I think rather than a sign of something sinister this sounds fairly simple. For example, corrupted and cross-linked files. You say it contained old emails; well, maybe this PC was used as a workstation and was upgraded with NT4 Server, but somehow the corrupted files were cross-linked and ended up in autoexec.bat. I used to see this with DOS-based PCs.

Chris Norris

----- Original Message -----
From: "Matthew S Barnes" <btc1at_private>
To: "Incidents" <incidentsat_private>
Cc: "Chris Barnes" <cbarnesat_private>
Sent: Saturday, September 14, 2002 4:53 PM
Subject: Huge Autoexec.bat

> Hi all, we were working on a system the other day at a client's who called us
> in to fix a downed domain controller. His system was blue screening, and so
> we got there and started poking around the system. We noticed something
> weird and wanted to ask if anyone had seen it before. I hadn't ever...
>
> His autoexec.bat was huge, 26 megabytes to be exact. Now this computer was
> running NT 4 SP6a and also a ton of other stuff, but none of the stuff in
> autoexec.bat, as far as I could see, was anything related to his systems. I
> told him he was probably hacked and that he needed to really treat this like
> it was a crime scene and try to save all the data so we could reconstruct it
> later. Well, he said he didn't care (no wonder he was hacked) and told me to
> not waste time on it; he wouldn't pay me to investigate, he would only pay me
> to fix it. I did save some of the files I thought were suspicious and was
> hoping someone, anyone, could point me in a direction to find out what would
> make this autoexec.bat so big. Are there any known exploits that do this type
> of thing? I appreciate all your help.
>
> The autoexec.bat file was full of scripts and code and also some old emails
> of his from years ago, and we never got time to go through the whole thing, just
> enough to make me think it was a total compromise of his system.....
>
> Sincerely
>
> Matthew S Barnes
>
> ---
> Outgoing mail is certified Virus Free.
> Barnes Technical Consulting 2002
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.385 / Virus Database: 217 - Release Date: 9/4/2002
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
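The thread above turns on one question: is the 26 MB autoexec.bat full of batch syntax someone appended, or full of unrelated data (old mail, raw cluster contents) that a cross-linked FAT chain dragged in? A quick line-classification pass over the saved file answers that before anyone decides between "compromise" and "chkdsk". The script below is an added example and is not code from either poster; the regexes, the 90 % printable threshold, the verdict wording and the embedded sample bytes are all my own assumptions, and the sample is constructed to imitate a corrupt batch file rather than taken from the incident.

```python
"""Triage an oversize batch file: how much of it is really batch syntax?

Added example (not from the original thread).  Each line of a suspect file
is scored as batch syntax, mail header, binary junk or other text.  A file
whose non-batch content is e-mail headers and control bytes is consistent
with cross-linked / corrupt clusters; a file that is mostly readable but
non-batch text is something a person put there.  Thresholds are assumptions.
"""
import re
from collections import Counter

# Constructed sample input imitating a corrupt autoexec.bat: three genuine
# DOS/NT lines, fragments of an old e-mail, then raw cluster junk.
SAMPLE = (
    b"@ECHO OFF\r\n"
    b"SET PATH=C:\\WINNT;C:\\WINNT\\SYSTEM32\r\n"
    b"LH C:\\DOS\\MOUSE.COM\r\n"
    b"From: someone@example.com\r\n"
    b"Subject: Re: quarterly figures\r\n"
    b"Date: Tue, 3 Mar 1998 10:12:44 -0500\r\n"
    b"hi there, attached are the numbers you asked for\r\n"
    b"\x00\x00\x01\xff\xfe\r\n"
)

# Lines that begin with a common DOS/NT batch verb, a drive path, or a label.
BATCH_RE = re.compile(
    r"^\s*(?:@?(?:echo|set|path|lh|loadhigh|call|rem|if|goto|for|prompt"
    r"|cls|pause|exit|start|net|copy|del)\b|[a-z]:\\|::|:[a-z_]\w*\s*$)",
    re.IGNORECASE,
)
# RFC 822 style header lines: the tell-tale of e-mail dragged into the file.
MAIL_HDR_RE = re.compile(
    r"^(?:From|To|Cc|Subject|Date|Received|Message-ID|Return-Path):\s",
    re.IGNORECASE,
)


def classify_line(line: str) -> str:
    """Return one of: blank, binary, mail-header, batch, other."""
    if not line.strip():
        return "blank"
    printable = sum(1 for c in line if c.isprintable() or c == "\t")
    if printable / len(line) < 0.9:   # assumption: >10% control bytes = not text
        return "binary"
    if MAIL_HDR_RE.match(line):
        return "mail-header"
    if BATCH_RE.match(line):
        return "batch"
    return "other"


def triage(data: bytes) -> Counter:
    """Count line classes.  Decode as latin-1 so no byte value can raise."""
    counts: Counter = Counter()
    for raw in data.split(b"\n"):
        counts[classify_line(raw.rstrip(b"\r").decode("latin-1"))] += 1
    return counts


def foreign_fraction(data: bytes) -> float:
    """Share of non-blank lines that are mail headers or binary junk."""
    c = triage(data)
    total = sum(n for k, n in c.items() if k != "blank")
    return (c["mail-header"] + c["binary"]) / total if total else 0.0


def verdict(data: bytes) -> str:
    """One-line reading of the counts (wording is this example's own)."""
    c = triage(data)
    if c["binary"] or c["mail-header"]:
        return ("foreign data present (mail headers / control bytes): consistent "
                "with cross-linked clusters rather than batch syntax; preserve a "
                "copy of the file before running chkdsk")
    if c["other"] > c["batch"]:
        return "mostly readable non-batch text: read it, something was appended"
    return "looks like an ordinary batch file"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, n in sorted(triage(data).items()):
        print(f"{kind:12s} {n}")
    print(f"foreign fraction: {foreign_fraction(data):.2f}")
    print(verdict(data))
```

Run it as `python triage_bat.py C:\autoexec.bat` against the saved copy; with no argument it scores the embedded sample, where half the non-blank lines are mail headers or control bytes and the verdict points at corruption. A high "other" count with few headers and no control bytes is the case that deserves a line-by-line read.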
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 13:20:23 PDT