Solved

HAX.BAT found in infection

Posted on 2003-11-05
Last Modified: 2010-05-18
Anyone ever seen anything like this?
Infection june/july 2003

Looking for information to help this user:

"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec; a remote administration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which the delete failed, so we have a copy of this file. In addition, virus software and firewall software were stopped. Activation of the ftp service occurred on Oct. 15. These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet.

Question by:lrmoore
13 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9688057
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 9688077
0
 
LVL 79

Author Comment

by:lrmoore
ID: 9688145
I'm not directly involved with this outbreak, just trying to lend a hand to figure out where it came from.
Trust me, I know all about the spyware/adware/trojan hunter software and online scanning.
Cleaning up is not the problem. Getting the infection has increased client's awareness of need for multi-layers of protection.

Where did this come from? Has anyone identified this particular strain? I'm looking for someone with direct experience with this particular virus/worm.

There is nothing on the net about this particular infection. Do a google search for "hax.bat" and nada...
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 200 total points
ID: 9688168
Almost sounds like something/one internal. . .
Anyone in IT been told their job's being downsized?
0
 

Expert Comment

by:Rikis
ID: 9688521
It can be just a backdoor.
Someone created this file and left it in the machine.
Try to enable the firewall, and maybe someone tries to connect to the programs.
0
 
LVL 9

Assisted Solution

by:TooKoolKris
TooKoolKris earned 100 total points
ID: 9689241
First of all, it's not necessarily a trojan or a virus. It's simply a batch file that anyone with batch coding skills could create. I'm with Sirbounty on the fact that there is no info on the file out on the Internet and this should reasonably point to an inside job. The programs that you say are being installed, where do they reside? Did the bat file come with all this software as well or was it sent via the FTP created? Do a search on this pc for all text files and examine the ones that look funny. Those key loggers normally keep their logs in text format on the pc before they email them off. See if there is a config file for the key logger as well you might be able to find out where the info is being sent if this person is dumb enough.

Check the IIS logs to see if there are any that exist for connections to the FTP server that was created.

Check the registry to see if there are any records of remote mapping. My guess is if someone from the inside did this it was probably done from across the network and there may be a record of the mapped drive used to copy the file to the pc. I'm assuming you have already gone through the event logs.


0
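A host triage script covering the indicators named in the question and the checks TooKoolKris suggests (the scheduled task that ran hax.bat, the dropped binaries, listeners on the FTP ports, the AdminBackupexec account, a disabled firewall, and FTP logins in the IIS logs). This is an added example, not code from the thread; the IIS log path, the .exe suffix on r_server, and the use of modern PowerShell cmdlets (which did not exist on the 2003-era hosts discussed) are assumptions.

```powershell
# Added triage script (not from the thread). Indicator names come from the question;
# the IIS log path and the ".exe" suffix on r_server are assumptions.
$suspectExes    = @('winsecure.exe', 'netsrc.exe', 'r_server.exe')
$suspectPorts   = @(81, 43958)
$suspectAccount = 'AdminBackupexec'
$ftpLogDir      = 'C:\inetpub\logs\LogFiles'   # assumed IIS log location; adjust per host
$findings       = @()

# 1. Scheduled tasks whose action references hax.bat
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'hax\.bat') { $findings += "Task '$($task.TaskName)' runs: $cmd" }
    }
}

# 2. Running processes with the dropped tool names (keylogger, VNC, remote admin server)
foreach ($proc in Get-Process) {
    if ($suspectExes -contains "$($proc.ProcessName).exe") {
        $findings += "Process $($proc.ProcessName) (PID $($proc.Id)) from $($proc.Path)"
    }
}

# 3. Listeners on the ports the hidden FTP server used
foreach ($conn in Get-NetTCPConnection -State Listen | Where-Object { $suspectPorts -contains $_.LocalPort }) {
    $owner = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "Port $($conn.LocalPort) listening, owned by PID $($conn.OwningProcess) ($owner)"
}

# 4. The planted account, and whether it was made a local administrator
if (Get-LocalUser -Name $suspectAccount -ErrorAction SilentlyContinue) {
    $findings += "Local account exists: $suspectAccount"
    if (Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$suspectAccount" }) {
        $findings += "$suspectAccount is a member of Administrators"
    }
}
# 5. Firewall profiles that have been switched off
foreach ($fwProfile in Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }) {
    $findings += "Firewall profile disabled: $($fwProfile.Name)"
}

# 6. FTP control-channel activity in the IIS logs (USER commands record logins to the planted server)
if (Test-Path $ftpLogDir) {
    $hits = Get-ChildItem -Path $ftpLogDir -Recurse -Filter '*.log' |
            Select-String -Pattern '\sUSER\s' | Select-Object -First 20
    foreach ($h in $hits) { $findings += "FTP login attempt: $($h.Filename): $($h.Line)" }
}
if ($findings.Count -eq 0) { 'No indicators from the thread found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it elevated on each suspect host and preserve the output with the copy of hax.bat; the task name, listener owners and log hits are what lets you tie the machines to one actor, which is the question the thread never managed to answer.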
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 100 total points
ID: 9693635
lrmoore,


>> Where did this come from

I think it may not be very easy to answer this particular one. Generally, I have seen a virus or worm come into the system by exchanging floppy disks from other computers. Nowadays, with the internet being very popular, I would guess it would have entered the system through the network. Esp. if you had read about the MS Blaster worm, you know the moment you hook your system to the network card and the network is already contaminated with the worm, your system shuts down.


That's why in the first place I expected spyware/adware/pop-ups to bring in that particular virus or worm to your system.

Also check for any p2p programs in the system.

I am totally leaning towards the side that it is a virus or worm. I am just guessing the worst scenario.

The way it is described in your question, I think the same way as TooKoolKris: some bat file made to run at a certain time.

Sunray
0
 
LVL 2

Expert Comment

by:kat120
ID: 9697362
Is this the same one from the security focus incidents mailing list?
Kat
0
 
LVL 79

Author Comment

by:lrmoore
ID: 9697772
Yes. They are right in my backyard and I'd like to help...
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 100 total points
ID: 9699522
reminiscent of W32.Tkbot.Worm ... was IRC running on these machines?
take a look at another report: http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0121.html
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9730998
Did you make any progress on your new friend?
0
 
LVL 79

Author Comment

by:lrmoore
ID: 9731152
Unfortunately, they have not responded to any of my queries...
Our liaison is just back from vacation, so ......

0
 
LVL 79

Author Comment

by:lrmoore
ID: 9782174
No responses from my 'new friend', so I can't get any more information.

It was worth a shot, and I appreciate the responses.

I'm going with the feeling that it was an inside job with a custom script. Since this was a university, perhaps a disgruntled student...

That's my story, and I'm sticking to it!
0
