?
Solved

HAX.BAT found in infection

Posted on 2003-11-05
13
Medium Priority
?
1,791 Views
Last Modified: 2010-05-18
Anyone ever seen anything like this?
Infection june/july 2003

Looking for information to help this user:

"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it.  Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file.  In addition, virus software and firewall software was stopped.  Activation of the ftp service occurred on Oct. 15.  These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet

0
Comment
Question by:lrmoore
  • 4
  • 2
  • 2
  • +4
13 Comments
 
LVL 79

Author Comment

by:lrmoore
ID: 9688145
I'm not directly involved with this outbreak, just trying to lend a hand to figure out where it came from.
Trust me, I know all about the spyware/adware/trojan hunter software and online scanning.
Cleaning up is not the problem. Getting the infection has increased client's awareness of need for multi-layers of protection.

Where did this come from? Has anyone identified this particular strain? I'm looking for someone with direct experience with this particular virus/worm.

There is nothing on the net about this particular infection. Do a google search for "hax.bat" and nada...
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 67

Accepted Solution

by:
sirbounty earned 800 total points
ID: 9688168
Almost sounds like something/one internal. . .
Anyone in IT been told their job's being downsized?
0
 

Expert Comment

by:Rikis
ID: 9688521
It's can be just backdoor.
Some one created this file and left in the machine.
Try to enable firewall and maybe someone try to connect to programs.
0
 
LVL 9

Assisted Solution

by:TooKoolKris
TooKoolKris earned 400 total points
ID: 9689241
First of all, it's not necessarily a trojan or a virus. It's simply a batch file that anyone with batch coding skills could create. I'm with Sirbounty on the fact that there is no info on the file out on the Internet and this should reasonably point to an inside job. The programs that you say are being installed, where do they reside? Did the bat file come with all this software as well or was it sent via the FTP created? Do a search on this pc for all text files and examine the ones that look funny. Those key loggers normally keep their logs in text format on the pc before they email them off. See if there is a config file for the key logger as well you might be able to find out where the info is being sent if this person is dumb enough.

Check the IIS logs to see if there are any that exist for connections to the FTP server that was created.

Check the registry to see if there are any records of remote mapping. My guess is if someone from the inside did this it was probably done from across the network and there may be a record of the mapped drive used to copy the file to the pc. I'm assuming you have already gone through the event logs.


0
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 400 total points
ID: 9693635
Irmoore,


>> Where did this come from

I think it may not be very easy to answer this particular one. Generally , I have seen virus or worm come into the system by exchanging floppy disks from other computers.Now-a-days , with internet being very popular , I would guess it would have entered the system through the network......  Esp if you had read about MS blaster worm , you know the moment you hook your systemt to the network card and the network is already contaminated with the worm, your system shuts down.


That's why at the first place i expected spywares /adwares/pop-ups to bring in that particular virus or worm to your system

Also check to see any p2p programs in the system.......

I am totally leaning towards the side that it a virus or worm .. I am just guessing the worst scenario

The way it is described in your question , I think the same way as TooKoolkris , some bat file made to run at a certain time .....

Sunray
0
 
LVL 2

Expert Comment

by:kat120
ID: 9697362
Is this the same one from the security focus incidents mailing list?
Kat
0
 
LVL 79

Author Comment

by:lrmoore
ID: 9697772
Yes. They are right in my backyard and I'd like to help...
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 400 total points
ID: 9699522
reminiscent of W32.Tkbot.Worm ... was IRC running on these machines?
take a look at a another report: http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0121.html
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9730998
Did you make any progress on your new friend?
0
 
LVL 79

Author Comment

by:lrmoore
ID: 9731152
Unfortunately, they have not responded to any of my querries...
Our liason is just back from vacation, so ......

0
 
LVL 79

Author Comment

by:lrmoore
ID: 9782174
No responses from my 'new friend', so I can't get any more information.

It was worth a shot, and I appreciate the responses.

I'm going with the feeling that it was an inside job with a custom script. Since this was a university, perhaps a disgruntled student...

That's my story, and I'm sticking to it!
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The onset of year 2018 has been a usual business for IT teams still struggling to find their way out in terms of strengthening their cloud security.
A question that many companies need to answer until May 25th of 2018... Is your company ready for GDPR?
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question