Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


HAX.BAT found in infection

Posted on 2003-11-05
Medium Priority
Last Modified: 2010-05-18
Anyone ever seen anything like this?
Infection june/july 2003

Looking for information to help this user:

"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it.  Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file.  In addition, virus software and firewall software was stopped.  Activation of the ftp service occurred on Oct. 15.  These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet

Question by:lrmoore
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +4
LVL 79

Author Comment

ID: 9688145
I'm not directly involved with this outbreak, just trying to lend a hand to figure out where it came from.
Trust me, I know all about the spyware/adware/trojan hunter software and online scanning.
Cleaning up is not the problem. Getting the infection has increased client's awareness of need for multi-layers of protection.

Where did this come from? Has anyone identified this particular strain? I'm looking for someone with direct experience with this particular virus/worm.

There is nothing on the net about this particular infection. Do a google search for "hax.bat" and nada...
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 67

Accepted Solution

sirbounty earned 800 total points
ID: 9688168
Almost sounds like something/one internal. . .
Anyone in IT been told their job's being downsized?

Expert Comment

ID: 9688521
It's can be just backdoor.
Some one created this file and left in the machine.
Try to enable firewall and maybe someone try to connect to programs.

Assisted Solution

TooKoolKris earned 400 total points
ID: 9689241
First of all, it's not necessarily a trojan or a virus. It's simply a batch file that anyone with batch coding skills could create. I'm with Sirbounty on the fact that there is no info on the file out on the Internet and this should reasonably point to an inside job. The programs that you say are being installed, where do they reside? Did the bat file come with all this software as well or was it sent via the FTP created? Do a search on this pc for all text files and examine the ones that look funny. Those key loggers normally keep their logs in text format on the pc before they email them off. See if there is a config file for the key logger as well you might be able to find out where the info is being sent if this person is dumb enough.

Check the IIS logs to see if there are any that exist for connections to the FTP server that was created.

Check the registry to see if there are any records of remote mapping. My guess is if someone from the inside did this it was probably done from across the network and there may be a record of the mapped drive used to copy the file to the pc. I'm assuming you have already gone through the event logs.

LVL 49

Assisted Solution

sunray_2003 earned 400 total points
ID: 9693635

>> Where did this come from

I think it may not be very easy to answer this particular one. Generally , I have seen virus or worm come into the system by exchanging floppy disks from other computers.Now-a-days , with internet being very popular , I would guess it would have entered the system through the network......  Esp if you had read about MS blaster worm , you know the moment you hook your systemt to the network card and the network is already contaminated with the worm, your system shuts down.

That's why at the first place i expected spywares /adwares/pop-ups to bring in that particular virus or worm to your system

Also check to see any p2p programs in the system.......

I am totally leaning towards the side that it a virus or worm .. I am just guessing the worst scenario

The way it is described in your question , I think the same way as TooKoolkris , some bat file made to run at a certain time .....


Expert Comment

ID: 9697362
Is this the same one from the security focus incidents mailing list?
LVL 79

Author Comment

ID: 9697772
Yes. They are right in my backyard and I'd like to help...
LVL 18

Assisted Solution

chicagoan earned 400 total points
ID: 9699522
reminiscent of W32.Tkbot.Worm ... was IRC running on these machines?
take a look at a another report: http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0121.html
LVL 18

Expert Comment

ID: 9730998
Did you make any progress on your new friend?
LVL 79

Author Comment

ID: 9731152
Unfortunately, they have not responded to any of my querries...
Our liason is just back from vacation, so ......

LVL 79

Author Comment

ID: 9782174
No responses from my 'new friend', so I can't get any more information.

It was worth a shot, and I appreciate the responses.

I'm going with the feeling that it was an inside job with a custom script. Since this was a university, perhaps a disgruntled student...

That's my story, and I'm sticking to it!

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How does someone stay on the right and legal side of the hacking world?
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question