Security Incidents mailing list archives

looking for help


From: "Joyce Looger" <loogerj () email uah edu>
Date: Tue, 4 Nov 2003 07:06:28 -0600

We have recently discovered several hacked machines on our campus and have
so far not been able to determine what vulnerability has been exploited. We
have not been able to find references to this anywhere we have looked.

The original break-in evidently occurred in June or on July 1st. A file
called "hax.bat" was placed on the victim machines, and the scheduler was
set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5,
and this program installed several things, including a keyboard logger
(winsecure.exe), a VNC server (netsrc.exe), a hidden FTP server listening on
port 81 and/or 43958, and an account called AdminBackupexec was created; a
remote administration server called r_server was installed. The last line in
the file "hax.bat" was supposed to delete the file, but we found one victim
machine on which the delete failed, so we have a copy of this file.
In addition, virus software and firewall software were stopped. Activation
of the FTP service occurred on Oct. 15. These systems have also been seen
to begin scanning for real servers and Apache vulnerabilities.
We have not been able to find information on this on the internet, and since
the original break-in seems to have been June or July, we do not have
sufficient logs going back that far. We also don't have the expertise that
others have. If anyone has a clue about this, we would appreciate any
tidbit of information.

Joyce Looger, Tony Wenden, Jerry Brown
Computer and Network Services
University of Alabama in Huntsville
824-2607
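An added triage sweep, not part of the original post or the list archive, that checks captured Windows command output for the indicators the report names: listeners on ports 81 and 43958, the AdminBackupexec account, the winsecure.exe and netsrc.exe processes, and a scheduled task that runs hax.bat. The command output embedded in the script is constructed to resemble `netstat -an`, `net user`, `tasklist` and a verbose scheduled-task listing; the task name SysUpdate and the path C:\WINNT\system32\hax.bat are assumptions for the sample, not details from the report.

```python
"""Offline IoC sweep over captured Windows command output (constructed samples)."""
import re

# Indicators taken from the mailing-list report above.
SUSPECT_FILES = {"hax.bat", "winsecure.exe", "netsrc.exe", "r_server"}
SUSPECT_PORTS = {81, 43958}
SUSPECT_ACCOUNTS = {"adminbackupexec"}

# Constructed sample output resembling `netstat -an`; not from any real host.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:43958         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
"""

# Constructed sample output resembling `net user` (host name is made up).
NET_USER_OUTPUT = """\
User accounts for \\\\LAB-PC01

-------------------------------------------------------------------------------
AdminBackupexec          Administrator            Guest
jdoe
The command completed successfully.
"""

# Constructed sample output resembling `tasklist`.
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
winsecure.exe                 1532 Console                    1      3,412 K
netsrc.exe                    1604 Console                    1      5,120 K
explorer.exe                  1220 Console                    1     18,900 K
"""

# Constructed verbose task listing; task name and path are assumptions.
SCHTASKS_VERBOSE = """\
TaskName: SysUpdate
Task To Run: C:\\WINNT\\system32\\hax.bat
"""


def listening_ports(netstat_text):
    """Return the set of local ports shown in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def account_names(net_user_text):
    """Return the account names listed between the ruler and the trailer line."""
    names, in_list = set(), False
    for line in net_user_text.splitlines():
        if line.startswith("----"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list:
            names.update(line.split())
    return names


def process_images(tasklist_text):
    """Return lower-cased image names from tasklist rows (header/ruler skipped)."""
    row = re.compile(r"^(.+?)\s+\d+\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    images = set()
    for line in tasklist_text.splitlines():
        m = row.match(line)
        if m:
            images.add(m.group(1).strip().lower())
    return images


def scheduled_commands(schtasks_text):
    """Return the 'Task To Run' values from a verbose task listing."""
    return [line.split(":", 1)[1].strip()
            for line in schtasks_text.splitlines()
            if line.startswith("Task To Run:")]


def sweep(netstat_text, net_user_text, tasklist_text, schtasks_text):
    """Cross-check every captured listing against the report's indicators."""
    findings = []
    for port in sorted(listening_ports(netstat_text) & SUSPECT_PORTS):
        findings.append(f"listener on port {port} (hidden ftp server per report)")
    for acct in sorted(account_names(net_user_text)):
        if acct.lower() in SUSPECT_ACCOUNTS:
            findings.append(f"rogue account {acct}")
    for img in sorted(process_images(tasklist_text)):
        if img in SUSPECT_FILES:
            findings.append(f"suspect process {img}")
    for cmd in scheduled_commands(schtasks_text):
        base = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SUSPECT_FILES:
            findings.append(f"scheduled task runs {cmd}")
    return findings


if __name__ == "__main__":
    for hit in sweep(NETSTAT_OUTPUT, NET_USER_OUTPUT, TASKLIST_OUTPUT, SCHTASKS_VERBOSE):
        print(hit)
```

The script runs against saved text files rather than live hosts, so the same sweep can be applied to output collected from many campus machines and compared; a hit on any one indicator is a reason to pull the full task list, listening sockets and account list for that host into the investigation.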



