[Nihility]

I've recently suspected that a roommate of mine has been spying on my activity / or on my computer.
I recently bought a VPN to encrypt the data being sent, and checked out Wireshark to make sure it was indeed encrypted.
Everything seems great with that, and then I saw this:

Link to Capture SS: http://i46.tinypic.com/1yon6u.jpg

His network IP is 192.168.0.71, mine is 192.168.1.80
I've been trying to do all of the research that I can, but I'm not 100% clear what he's actually trying to accomplish with this.
I've seen it a few times in the past hour.

What is the path \IPC$, and srvsvc?
What is the SMBServer he's accessing?
What are these netbios-ssn packets?

I also see 192.168.1.80 to 224.0.0.22 "membership report / Join Group 239.255.255.250" on occasion. Not sure if that is normal.

I just want help identifying what this group of packets is trying to accomplish.
Also, what else I can do to completely block any unwanted connection attemps from inside my network, ontop of my VPN.

Thank you.

[aks56h]

he is trying to hack into your computer! Trying installing zone alarm firewall

[lunarlander]

What version of Windows are you using? If you're on Vista or Windows 7, go to Network > Properties and set your Network to Public instead of Home or Work.

To get rid of IPC$, go to Services.msc and disable the Server service.

The SMB server is your File and Printer Sharing. Go to Network and Sharing Center > Local Area Connection > Properties and uncheck File and Printer Sharing For MS Networks.

All of the above assumes that you are not sharing any folders or printers for other to use. If you are sharing a printer, consider buying a wireless laser printer, mine only cost $75.

[Nihility]

I'm currently using XP.
Since posting I got Zone Alarm firewall, and those packets have been denied completely.
I'm seeing different packets from his IP to mine now, relating to __MSBROWSE__.
I'm also getting a "multiple names on the network" error, even after changing my computer's name and restarting.

I read that there is a vulnerability with WINS and multiple names allowing for remote access.
I have no idea if he is connecting or not, and I'm unsure what to do about this.

I've taken the steps suggested so far, thank you both.

[lunarlander]

Quote:

I read that there is a vulnerability with WINS and multiple names allowing for remote access.

Can you provide a link to that article ? Lets see if it affects you or not.

[Nihility]

I re-read and I dont think it affects XP. Either way I've uninstalled the netbios and blocked all related ports with outpost. I think I'm fine for now.

[lunarlander]

Glad you solved the problem. If you need more XP security guidelines, have a look through my blog project on securing XP at the link below.