Security Incidents mailing list archives
looking for help
From: "Joyce Looger" <loogerj () email uah edu>
Date: Tue, 4 Nov 2003 07:06:28 -0600
We have recently discovered several hacked machines on our campus and have so far not been able to determine what vulnerability has been exploited. We have not been able to find references to this anywhere we have looked. The original breakin evidently occurred in June or on July 1st. A file called "hax.bat" was placed on the victim machines, and the scheduler was set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file. In addition, virus software and firewall software was stopped. Activation of the ftp service occurred on Oct. 15. These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet, and since the original breakin seems to have been June or July, we do not have sufficient logs going back that far. We also don't have the expertise that others have. If anyone has a clue about this, we would appreciate any tidbit of information. Joyce Looger, Tony Wenden, Jerry Brown Computer and Network Services Universiy of Alabama in Huntsville 824-2607 --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- looking for help Joyce Looger (Nov 04)
- Re: looking for help Harlan Carvey (Nov 05)
- <Possible follow-ups>
- Re: looking for help tina helbig (Nov 05)
- Re: looking for help Harlan Carvey (Nov 05)
- RE: looking for help Gilmore, Corey (DPC) (Nov 05)