SQL Server Forums
 [XP_CMDSHELL] Which DLL's to delete?
Aristy
Starting Member

4 Posts

Posted - 07/03/2011 : 21:25:17
Hello,

I have a problem with a hacker abusing XP_CMDSHELL power to gain access to my server.

I disabled XP_CMDSHELL, but the hacker can enable it back. So, which .DLL files should I be deleting after disabling it, so the hacker cannot enable it again?

I deleted "xplog70.dll". Is it enough, or are there more?

Thanks a lot.

robvolk
Most Valuable Yak

USA
15657 Posts

Posted - 07/03/2011 : 22:14:05
http://msdn.microsoft.com/en-us/library/ms189506.aspx

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 07/04/2011 : 03:57:15
More importantly than deleting xp_cmdshell; how is this hacker able to execute this procedure in the first place? Are you sure that it's actually being executed or are you just seeing references to it in weblogs or something? If it is in fact executed you are probably open to SQL injection and you should *really* look into fixing it... -> http://en.wikipedia.org/wiki/SQL_injection

- Lumbago
My blog-> http://thefirstsql.com/2011/02/07/regular-expressions-advanced-string-matching-and-new-split-function-sql-server-2008-r2/

Aristy
Starting Member

4 Posts

Posted - 07/04/2011 : 12:21:10
The hacker does it with remote SQL access, not granted by SQL injection but a buffer overflow.

Aristy
Starting Member

4 Posts

Posted - 07/04/2011 : 23:09:43
@robvolk; Robvolk, whenever I want to revoke permissions, it asks for master database, and I cannot edit the permissions of my mssql login user under master database.
If it is possible, can you give me an example of revoking all permissions on "sp_configure" procedure from X user?

Thank you.

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 07/05/2011 : 02:12:42
You can try this:

REVOKE EXECUTE ON master.dbo.sp_configure FROM username

However, if the user has server privileges that override the user privileges in the master database (like sysadmin), it will not work.

- Lumbago
My blog-> http://thefirstsql.com/2011/02/07/regular-expressions-advanced-string-matching-and-new-split-function-sql-server-2008-r2/

Aristy
Starting Member

4 Posts

Posted - 07/06/2011 : 12:34:13
USE master
GO

REVOKE EXECUTE ON master.dbo.sp_configure FROM AUJ

I do it via SA and get: "Cannot find the user 'XXX', because it does not exist or you do not have permission."

How can I solve this? When I write my database name instead, it says it can only be done when the current database is master.

russell
Pyro-ma-ni-yak

USA
5072 Posts

Posted - 07/06/2011 : 12:37:31
You're focusing on the stored procedure, when you need to focus on tightening your security.

If the user can enable xp_cmdshell, then they can do a lot more.

Figure out how to keep them out of your network.

Jeff Moden
Aged Yak Warrior

USA
649 Posts

Posted - 06/23/2013 : 00:20:08
quote:
Originally posted by russell

You're focusing on the stored procedure, when you need to focus on tightening your security.

If the user can enable xp_cmdshell, then they can do a lot more.

Figure out how to keep them out of your network.
+1000. I know this post is two years old but it's good to see that someone else gets this.

--Jeff Moden
RBAR is pronounced "ree-bar" and is a "Modenism" for "Row By Agonizing Row".

First step towards the paradigm shift of writing Set Based code:
"Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

When writing schedules, keep the following in mind:
"If you want it real bad, that's the way you'll likely get it."