way of checking if hacked?
Showing post 0-24 of 26
MMeira  7/17/2003 13:17:17
how can i check if my pc is hacked?
it's coz i have 70mb uploaded yesterday on my DU meter stats
and i didn't upload anything.
and its been like that the whole month :(
thx in advance

btw, every time i start windows i have "raidenftpd.exe" on
windows task manager..what is this?

MMeira


blck  7/17/2003 13:22:09
get some surveillance progs that check for anomalies in your system.
Like filemon from sysinternals.com and Taskinfo2003 from iarsn.com
with these you could easily see if there are malicious progs that u dont recognize running on your system. Get adaware and spybot to clean up registry from trojans and the such for sure too. btw raidenftpd.exe seems to be some kind of russian ftp prog. search and delete it out of the sky if u dont use it.


MMeira  7/17/2003 13:25:17
hmmm
i have adaware and deleted all the worms and trojans i had
gonna get me the other proggies
thx a lot blck

MMeira


johnkeny  7/17/2003 14:22:35
Keep in mind that if you download a lot, some packages bounce back and that's counted as upload. Let's say you download 700 MB, then your upload could be a few MB.

Do you have some peer to peer programs like kazaa, etc,... Those could also explain the upload.

John <-))


MMeira  7/17/2003 14:26:33
nope Johnny
i don't download that much coz i have d/l and u/l limits
that's why i'm concerned...i have 2 gb u/l limit :(
and i'm at 900 mb yet, i don't know how this happens

MMeira


kewl_kidd  7/17/2003 14:35:00
Raidenftpd is an ftpserver, used by them 1337 h4X0rs ;)
If you didn't install it, I think you've been hacked.

It's a good ftp server that lets you administrate the server from within the ftp protocol by sending SITE commands to the server. It also has lots of plugins for autochecking sfv files & stuff.

//kewl_kidd


scoopie  7/17/2003 14:43:10
have u installed an ftp-server on your own???
Cos raidenftpd is an ftp-server.
If u have not done this by yourself, someone else did it by a kind of horse...
This means he is capable of accessing your data and sharing stuff like movies using your account. I suggest - if u haven't installed that proggy by yourself - to delete it directly.
Maybe try firstly to look in a kind of a logbook of that server (made some search of it on your PC with "Search") - look for smth like "log" and take a look at which ports have been used. U can also use netstat in a DOS window to look for opened ports...
Also run a firewall and look out for those certain ports you've found @ the logbook... Be sure to close them all...

Remark: there are lots of proggies using different ports (for example Messenger). Don't be afraid of these, but try to find out which ports are used for which programs (the use of a firewall is very useful for this goal...)

Hope this will help,

Scoopie


Vince  7/17/2003 14:50:08
open a dos box and type "cmd", after that type "netstat -a"

Then you can see what connections are going on :-)

Easy does it. Little trick :-)


MMeira  7/17/2003 15:34:21
nope, i didn't install such program
didn't know it even existed....
i checked with netstat
what should i do now?
i can send u some screenshot if u'd like...

btw, in search for "raidenftpd" it only finds raidenftpd.pid

MMeira


watchout  7/17/2003 15:39:53
search for raidenftp and delete all .exe's u find.. U've probably been hacked indeed.. Some guys were able to hack ur pc.. install an FTP server on ur machine.. and are now downloading like maniacs from ur pc.. They are also able to delete all stuff on there so get rid of it asap..

PS. They probably renamed the servername of the .exe so u won't find it easily.. the .pif file is probably the config file.. Telling the user accounts and on what port it's running.. What about making a screenshot of the results of netstat -a

We can look at which port it is running etc..

Better install a firewall like Zone Alarm or similar which asks whether u want a program to access the internet.. Be sure to block the program.. Then at least u're safe for now..


MMeira  7/17/2003 15:42:08
i have zone alarm pro!
dang! how could this happen?!
the problem is when i search for raidenftpd it only find:
"raidenftpd.pid", nothing else
i can send screenshots per e-mail if u'd like

MMeira


watchout  7/17/2003 15:44:02
send them to the e-mail address which can be found in my profile :)

I'll have a look


watchout  7/17/2003 15:46:36
oh.. and kill raidenftpd.exe in the taskmanager..

That way u will see it won't upload anymore.. (u'll see the uploading stops in DUmeter)


Candyman  7/17/2003 16:22:27
I have said this before ...zone alarm is very good ... but if u have the netbios port open.. there is a way to trick ZA..
anyway

go to start --->run--->type regedit
hit F3 and make a search for raiden there.. delete all you can find

p.s. If u don't have port 138,139 open then do this...clean all permissions in ZA and let the program ask you every time a program is supposed to connect to the internet..maybe you had that on auto !


watchout  7/17/2003 17:15:57
I am sure u're hacked since I just received the screenshots... The FTP is hidden in the cursor directory of windows..

The problem with Raiden is that it can run as a service >>> bypassing the firewall maybe?


djkoolaide  7/17/2003 17:18:30
one time hackers were using my pc to do a ping -f (or ping of death) and my upspeed is only 16k but my DUMeter said i was upping at 70k lol


blck  7/17/2003 18:03:32
if u use Taskinfo2003, u will see the path to the exe file, and delete it from there

btw np
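
The two checks suggested in the posts above (netstat for open ports, a process viewer for the path to the exe) combined into one script, as an added example that is not part of the original thread. It goes a little beyond `netstat -a` by assuming `netstat -ano` output (numeric addresses plus owning PID); the sample output, the PID-to-path map, the `raidenftpd.exe` path and the expected-directory list are all constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1732
  TCP    192.168.0.10:21        203.0.113.7:4821       ESTABLISHED     1732
  UDP    0.0.0.0:1026           *:*                                    1120
"""

# Constructed PID -> executable path map, as a process viewer that shows
# image paths would report it. The Cursors path is an assumed location.
PROCESS_PATHS = {
    4: "System",
    884: r"C:\WINDOWS\system32\svchost.exe",
    1120: r"C:\WINDOWS\system32\svchost.exe",
    1732: r"C:\WINDOWS\Cursors\raidenftpd.exe",
}

# Assumption: directories where a listening program is expected to live.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listeners(netstat_text):
    """Yield (port, pid) for every TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(2)), int(m.group(3))

def suspicious_listeners(netstat_text, paths, expected=EXPECTED_DIRS):
    """Return listeners whose executable is unknown or outside expected dirs."""
    findings = []
    for port, pid in listeners(netstat_text):
        path = paths.get(pid)
        if path == "System":  # kernel pseudo-process, no file on disk
            continue
        folder = ntpath.dirname(path).lower() if path else ""
        ok = any(folder == d or folder.startswith(d + "\\") for d in expected)
        if not ok:
            findings.append((port, pid, path or "<unknown>"))
    return findings

if __name__ == "__main__":
    for port, pid, path in suspicious_listeners(NETSTAT_SAMPLE, PROCESS_PATHS):
        print(f"port {port} pid {pid} -> {path}")
```
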


MMeira  7/17/2003 18:11:40
found the f*ck!!!
it was a hidden folder
lots of sh*t about raidenftp in my windows/cursor directory!
gonna delete that crap, but first gonna check if i check his ip
anybody interested in giving him a lesson?
i would be grateful

thx for all the help

MMeira


MMeira  7/17/2003 18:13:43
its somethin about

"--- X's PIMP SeRVER ---.user.2003071610"...

MMeira


djkoolaide  7/17/2003 19:04:27
giving him a lesson? hmm dunno how to h4x0r.. lol


3k  7/17/2003 20:05:28
don't retaliate, it doesn't help anything.. it's better to report it to his ISP :)

but remember, people on this board are making dumps too, so in theory it could be someone from DS ;)  (but it's probably not)


Vince  7/17/2003 20:08:09
Dude.. use the f00king "netstat -a"


MMeira  7/17/2003 20:10:15
Dude...i already uninstalled raidenftp!!!  lol
the problem is...the folder is now empty
but i can't delete it anyhow
coz it says that some stupid file (which i can't find inside the folder)
is still being used by a process.
but which process? have no clue

MMeira


MMeira  7/17/2003 20:49:42
i think the problem is solved now
thx to all of you  :)

MMeira


Candyman  7/17/2003 21:07:55
Hidden IP 2003071610
converted to real IP 119.100.114.122

SmartWhois Performed

96.0.0.0 - 126.255.255.255
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA, 90292-6695
US


But like 3k said.. either report him or leave it..
anyway the chance is that he will try to do it again.. if he did it easily the first time..

get Netstat Live from AnalogX
great tool and will let you know whats going on and when

http://www.analogx.com/contents/download/network/nsl.htm


©2000-2008 Divxstation