Hag4r
Hi,
I recently got myself into problems. I was talking to a guy on IRC, and he asked me to ping him with a command: /ctcp nickname PING. Dumb and unsuspicious as I was, I did it; then he said something like: "transferred winmgnt.exe in 2,33 sec". So I was wondering, could he have sent that file to my computer after I typed that command and pinged him??
After that, I've found a file called winmgnt.exe on my disc, in c:\RECYCLER\blabla.
And what does that file do? Anyone know it?

regards
mrBob
winmgnt.exe is usually the hacked Serv-U FTP server,
so actually he has full control over your PC, cuz he can upload/download and execute ANY file.
And /ctcp [nick] PING means that you were requesting a file from that nickname..
SLiM577
yea, winmgnt.exe is most likely Serv-U, dude
mrBob
btw, also found a servudaemon.ini in there?
and servustartuplog.txt
UnDeRTaKeR
As my friend mrBob said:
QUOTE
btw, also found a servudaemon.ini in there?
and servustartuplog.txt

I wondered if he could execute the file..
SlippyG
First of all I'd like to thank the original poster for not referring to the Internet
Relay Chat service as 'mIRC'. Nice to know that some people still recognise
that IRC is an open protocol that predates the popular Windows app. I still
shudder every time someone asks about 'mIRC servers'.

QUOTE (mrBob @ Dec 6 2003, 07:08 PM)
winmgnt.exe is usually the hacked Serv-U FTP server,
so actually he has full control over your PC, cuz he can upload/download and execute ANY file.
And /ctcp [nick] PING means that you were requesting a file from that nickname..

I'm not sure what you're trying to say here. The common command
/CTCP {nickname} PING|FINGER|VERSION|TIME|USERINFO|CLIENTINFO
is a well known IRC command despite not being documented in RFC1459.

I suggest you read the CTCP (Client to Client Protocol) specification which
will help clarify what these /CTCP messages mean, and how they are used.

To send these CTCP messages we (or our IRC client) simply quote them
into standard RFC1459 PRIVMSGs.

Here's what the CTCP specification says about its 'PING' messages:

QUOTE (Taken from CTCP documentation)

PING
====
Ping is used to measure the time delay between clients on the IRC
network. A ping query is encoded in a privmsg, and has the form:

\001PING timestamp\001

where `timestamp' is the current time encoded in any form the querying
client finds convenient. The replying client sends back an identical
message inside a notice:

\001PING timestamp\001

The querying client can then subtract the received timestamp from the
current time to obtain the delay between clients over the IRC network.


To say that this 'means you were requesting a file from' the user involved
doesn't make any kind of sense to me. Would you care to elaborate on
what you meant by this?

Perhaps if you read RFC 1459 and the CTCP spec it may remind you.

C'mon people, let's try to be accurate.


S.G.
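As an added illustration (not code from any poster in this thread), here is the CTCP PING exchange exactly as the quoted spec describes it, working on constructed raw IRC lines: the query is a PRIVMSG wrapping `\001PING timestamp\001`, the reply echoes the same payload inside a NOTICE, and the delay is the difference between the echoed timestamp and the current time. The last helper shows that a file offer is a different CTCP command (DCC SEND), which is how a client tells a file transfer offer apart from a ping; the nicks, hosts and timestamp values are made up for the example.

```python
import re
import time
from typing import Optional, Tuple

CTCP = "\x01"  # the \001 delimiter from the CTCP spec quoted above

# Raw IRC line as received from the server, e.g. ":alice!u@host PRIVMSG bob :\x01PING 1070741280\x01"
LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>PRIVMSG|NOTICE) (?P<target>\S+) :(?P<text>.*)$"
)

def make_ping_query(nick: str, now: Optional[float] = None) -> str:
    """What the client sends for /ctcp <nick> PING: a PRIVMSG carrying only a timestamp."""
    ts = int(time.time() if now is None else now)
    return f"PRIVMSG {nick} :{CTCP}PING {ts}{CTCP}"

def parse_ctcp(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (irc_cmd, sender_nick, ctcp_cmd, ctcp_args) or None if the line is not CTCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = m.group("text")
    if len(text) < 2 or text[0] != CTCP or text[-1] != CTCP:
        return None  # plain chat text, not a CTCP-quoted message
    cmd, _, args = text[1:-1].partition(" ")
    sender = (m.group("prefix") or "").split("!", 1)[0]
    return m.group("cmd"), sender, cmd.upper(), args

def make_ping_reply(line: str) -> Optional[str]:
    """Echo a PING query's timestamp back to the sender inside a NOTICE, per the spec."""
    parsed = parse_ctcp(line)
    if parsed is None or parsed[0] != "PRIVMSG" or parsed[2] != "PING":
        return None
    _, sender, _, ts = parsed
    return f"NOTICE {sender} :{CTCP}PING {ts}{CTCP}"

def ping_delay(reply_line: str, now: float) -> Optional[float]:
    """Delay in seconds = now minus the timestamp echoed in the NOTICE reply."""
    parsed = parse_ctcp(reply_line)
    if parsed is None or parsed[0] != "NOTICE" or parsed[2] != "PING":
        return None
    try:
        return now - float(parsed[3])
    except ValueError:
        return None  # the peer echoed something that is not our timestamp

def is_file_offer(line: str) -> bool:
    """True only for a DCC SEND offer; a PING query or reply never carries a file."""
    parsed = parse_ctcp(line)
    return parsed is not None and parsed[2] == "DCC" and parsed[3].upper().startswith("SEND ")
```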
dissolutions
I have a question.
What IRC Client were you using? What Version?
KoStIsTR
I'll make a suggestion, but I'm not too sure about it.... Maybe this guy had an XDCC bot and as trigger had this one: /ctcp nickname PING?? So when Hag4r typed it, the XDCC bot sent him the file. For all of this to happen, though, Hag4r, you must have had DCC auto-get file enabled and the target folder was c:\RECYCLER\blabla. Or maybe that was a file that somehow gave him control of your PC and then he moved it to c:\recy.... That's just a suggestion, so if I'm wrong I want to hear your corrections.

KoStIsTR
Hag4r
Thanks first for all the replies. I think (*hope* actually, lol) it was a false alarm. I installed a good firewall, so normally I could track if any malicious data is sent outside.
QUOTE
What IRC Client were you using? What Version?

I'm just using mIRC, v6.12

QUOTE

btw, also found a servudaemon.ini in there?
and servustartuplog.txt

I haven't found any servudaemon.ini or servustartuplog in that folder, only a winmgnt.bat and winmgnt.dll.

And I have autosend disabled, and the extensions .dat, .exe and .dll are certainly not
in the DCC unignore folder...

regards
KoStIsTR
lol, so many replies for nothing. Next time please search a little bit more before asking something like that.
jonfinley
If you check on Symantec's site, winmgnt "MAY" be the BackDoor.Hale trojan.

Symantec Security Response

Jon
KaZslo
Or the Troj/PAdmin Trojan: http://www.sophos.com/virusinfo/analyses/trojhalea.html

Also, check if port 1200 is now open on your computer.
x303
Is it possible to cut off unwanted commands in mIRC?
So you can use it without worrying about hacks, and so on?
jubbly
winmgnt.exe could be whatever you want it to be if you're in charge of renaming your file.

I suggest you look into the .bat and .dll files using a text editor, in case they are renamed files to fool you. They may be renamed .ini files, or they'll give you some clue as to what they are and how to get rid of whatever it has done.
Invision Power Board © 2001-2005 Invision Power Services, Inc.