

If you want to email me to discuss further feel free (kevinmpeters (at) gmail (dot) com.....


6
Every time I tried to get on here yesterday I got the fucking "Could not connect to the database" error. Bah.

The whole reason that I asked about your firewall situation is because (if you had one) it really would be key here. Your local system log files aren't going to be a whole lot of help...and your ISP isn't going to give you jack shit. But, since it doesn't sound like you have anything set up (other than what is probably built into your modem) it's going to make it much more difficult to figure out if what you think happened actually did happen.

Does the version of NAV you have include a "personal firewall" feature? If so, have you checked those logs?

And yeah...that kevin guy already said what needed to be said about NTLM. It's an auth protocol...not a tool to "bypass" firewalls or anything like that.

You would definitely have to give up some more info if you wanted any real help here, but with what you've said so far, I highly doubt someone hacked in from outside, copied and/or deleted all your files, etc. etc. I'd say it was someone that was physically there in front of the system. Any recently fired employees hanging around or anything? Haha!
Oh, and fuck Mars Volta.


7
First I wanna say that I would never leave my personal stations in this level of neglect. The computer I'm talking about came as part of a business I and my gf purchased a few months ago. I've been a little swamped and never got around to protecting this computer.

Second, this is a busy salon, and if you know cosmetologists you'll know how they've been using the computer...

[aside: I was reading about a hack that used the NT Lan Manager to get past firewalls, etc. which is why I asked about NTLM Auth. Oh, and I'm not a programmer, thus the stupid question. :) ]

karmarec wrote:2. You can see live connection information for your XP machine by going to the command prompt and typing "netstat -a"


Nice. Thanks. I like to know stuff like this. :)

karmarec wrote:3. Your ISP will almost certainly not provide you with any traffic info for your connection (they probably aren't doing anything more than setting bandwidth caps and using packet shapers....)


This boggles my mind. I know the storage would be insanely costly, but how exactly does the government catch good hackers? I assume they don't. With notebooks being essentially disposable...

karmarec wrote:So a few questions for you:
1. How do you connect to the internet (dial up, dsl, cable etc...)
2. Do you have a modem device for your connection
3. Do you have a wireless access point or router (or maybe both) on your home network?


1. The computer in question is using dsl on a dedicated line. Don't look at me that way. :) Lol. I didn't set it up.

2. Dsl modem with the wireless deactivated.

karmarec wrote:The information you provided is a little less than what would be needed to tell you much more. If you want to save off your event logs (system, application, security) and ship em over I'll have a look at them, but no telling if any info would be in there that would be useful.


That would be great. I have sys and app logs, and an empty security log. I'll email you soon. Very generous of you to offer. :)

karmarec wrote:On a very general note, it would take a long time to grab all the stuff from your hard drive over a typical internet connection; if you have cable you might be able to upload at 756Kbps (that's bits not bytes), at best. So just getting a megabyte (8000 kbits) of data over would take some time. It's very unlikely someone actually was able to pull the contents of your hard drive over unless you were away from your machine for a long time....


Very good to know. I immediately was reminded of how long it takes for uploads on my wireless, so this makes perfect sense to me. The computer was on all the time, for a scheduling proggy that the girls use...

busbus wrote:NT Lan Manager? 1998 called and they want their OS back. I kid.


How's Madison this time of year? I understand it's a little brisk. :P :)

ChristopherM wrote:The whole reason that I asked about your firewall situation is because (if you had one) it really would be key here. Your local system log files aren't going to be a whole lot of help...and your ISP isn't going to give you jack shit. But, since it doesn't sound like you have anything set up (other than what is probably built into your modem) it's going to make it much more difficult to figure out if what you think happened actually did happen.


Yeah. You guys are painting a picture. I'm starting to think that under the circumstances someone actually came into the business and took the files that they wanted and deleted everything else. I was thinking about how I would delete a bunch of files, and I came up with a search for a string of file suffixes something like, '*.mp3,*.doc,*.xls,*.html...' selecting and deleting all found. I haven't tested it because I'm not entirely stupid. :) Lol. Just kinda stupid. It could be done inside 10 minutes right?

ChristopherM wrote:Does the version of NAV you have include a "personal firewall" feature? If so, have you checked those logs?


Nope. No firewall logs.

Today I'm installing Norton Internet Security, a key-logger, all proggy updates, all Windows updates, etc. Gunna add 512 RAM, Vista, and a wireless router. Gunna change the carrier too. Passwords, etc.

ChristopherM wrote:You would definitely have to give up some more info if you wanted any real help here, but with what you've said so far, I highly doubt someone hacked in from outside, copied and/or deleted all your files, etc. etc. I'd say it was someone that was physically there in front of the system. Any recently fired employees hanging around or anything? Haha!


Like I said, we just bought this salon, and we got it at a very good price. The previous owner is apparently experiencing seller's remorse. Also, she's not a very nice person.

Thanks guys! I'm starting to get a better picture here.


8
Is the computer connected directly to the DSL modem, and logging into PPPoE, or is the DSL modem also acting as a router and logging into PPPoE for you?

The reason I ask, is that if your computer just connects to the internet itself it will have a public IP address, and will get hammered by bad stuff all day long. Open up a command prompt and enter "IPCONFIG" and hit enter. If the address is 192.168.x.x or 10.x.x.x or 172.16.x.x, you're behind a router. Anything else and you need to get a router. You can get a nice Linksys for about $60.

Also, if you're putting Vista and all that on there this probably is already being done, but I'd be sure to format the hard drive and install the OS fresh. For the love of Pete don't upgrade the OS, because that is a horrible experience. Also, who knows what kind of backdoor trojans and spyware and whatever else is on there--just from the employees surfing the web. Format it and start fresh.
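The two checks recommended in this thread ("netstat -a" in post 4 and "IPCONFIG" in post 8) can be combined into one offline triage script. The block below is an added example, not code from the thread or from any of the posters: it parses saved ipconfig and netstat -an text, decides whether the box holds only RFC 1918 addresses (and so sits behind a NAT router), and lists which listening services would be reachable from the internet if it does not. The sample output is constructed in the XP-era format, not captured from anyone's machine; the WATCH_PORTS table is my own choice of what to look at first (SMB on 445 and NetBIOS session on 139 are the transports that NTLM network logons normally arrive over), and 203.0.113.0/24 is a documentation range used as a stand-in for a real public address. Note that the 172.16.0.0/12 private block covers 172.16.x.x through 172.31.x.x.

```python
"""Is this box on the internet directly, and what is it listening on?

Added example, not code from the thread. Parses saved `ipconfig` and
`netstat -an` output offline; all sample text below is constructed.
"""
import ipaddress
import re

# RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.x.x .. 172.31.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Listeners to check first on a bare Windows box (my choice, not from the thread).
WATCH_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB", 3389: "Remote Desktop"}

# --- constructed sample output, XP-era layout ---
IPCONFIG_NAT = """Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""
NETSTAT_NAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""
# Same machine plugged straight into the DSL modem with a public address
# (203.0.113.0/24 is a documentation range standing in for a real one).
IPCONFIG_PUBLIC = IPCONFIG_NAT.replace("192.168.1.5", "203.0.113.20").replace("192.168.1.1", "203.0.113.1")
NETSTAT_PUBLIC = NETSTAT_NAT.replace("192.168.1.5", "203.0.113.20")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_ipconfig(text):
    """IPv4 addresses from XP-style 'IP Address. . . : x.x.x.x' lines."""
    return re.findall(r"IP Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", text)


def parse_netstat(text):
    """Rows of `netstat -an`; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, port = parts[1].rsplit(":", 1)
        rows.append({"proto": parts[0], "host": host, "port": int(port),
                     "foreign": parts[2], "state": parts[3] if len(parts) > 3 else ""})
    return rows


def assess(ipconfig_text, netstat_text):
    addrs = parse_ipconfig(ipconfig_text)
    public = [a for a in addrs if not is_rfc1918(a)]
    result = {"addresses": addrs, "behind_nat": bool(addrs) and not public,
              "exposed": [], "established": []}
    for row in parse_netstat(netstat_text):
        listening = row["proto"] == "UDP" or row["state"] == "LISTENING"
        # Bound to 0.0.0.0 or to the public address: reachable from the internet
        # when the box holds a public IP. Behind NAT it is not, unless the router
        # forwards the port (the PAT/NAT setup post 4 mentions).
        reachable = row["host"] == "0.0.0.0" or row["host"] in public
        if listening and reachable and not result["behind_nat"] and row["port"] in WATCH_PORTS:
            result["exposed"].append((row["proto"], row["port"], WATCH_PORTS[row["port"]]))
        if row["state"] == "ESTABLISHED":
            result["established"].append(row["foreign"])
    return result


if __name__ == "__main__":
    for label, ipc, ns in (("behind router", IPCONFIG_NAT, NETSTAT_NAT),
                           ("direct on modem", IPCONFIG_PUBLIC, NETSTAT_PUBLIC)):
        r = assess(ipc, ns)
        print(label, "| addresses:", r["addresses"], "| behind NAT:", r["behind_nat"])
        for proto, port, svc in r["exposed"]:
            print("   reachable from the internet:", proto, port, svc)
        print("   established to:", r["established"])
```

On the actual machine, save the two outputs with "ipconfig > ipc.txt" and "netstat -an > ns.txt" and pass the file contents to assess(). The "established" list is the live-connection information post 4 refers to; a listener bound only to 127.0.0.1 is never counted as exposed, since nothing off the box can reach the loopback address.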


9
Ok, so I didn't say this (cause I work for a M$ partner), but whatever you do DO NOT PUT VISTA ON YOUR MACHINE. This is less of an issue if it is a desktop; mobile machines+vista=BAD. It's not really Vista's fault; if you put it and only it on a machine with a nice video card, fast hard drive and plenty of RAM, it's good. The moment you start adding 3rd party anything, be it power management drivers or applications, shit goes downhill quickly.
Last, there is a program called PC File Recovery; it allows you to recover deleted files sometimes.... this is iffy. But when files are deleted the references to them are just removed from the FAT table; the data isn't actually gone until the 0's and 1's are overwritten by other 0's and 1's.

Hope it helps. If you send logs, make sure to send me a date/time of when you think stuff happened so I don't have to read as much :-)
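The last post's point about deleted files on FAT (the directory reference goes, the data stays until something overwrites it, so recovery "is iffy") can be shown concretely. The block below is an added example, not code from the thread and not how PC File Recovery or any other product is implemented: a toy in-memory FAT-style volume that uses the real 32-byte directory entry layout and the real 0xE5 "deleted" tag, with an assumed cluster size of 512 bytes and FAT12-style chain values. Deleting a file tags its directory entry and frees its cluster chain; the undelete routine can only assume the clusters were contiguous, which is exactly why it works until new data lands on top of the old clusters.

```python
"""Why a 'deleted' FAT file can often be recovered, and why it is iffy.

Added example, not code from the thread. Toy in-memory FAT-style volume:
512-byte clusters (assumed), FAT12-style chain values, real 32-byte
directory entries. Delete = tag entry with 0xE5 and free the chain; the
data clusters are untouched until reused.
"""
import struct

CLUSTER = 512                # bytes per cluster (toy size)
FREE, EOC = 0x000, 0xFFF     # FAT12 values: free cluster / end of chain
ENTRY = "<8s3sB14sHI"        # name, ext, attributes, timestamps etc., first cluster (low), size


class ToyFat:
    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters          # one chain link per cluster
        self.fat[0] = self.fat[1] = EOC       # clusters 0 and 1 are reserved on real FAT
        self.data = bytearray(CLUSTER * clusters)
        self.dir = []                         # raw 32-byte directory entries

    def _alloc(self, n):
        free = [c for c, link in enumerate(self.fat) if link == FREE][:n]
        if len(free) < n:
            raise OSError("volume full")
        return free

    def create(self, name, ext, payload):
        chain = self._alloc(max(1, -(-len(payload) // CLUSTER)))   # ceil(len / CLUSTER)
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = \
                payload[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        self.dir.append(struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                                    0x20, bytes(14), chain[0], len(payload)))

    def delete(self, name, ext):
        for i, e in enumerate(self.dir):
            if e[0] == 0xE5:
                continue
            nm, ex, _, _, first, _ = struct.unpack(ENTRY, e)
            if (nm.decode().strip(), ex.decode().strip()) != (name, ext):
                continue
            c = first
            while c != EOC:                   # release the chain: this is the part that is lost
                nxt = self.fat[c]
                self.fat[c] = FREE
                c = nxt
            self.dir[i] = b"\xe5" + e[1:]     # entry is tagged, not wiped: size and first cluster survive
            return
        raise FileNotFoundError(f"{name}.{ext}")

    def deleted_entries(self):
        """Decode tagged entries; the first name byte is gone, shown as '?'."""
        found = []
        for e in self.dir:
            if e[0] != 0xE5:
                continue
            nm, ex, _, _, first, size = struct.unpack(ENTRY, e)
            found.append(("?" + nm[1:].decode().strip(), ex.decode().strip(), first, size))
        return found

    def undelete(self, first, size):
        """Best effort: the chain is gone, so assume the clusters were contiguous."""
        return bytes(self.data[first * CLUSTER:first * CLUSTER + size])


def demo():
    vol = ToyFat()
    secret = b"client list: Alice, Bob, Carol\n" * 40   # 1240 bytes -> 3 clusters (constructed)
    vol.create("CLIENTS", "XLS", secret)
    vol.delete("CLIENTS", "XLS")
    (_, _, first, size), = vol.deleted_entries()
    intact = vol.undelete(first, size)         # nothing has reused the clusters yet
    vol.create("NEW", "TXT", b"X" * 600)       # new file grabs the freed clusters first
    damaged = vol.undelete(first, size)        # head of the old file is now X's
    return intact == secret, damaged == secret, damaged[:4]


if __name__ == "__main__":
    print(demo())   # (True, False, b'XXXX')
```

The demo is the whole argument in miniature: immediately after the delete, the file comes back byte-for-byte; after one more file is written, the recovered copy starts with the new file's contents. This is why the usual advice is to stop writing to the disk (ideally image it first) before attempting any recovery, and why installing a new OS on the same drive, as discussed above, ends any chance of getting the old files back.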
