maverick
Well-Known Member
I have an old pc on my network that i use as a server and i found this window open.
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: Do you bet on sports?
Have i been hacked?
- Thread starter maverick
- Start date
Peppercorns
Senior Member
I myself wouldn't really know, but I tell you something, if I found my pc with that Window open, I would be scared s**tless 
Freshy-ZN
Executive Member
doesnt look too good but not sure what it is. Hope it isnt something nasty!
Telkomisaloser
Ninja
Depends what first.bat is
Telkomisaloser
Ninja
OK nope you haven't been hacked since http://fantasmanero.altervista.org/first.bat has a LOT of echo commands
Telkomisaloser
Ninja
p.s. you would be foolish to run all that code
noswal
Executive Member
Perhaps your firewall rules needs checking that allowed that to be downloaded in the first place.
Ok - Myself I would be worried. Worried for 2 reasons:
1) Either someone had access to your PC and ran this script manually
2) You have a trojan that allows people remote access to your system.
I had a look at the bat file and it infact has the potential to do some nast stuff:
Some basic bat stuff
create a file called _sys.ini with some FTP commands (Some crap). This wills the system to download a file called wget.exe,.
More crap
Run the FTP command file created above and download wget.exe
Run WGET.exe and download syspatch.zip and pkunzip.exe.
More Crap
Move the files to the help folder
Yes, more crap
Make a dirrectory, backup your help files and extract the newly downloaded files
CRAP!
Not sure about this one, it looks like it requires user interaction.
Run something from the newly extracted files.
Delete all traces
Start a service??
Here is what the programs default config file looks like
Please, run a virus scan ASAP - there are many free ones available on the web!
1) Either someone had access to your PC and ran this script manually
2) You have a trojan that allows people remote access to your system.
I had a look at the bat file and it infact has the potential to do some nast stuff:
Some basic bat stuff
create a file called _sys.ini with some FTP commands (Some crap). This wills the system to download a file called wget.exe,.
More crap
Run the FTP command file created above and download wget.exe
Run WGET.exe and download syspatch.zip and pkunzip.exe.
More Crap
Move the files to the help folder
Yes, more crap
Make a dirrectory, backup your help files and extract the newly downloaded files
CRAP!
Not sure about this one, it looks like it requires user interaction.
Run something from the newly extracted files.
Delete all traces
Start a service??
Here is what the programs default config file looks like
Please, run a virus scan ASAP - there are many free ones available on the web!
I dont think its creating an FTP server - I think its creating an IRC server???? None of the files are registering as viruses on my PC here at work.
Telkomisaloser
Ninja
maybe a IRC system where you can download and upload files
Thats what I am thinking.
Telkomisaloser
Ninja
and I wouldn't be surprised if the person can modify and delete files as s/he wishes
I took the file to a secure DMZ here at the bank and ran it - the program is:
http://friends.polibuda.info/~grusin/ - The Psotnic Project.
Psotnic is an ircnet bot written in C++. The main goal of "The psotnic project" was to create fast, stable and easy to use bot.
http://friends.polibuda.info/~grusin/ - The Psotnic Project.
Psotnic is an ircnet bot written in C++. The main goal of "The psotnic project" was to create fast, stable and easy to use bot.
noswal
Executive Member
Would that be a spambot?
well, there you have it..
old pc
server
my guess is a CSS vulnerability in IIS (specifically, the UNICODE issues from a few years ago). your web server was hacked.
something like http://yoursite/scripts/../../winnt/system32/cmd.exe/c+dir+c:\200
should give you a directory listing.
if it does, then you found the vulnerability...and to be fair..it is very very old (circa 2002/2003...)but it is the only one I know where you can directly open cmd.exe and force it to do stuff.
go get that machine patched. via windowsupdate
p.s. url above mangled slightly so it doesnt work properly....dont wanna give people any ideas.
Telkomisaloser
Ninja
PHP:
echo [?] I'll open notepad for you to edit config...Press an key!
pause
notepad C:\WINDOWS\Help\CatRoot\conf.txtI don't know WHY he put that code in....
Brandon
Well-Known Member
I agree with ZA_medic, run a virus scan. The "syspatch.zip" downloaded by the script contains THIS.
If nobody has accessed that machine physically, it's been remotely compromised (win2k, some critical patches/updates from m$ were not installed)
If that pc is on a network i'd take a close look at those machines too.
PS. Maybe you should consider turning an old box into a firewall like IPcop??
If nobody has accessed that machine physically, it's been remotely compromised (win2k, some critical patches/updates from m$ were not installed)
If that pc is on a network i'd take a close look at those machines too.
PS. Maybe you should consider turning an old box into a firewall like IPcop??