Security Incidents
mailing list archives
Re: W2K Compromise - PipeCmdSrv
From: H C <keydet89 () yahoo com>
Date: Mon, 21 Oct 2002 05:19:30 -0700 (PDT)
Two quick questions:

1. What does this have to do w/ PipeCmdSrv?

2. If at one point you say, "Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program" (what's a "bootlegged" program, BTW??), then why do you follow it by saying, "just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine"? Which is it?
--- sfuston () blomand net wrote:
In-Reply-To: <20021004233810.16182.qmail () mail securityfocus com>
Ok, well I don't usually do this, post any info I've collected, but I am trying to find information back as well. I too had an experience with the PipeCmdSvr, and I'm still not sure exactly how it came on my machine. I am running Win2k Pro.

I downloaded this program called MyIE, an overlay for the IE web browser. During some of my searches I kept getting Chinese web sites in my tabs. I was just playing around with some of the settings and when I clicked on the Resource button a prompt came up that said "some sites may not work well without the Chinese language pack installed" "Do you want to install the Chinese language pack". Well I did. I know I know, are you crazy man? lol At any rate, it proceeded to install something. Then I got a message from Win2k saying that some files would be overwritten, did I want to continue. Well obviously I responded no, but it would not let me click no, the only way to gain access again to my desktop was to click yes, which I did. When my machine rebooted, it was much much slower than it had been. Subsequent reboots had this little mIRC window coming up on reboot, and while I had used mIRC in the past, I had not reloaded it since I had done a new install of Win2k. That's what got me interested, so I looked in Task Manager to see what was running, and that's when I ran across the Explored.exe program running. Now I am no programmer or a Windows guru, but in 8 years of using Windows software I'm no novice either. That threw up a flag so I investigated further. In doing a search for Explored.exe online I came up with the http://golcor.tripod.com/gtbot.htm site, and I was able to determine what I had, a trojan no less. Now I wanted to know how and where I got it. Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program. Well to make this long story short, I looked for other MyIE download sites and found one that I deemed to be safe and installed it. I can't get this one to ask me for the Chinese language pack download, so I can only assume that I had gotten a hacked program to start with. Also the MyIE executable on the bogus file was 750k and on the last one I installed it was only 450k. I am assuming that's how I got it. I did have a mirror that I made a week ago so just to be safe I put that back on after renaming all the infected files and moving them into a folder on another drive.

I still wanted to investigate further, so I started looking inside some of the mIRC files that go along with this trojan. From some of the information gathered I found a "report to" location. DALnet, channel #Iamowned. I went there and there were about 12 nicks in the room with the Owned(#####) nicks, I'm guessing bots.

When I reinstalled my mirror, I put Zone Alarm back on as I have a static IP and was a tad worried that someone had my IP number. Over the next couple of hours I got repeated hits (more than 30) from a site 66.28.140.212, each time at different ports including telnet. In looking this up I found that this IP was registered to Cogent Communications. Not sure how I'm going to proceed from here. This is the first time I've been hacked in 9 years online.

I'm sure this trojan can be enabled in other ways, but just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine. Unless I have some big problems with it, I am going to continue to use this program as it is almost an identical user interface as Opera but using the IE web browser shell.

I did save all the files that were a part of the trojan program after renaming the extensions, and if anyone would like to have one or all of them I would be happy to send them on.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
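The quoted message describes more than 30 blocked connections from a single address, each to a different port, showing up in a host firewall log within a couple of hours. As an added example that is not part of this thread (and not ZoneAlarm's own log format, which is invented here), the following Python script parses a constructed sample of such a log, counts blocked hits and distinct destination ports per source address, and flags sources that exceed assumed thresholds. The address 66.28.140.212 is the one named in the message; 192.0.2.10 is a constructed documentation address used as a benign control.

```python
import re
from collections import defaultdict

# Constructed sample log (invented format for this example, not ZoneAlarm's real one).
# Each entry: "<date> <time> BLOCK <src_ip>:<src_port> -> <dst_port>/<proto>"
# The INFO line is there to show that non-matching lines are skipped, not crashed on.
SAMPLE_LOG = """\
2002-10-04 21:02:11 BLOCK 66.28.140.212:3391 -> 23/tcp
2002-10-04 21:02:13 BLOCK 66.28.140.212:3392 -> 139/tcp
2002-10-04 21:02:15 BLOCK 66.28.140.212:3393 -> 445/tcp
2002-10-04 21:02:17 BLOCK 66.28.140.212:3394 -> 135/tcp
2002-10-04 21:05:00 INFO firewall rule set reloaded
2002-10-04 21:06:02 BLOCK 192.0.2.10:51002 -> 80/tcp
2002-10-04 21:07:41 BLOCK 66.28.140.212:3395 -> 80/tcp
2002-10-04 21:07:43 BLOCK 66.28.140.212:3396 -> 21/tcp
2002-10-04 21:07:45 BLOCK 66.28.140.212:3397 -> 6667/tcp
2002-10-04 21:07:47 BLOCK 66.28.140.212:3398 -> 1433/tcp
2002-10-04 21:20:30 BLOCK 192.0.2.10:51003 -> 80/tcp
2002-10-04 21:31:09 BLOCK 66.28.140.212:3399 -> 23/tcp
2002-10-04 21:31:11 BLOCK 66.28.140.212:3400 -> 139/tcp
2002-10-04 21:31:13 BLOCK 66.28.140.212:3401 -> 445/tcp
2002-10-04 21:31:15 BLOCK 66.28.140.212:3402 -> 135/tcp
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) BLOCK "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dport>\d+)/(?P<proto>\w+)$"
)

# A handful of well-known ports, used only to label the summary output.
SERVICE_NAMES = {21: "ftp", 23: "telnet", 80: "http", 135: "msrpc",
                 139: "netbios-ssn", 445: "microsoft-ds", 1433: "mssql", 6667: "irc"}


def parse_blocks(log_text):
    """Yield (src_ip, dst_port) for every BLOCK line; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), int(m.group("dport"))


def summarize(log_text):
    """Per source IP: total blocked hits and the sorted list of distinct ports touched."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, dport in parse_blocks(log_text):
        hits[src] += 1
        ports[src].add(dport)
    return {src: {"hits": hits[src], "ports": sorted(ports[src])} for src in hits}


def service_names(ports):
    """Map port numbers to names where known, otherwise keep the number as a string."""
    return [SERVICE_NAMES.get(p, str(p)) for p in ports]


def flag_scanners(log_text, min_hits=10, min_ports=5):
    """Sources with at least min_hits blocks spread over at least min_ports distinct ports.

    The thresholds are assumptions for this example; a real deployment tunes them
    to the host's normal traffic so that a single retried connection is not flagged.
    """
    return sorted(src for src, s in summarize(log_text).items()
                  if s["hits"] >= min_hits and len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in flag_scanners(SAMPLE_LOG):
        s = summary[src]
        print(f"{src}: {s['hits']} blocked hits on {len(s['ports'])} ports: "
              f"{', '.join(service_names(s['ports']))}")
```

Counting distinct destination ports per source, rather than raw hit counts alone, is what separates a probe sweeping a host from a single misconfigured client retrying one service; the control address above is blocked twice but only ever on port 80, so it is not flagged.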