Help me stop the hacker...

From: Agustin Chernitsky (agustinchernitskyNOSPAM_at_hotmail.com)
Date: 01/28/04

• Next message: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Previous message: Kevin McDonnell [MSFT]: "RE: Permission to start/stop logreader and distribution agent"
• Next in thread: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Reply: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 27 Jan 2004 20:30:27 -0300

Hi everyone,
Well, I was hacked 5 days ago. This what I found so far:

1.- Possible hacker entrance (almost confirmed) thru MSSQL using brute force
attack, and a weak password on my side for SA (no comments please).
2.- Hacker copied some files to \System Volume Information\mstemp.tmp\_tmp.
A scanner svhost.exe, a speed tester named sc5m.exe or speed.exe and a
pskill.exe to kill these processes.
3.- My server is behind a FW, still MSSQL ports 1433 is open (now closed).
4.- Even though I changed all my SA and admins passwords, he manages to copy
the same files to: c:\system volume information\mstemp\_tmp.
5.- The hacking seemed to have stopped since I closed the SQL port on the
FW.

Interesting facts:

Every time the hacker executed svhost or sc5m, he was under NT
Authority\System (MSSQL runs under that, but not for long!). The timeline
was the following:

0.- Logged on to MS SQL.
1.- Process 3368* created a new process, 2520, which was CMD. exe
2.- Process 2520 (CMD) created a new process, 3120, which was \System Volume
Information\mstemp.tmp\_tmp\svhost_light.exe
3.- Process 3120 exits.
4.- Process 2520 (CMD) created a new process, 4275, which was \System Volume
Information\mstemp.tmp\_tmp\speed test\speed.exe
5.- Process 4275 exits.
6.- So on, etc, etc.

*A very interesting fact: Process 3368 doesn't exist!! I checked all logs,
and this process was never created or destroyed.

Now, how can we stop this BAMF? Should I reinstall SQL? What about process
3368 (this is what bothers me most)???

Any ideas are welcome!

PS : X-posted to win2000.security

Thanks all!

A.

• Next message: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Previous message: Kevin McDonnell [MSFT]: "RE: Permission to start/stop logreader and distribution agent"
• Next in thread: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Reply: Kevin McDonnell [MSFT]: "RE: Help me stop the hacker..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Help me stop the hacker... ... 1.- Possible hacker entrance thru MSSQL using brute force ... 3.- My server is behind a FW, still MSSQL ports 1433 is open. ... 0.- Logged on to MS SQL. ... 3.- Process 3120 exits. ... (microsoft.public.win2000.security) RE: Invalid cursor state when using PRINT in MSSQL ... The server and all the SP's I am running this on is MSSQL and not Sybase. ... MS SQL Server help also mentions that you have to call SQLError right after ... (perl.dbi.users) Re: solved mySQL to MSSQL partially now i need a quick TSQL solution to solve the end part ( is ther ... > It is me again the guy that wanted to import a MYSQL dump file into MSSQL ... > change from MYSQL to SQL wich Microsoft`s SQL server seems to understand ... (microsoft.public.sqlserver.programming) Re: empty values in INSERT INTO statement ... The point is that if you don't make it difficult for a hacker, ... he will realize that sql injection is not going to work ... > values for possible SQL injection is pointless. ... Bob Barrows ... (microsoft.public.inetserver.asp.db) Re: How to connect to MSSQL server from HP-UX environment ... connection to MSSQL on WINDOWS platform ... Uncle Sam ... is it possible to connect to MSSQL server by executing ... HP won't have any native capability to connect to MS SQL. ... (comp.databases.ms-sqlserver)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint