SQL Server Forums
 SQL ISSUE

trbal
Starting Member

4 Posts

Posted - 05/24/2012 :  03:26:47
Hi

I am running SBS 2003 Std with SP2. AV is ESET AV4. Suddenly SQL started behaving strangely; ppl were unable to connect to the DB. On running Process Explorer I find sqlserv.exe trying to execute secedit.exe with high CPU usage, then it starts cmd.exe trying to execute a bat file which creates folders like i4241 in the c:\system32 folder, then opens up ftp.exe. ESET detected lib32woaqexe and deletes it, just that. I have run Sophos/Malwarebytes/SUPERAntiSpyware etc.; nothing is detected, but Process Explorer still shows the same sequence of events I have stated above. I had the same issue at a different site and had to reformat the server. Is that the only option? Any help is highly appreciated. I have a screenshot; where should I upload it?

Lumbago
Norsk Yak Master

Norway
3246 Posts

Posted - 05/24/2012 :  07:45:34
Sounds like you're a victim of SQL injection. Google "how to prevent sql injection" and you'll find very good information about what you need to do. The screenshot can be uploaded to tinypic.com or the like...

- Lumbago
My blog-> http://thefirstsql.com

trbal
Starting Member

4 Posts

Posted - 05/24/2012 :  13:36:31
Thx boss

Will reinstalling SQL solve the issue?

robvolk
Most Valuable Yak

USA
15568 Posts

Posted - 05/24/2012 :  13:39:43
Not if your application still allows SQL injection, you'll just get re-infected. You have to look at your entire architecture to prevent SQL injection.

trbal
Starting Member

4 Posts

Posted - 05/24/2012 :  13:49:55
Thx Robvolk

I want to upload a screenshot but am not able to do it on tinypic as it times out. Is there any other way I can upload it? Maybe that will explain the process better.

Got it.

Thx again

Edited by - trbal on 05/24/2012 13:51:41

robvolk
Most Valuable Yak

USA
15568 Posts

Posted - 05/24/2012 :  15:26:36
First thing I recommend doing is disabling xp_cmdshell on your SQL Server. You can do that with the following SQL:

    EXEC sp_configure 'show advanced options', '1';
    reconfigure;
    EXEC sp_configure 'xp_cmdshell', '0';
    reconfigure;

Next you should kill any cmd.exe process on the server, which you can do from the command line with:

    taskkill /IM cmd.exe

Note that will also kill the command window you run it in. You should recheck task manager to ensure all CMD.EXEs have terminated. If they spring up again, you've got a virus and you'll probably need to wipe the server and reinstall everything if your antivirus can't remove it.

This still doesn't protect you from SQL injection.

BTW you can also use http://imgur.com as an image host.
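The process chain described in this thread (the SQL Server process launching secedit.exe, cmd.exe and then ftp.exe) can be searched for in process-creation logs by walking each suspect process back through its parents. The following is an added example, not code posted by anyone in the thread; the event fields (pid, ppid, image) and the sample events are constructed, and sqlservr.exe is assumed to be the SQL Server service binary.

```python
# Added example: flag shell/utility processes descended from the SQL Server service.
# Event fields (pid, ppid, image) and all sample events are constructed.
from ntpath import basename  # parses Windows paths on any OS

# sqlservr.exe is the SQL Server service binary; sqlserv.exe is the spelling in the post.
SQL_SERVICE = {"sqlservr.exe", "sqlserv.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "ftp.exe", "secedit.exe"}  # processes named in the thread

EVENTS = [  # constructed process-creation events, oldest first
    {"pid": 640, "ppid": 500, "image": r"C:\WINDOWS\system32\services.exe"},
    {"pid": 1200, "ppid": 640, "image": r"C:\MSSQL\Binn\sqlservr.exe"},
    {"pid": 3100, "ppid": 1200, "image": r"C:\WINDOWS\system32\secedit.exe"},
    {"pid": 3104, "ppid": 1200, "image": r"C:\WINDOWS\system32\cmd.exe"},
    {"pid": 3110, "ppid": 3104, "image": r"C:\WINDOWS\system32\ftp.exe"},
    {"pid": 4000, "ppid": 3900, "image": r"C:\WINDOWS\explorer.exe"},
    {"pid": 4020, "ppid": 4000, "image": r"C:\WINDOWS\system32\cmd.exe"},  # admin's own shell
]

def find_sql_spawned(events):
    """Return (pid, chain) for each suspect process with SQL Server as an ancestor."""
    by_pid, findings = {}, []
    for ev in events:
        by_pid[ev["pid"]] = ev
        name = basename(ev["image"]).lower()
        if name not in SUSPECT_CHILDREN:
            continue
        chain, seen = [name], {ev["pid"]}
        parent = by_pid.get(ev["ppid"])
        while parent and parent["pid"] not in seen:  # guard against PID-reuse loops
            pname = basename(parent["image"]).lower()
            chain.append(pname)
            if pname in SQL_SERVICE:
                findings.append((ev["pid"], " <- ".join(chain)))
                break
            seen.add(parent["pid"])
            parent = by_pid.get(parent["ppid"])
    return findings

if __name__ == "__main__":
    for pid, chain in find_sql_spawned(EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

The interactive cmd.exe started from explorer.exe is not reported, because only processes whose ancestry reaches the SQL Server service are flagged.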

trbal
Starting Member

4 Posts

Posted - 05/25/2012 :  02:01:57
Thx Rob

I first edited the registry and removed entries from MUICache (secedit.exe and cmd.exe), then removed a firewall rule, WAN to LAN, which I had created to allow access to the DB port. Now the thing is gone. As I had mentioned earlier, the server is running an updated version of ESET and I have scanned it with multiple spyware/virus/rootkit tools. Will keep a tab and see if something crops up again.
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC