mrdougman
Starting Member
3 Posts
Posted - 2008-02-27 : 12:35:23

Every few days I get a table that shows up in my database named TMP31337??. This table has 2 fields/columns labeled 'A' and 'X'. Field A contains a sequential #, and field X has user logins in the following format "SA_0x091231238f989df89d8f98asdf989df8989d8f9898df8", etc. The table name is always the same except for the last two characters. I am concerned that my SQL Server has been compromised. Does this look familiar to anyone? Thanks for your help.
Doug

visakh16
Very Important crosS Applying yaK Herder
52326 Posts
Posted - 2008-02-27 : 12:57:44

Is there some other third-party utility which performs some scheduled processes in your db?

mrdougman
Starting Member
3 Posts
Posted - 2008-02-27 : 13:19:00

That thought occurred to me, that these tables could be generated by a third-party utility. That is possible, I suppose, but nothing comes to mind. And the fact that the table has #31337 in it, a number that seems to have significance in the hacker community, started bothering me.

visakh16
Very Important crosS Applying yaK Herder
52326 Posts
Posted - 2008-02-27 : 13:27:55

Ah... that seems to be weird...

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2008-02-27 : 14:35:11

Well, run Profiler and see who creates it and when.
_______________________________________________
Causing trouble since 1980
blog: http://weblogs.sqlteam.com/mladenp
SSMS Add-in that does a few things: www.ssmstoolspack.com

tripodal
Constraint Violating Yak Guru
259 Posts
Posted - 2008-02-28 : 16:56:53

If there is a web front end connected to this database, SQL injection is possible. You can trace that in web server logs. I am only familiar with IIS personally.

mrdougman
Starting Member
3 Posts
Posted - 2008-02-28 : 17:37:36

I checked all the web server logs, no luck. I am running Profiler 24/7, so the next time a table gets created, hopefully I can tell where it's coming from.
Doug

g10c
Starting Member
2 Posts
Posted - 2008-03-26 : 21:56:53

I can confirm that this is the result of an attacker. I am a security analyst and we have seen this recently. As-of-yet unidentified attackers seem to be using that table as part of an automated scanning technique to inject and execute commands on SQL servers. Your IIS logs are probably filled with char(114) and similar, where 114 can be any number that is converted to ASCII by SQL Server. If you search your IIS logs for "char(" or similar you are very likely to find hits. It's possible they have already deleted your IIS logs, but we have not typically seen cleanup from these attackers, so it is unlikely. Let me know if you find the encoded IIS logs. I wrote a Perl script that can decode them so you can make sense of what happened.

tripodal
Constraint Violating Yak Guru
259 Posts
Posted - 2008-03-28 : 14:28:53

g10c, is the script available somewhere? I hope I never need it still...

g10c
Starting Member
2 Posts
Posted - 2008-03-28 : 15:16:13

I've pasted it in below. I hope you don't need it too, but I do hope it's helpful if you do. The Perl snippet is pasted below. It's crude, but it works mostly. Some minor tweaking to the regex may prove useful if you find variations on the encoding. Good luck.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# IIS log lines (already grepped for "char(") to decode.
my $data_file = "bchar_sql_attack_strings_5.16.log";
open(my $dat, '<', $data_file) or die("Could not open file $data_file: $!");

while (my $line = <$dat>) {
    # In a URL query string '+' means space; do this before %XX decoding
    # so that an encoded %2B survives as a literal '+'.
    $line =~ s/\+/ /g;
    # Decode each %XX escape to the byte it stands for.
    $line =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    # Collapse char(NN) calls, with any '+' or space joining them,
    # into the ASCII characters SQL Server would concatenate.
    $line =~ s/\s*char\((\d+)\)\+?/chr($1)/egi;
    print $line;
}
close($dat);
```

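The decoding step g10c describes, as an added example in Python rather than the thread's Perl (this is not the script from the post): it URL-decodes the cs-uri-query field of constructed IIS W3C log lines, collapses runs of char(NN) into the text SQL Server would build from them, and reports which lines carried such a sequence. The log lines, field order and query strings are constructed for the example; it also goes slightly beyond the Perl snippet by catching the URL-encoded form char%28.

```python
import re
from urllib.parse import unquote_plus

# A run of char(NN) calls joined by '+' (SQL concatenation) or by the space
# that a URL '+' turns into after decoding.
CHAR_RUN = re.compile(r"char\(\d+\)(?:\s*\+?\s*char\(\d+\))*", re.IGNORECASE)
# Scan trigger: "char(" either literal or with a URL-encoded parenthesis.
CHAR_TRIGGER = re.compile(r"char(?:\(|%28)", re.IGNORECASE)

# Constructed IIS 6 W3C log excerpt (not real log data); with the default
# field order, cs-uri-query is the sixth column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2008-02-27 12:30:01 10.0.0.5 GET /products.asp id=42 80 - 192.0.2.10 200
2008-02-27 12:30:07 10.0.0.5 GET /products.asp id=42;select+char(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)-- 80 - 192.0.2.10 500
2008-02-27 12:30:09 10.0.0.5 GET /products.asp id=42+CHAR%28116%29%2BCHAR%28101%29 80 - 192.0.2.10 500
""".splitlines()


def _collapse(match):
    """Turn one char(116)+char(101)... run into the string it builds."""
    codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
    # SQL Server's char() only covers 0-255; anything else is shown as '?'.
    return "".join(chr(c) if c < 256 else "?" for c in codes)


def decode_request(query):
    """Undo URL encoding ('+' and %XX), then resolve char(NN) runs."""
    return CHAR_RUN.sub(_collapse, unquote_plus(query))


def scan_iis_log(lines):
    """Return (line number, decoded cs-uri-query) for each request line whose
    query string contains a char( sequence; '#' header lines are skipped."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        query = fields[5]
        if CHAR_TRIGGER.search(query):
            hits.append((lineno, decode_request(query)))
    return hits


if __name__ == "__main__":
    for lineno, decoded in scan_iis_log(SAMPLE_LOG):
        print(f"line {lineno}: {decoded}")
```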