Security Incidents mailing list archives
Re: W2K Compromise - PipeCmdSrv
From: H C <keydet89 () yahoo com>
Date: Mon, 21 Oct 2002 05:19:30 -0700 (PDT)
Two quick questions:

1. What does this have to do w/ PipeCmdSrv?

2. If at one point you say, "Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program" (what's a "bootlegged" program, BTW??), then why do you follow it by saying, "just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine"? Which is it?

--- sfuston () blomand net wrote:
In-Reply-To: <20021004233810.16182.qmail () mail securityfocus com>

OK, well I don't usually do this, post any info I've collected, but I am trying to find information back as well. I too had an experience with the PipeCmdSvr, and I'm still not sure exactly how it came on my machine. I am running Win2k Pro.

I downloaded this program called MyIE, an overlay for the IE web browser. During some of my searches I kept getting Chinese web sites in my tabs. I was just playing around with some of the settings and when I clicked on the Resource button a prompt came up that said "some sites may not work well without the chinese language pack installed. Do you want to install the chinese language pack?" Well, I did. I know, I know, are you crazy man? lol

At any rate, it proceeded to install something. Then I got a message from Win2k saying that some files would be overwritten, did I want to continue. Well, obviously I responded no, but it would not let me click no; the only way to gain access again to my desktop was to click yes, which I did. When my machine rebooted, it was much, much slower than it had been. Subsequent reboots had this little mIRC window coming up on reboot, and while I had used mIRC in the past, I had not reloaded it since I had done a new install of Win2k.

That's what got me interested, so I looked in Task Manager to see what was running, and that's when I ran across the Explored.exe program running. Now I am no programmer or a Windows guru, but in 8 years of using Windows software I'm no novice either. That threw up a flag, so I investigated further. In doing a search for Explored.exe online I came up with the http://golcor.tripod.com/gtbot.htm site, and I was able to determine what I had, a trojan no less. Now I wanted to know how and where I got it. Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program?

Well, to make this long story short, I looked for other MyIE download sites and found one that I deemed to be safe and installed it. I can't get this one to ask me for the Chinese language pack download, so I can only assume that I had gotten a hacked program to start with. Also, the MyIE executable in the bogus file was 750k and in the last one I installed it was only 450k. I am assuming that's how I got it. I did have a mirror that I made a week ago, so just to be safe I put that back on after renaming all the infected files and moving them into a folder on another drive.

I still wanted to investigate further, so I started looking inside some of the mIRC files that go along with this trojan. From some of the information gathered I found a "report to" location: DALnet, channel #Iamowned. I went there and there were about 12 nicks in the room with the Owned(#####) nicks; I'm guessing bots.

When I reinstalled my mirror, I put Zone Alarm back on as I have a static IP and was a tad worried that someone had my IP number. Over the next couple of hours I got repeated hits (more than 30) from a site, 66.28.140.212, each time at different ports including telnet. In looking this up I found that this IP was registered to Cogent Communications. Not sure how I'm going to proceed from here. This is the first time I've been hacked in 9 years online.

I'm sure this trojan can be enabled in other ways, but just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine. Unless I have some big problems with it, I am going to continue to use this program as it has an almost identical user interface to Opera but uses the IE web browser shell. I did save all the files that were part of the trojan program after renaming the extensions, and if anyone would like to have one or all of them I would be happy to send them on.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
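The quoted post boils down to three manual triage steps: spotting a running process whose name imitates a system binary (Explored.exe next to explorer.exe), reading the bot's mIRC scripts to find where it reports to, and counting the firewall hits coming from one source address. The Python below is an added example, not code from this list thread or from any tool named in it; it performs those three steps over constructed input. The allow list of system binaries, the mIRC script fragment (the irc.dal.net host, the #Iamowned channel and the Owned nick pattern are placed there to mirror the post), and the firewall log line format are all assumptions; in particular the log format is not Zone Alarm's real format.

```python
"""Triage helpers for an IRC-bot infection of the kind described in the post.
Added example: the process list, mIRC script fragment and firewall log lines
are constructed, and the system-binary allow list is an assumption."""

import re
from collections import Counter, defaultdict

# Windows system binaries that bots commonly imitate by name (assumed list;
# extend it for your own builds).
LEGIT_SYSTEM_BINARIES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "rundll32.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap enough for short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(process_names, max_distance=1):
    """Return {suspicious_name: imitated_binary} for process names that are
    within max_distance edits of a legitimate system binary without being it.
    'Explored.exe' is one edit from 'explorer.exe' and is flagged; an exact
    'explorer.exe' is not. Transpositions count as two edits here."""
    hits = {}
    for name in process_names:
        lower = name.lower()
        if lower in LEGIT_SYSTEM_BINARIES:
            continue
        for legit in LEGIT_SYSTEM_BINARIES:
            if edit_distance(lower, legit) <= max_distance:
                hits[name] = legit
                break
    return hits


# Constructed fragment in the style of a bot's mIRC script (not the files from
# the post); real scripts vary, so the two regexes below are heuristics.
SAMPLE_MIRC_SCRIPT = """
on *:START: {
  server irc.dal.net 6667
}
on *:CONNECT: {
  nick Owned $+ $rand(10000,99999)
  join #Iamowned
}
"""

IRC_SERVER_RE = re.compile(r"^\s*server\s+(\S+)(?:\s+(\d+))?", re.M)
IRC_CHANNEL_RE = re.compile(r"^\s*join\s+(#\S+)", re.M)


def extract_irc_rendezvous(script_text):
    """Pull server:port pairs and channel names out of an mIRC script, so the
    bot's reporting point is known before the box is cleaned."""
    servers = [f"{h}:{p or '6667'}" for h, p in IRC_SERVER_RE.findall(script_text)]
    channels = IRC_CHANNEL_RE.findall(script_text)
    return {"servers": servers, "channels": channels}


# Constructed personal-firewall log lines (the format is an assumption, not
# Zone Alarm's): timestamp, action, source ip:port, destination port, protocol.
SAMPLE_FW_LOG = """\
2002-10-20 21:03:11 blocked 66.28.140.212:3421 -> 23 TCP
2002-10-20 21:05:40 blocked 66.28.140.212:3477 -> 135 TCP
2002-10-20 21:09:02 blocked 66.28.140.212:3502 -> 6667 TCP
2002-10-20 21:12:55 blocked 192.0.2.9:40000 -> 80 TCP
2002-10-20 21:20:17 blocked 66.28.140.212:3590 -> 23 TCP
"""

FW_LINE_RE = re.compile(r"blocked (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+)")


def summarize_hits(log_text, min_hits=2):
    """Count blocked connections per source address and collect the destination
    ports each source probed; only sources with at least min_hits are returned,
    since a single stray packet is not worth chasing."""
    hits = Counter()
    ports = defaultdict(set)
    for src, dport in FW_LINE_RE.findall(log_text):
        hits[src] += 1
        ports[src].add(int(dport))
    return {src: {"hits": n, "ports": sorted(ports[src])}
            for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    # Constructed process list in the spirit of the Task Manager check.
    print(flag_lookalikes(["Explored.exe", "explorer.exe", "mirc.exe", "svchost.exe"]))
    print(extract_irc_rendezvous(SAMPLE_MIRC_SCRIPT))
    print(summarize_hits(SAMPLE_FW_LOG))
```

On a real machine the process names would come from the task list and the scripts from the bot's install directory; the edit-distance threshold of 1 is deliberately tight so that ordinary third-party names do not trip it, and the firewall summary keys on source address rather than destination port because the post's attacker walked several ports from one host.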
Current thread:
- W2K Compromise - PipeCmdSrv Philip (Oct 01)
- <Possible follow-ups>
- Re: W2K Compromise - PipeCmdSrv Curt Wilson (Oct 05)
- Re: W2K Compromise - PipeCmdSrv Erik Sperling Johansen (Oct 05)
- Re: W2K Compromise - PipeCmdSrv woofz (Oct 07)
- Re: W2K Compromise - PipeCmdSrv woofz (Oct 08)
- Re: W2K Compromise - PipeCmdSrv sfuston (Oct 20)
- Re: W2K Compromise - PipeCmdSrv H C (Oct 21)