From: Chris Norris (cnorris_at_continental-microwave.co.uk)
Date: Wed Sep 18 2002 - 05:27:07 CDT
I think rather than a sign of something sinister this sounds fairly simple.
For example, corrupted and crosslinked files. You say it contained old
emails, well maybe this PC was used as a workstation and was upgraded with
NT4 server but somehow the corrupted files were crosslinked and ended up in
autoexec.bat.
I used to see this with DOS based PCs.
Chris Norris
----- Original Message -----
From: "Matthew S Barnes" <btc1 alltel.net>
To: "Incidents" <incidents securityfocus.com>
Cc: "Chris Barnes" <cbarnes bfinity.net>
Sent: Saturday, September 14, 2002 4:53 PM
Subject: Huge Autoexec.bat
> Hi all we were working on a system the other day at a client's who called
> us in to fix a downed domain controller, his system was blue screening and
> so we got there and started poking around the system, we noticed something
> weird and wanted to ask if anyone had seen it before. I hadn't ever ...
> His autoexec.bat was huuge 26 megabytes to be exact. Now this computer was
> running NT 4 SP6a and also a ton of other stuff but none of the stuff in
> autoexec.bat as far as I could see was anything related to his systems, I
> told him he was probably hacked and that he needed to really treat this like
> it was a crime scene and try to save all the data so we could reconstruct
> later, well he said he didn't care (no wonder he was hacked) and told me to
> not waste time on it he wouldn't pay me to investigate he would only pay me
> to fix it. I did save some of the files I thought were suspicious and was
> hoping someone, anyone could point me in a direction to find out what would
> make this autoexec.bat so big? Are there any known exploits that do this type
> of thing? I appreciate all your help
>
> The autoexec.bat file was full of scripts and code and also some old emails
> of his from years ago and we never got time to go thru the whole thing, just
> enough to make me think it was a total compromise of his system.....
>
> Sincerely
>
> Matthew S Barnes
>
> ---
> Outgoing mail is certified Virus Free.
> Barnes Technical Consulting 2002
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.385 / Virus Database: 217 - Release Date: 9/4/2002
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com