Re: sql hacked

From: Hernán Castelo (hcastelo_at_cedi.frba.utn.edu.ar)
Date: 06/29/04

    Date: Tue, 29 Jun 2004 16:58:36 -0300
    
    

    this is a summary of the log files
    please tell me if you recognize
    some entry

    Thanks

    web/ sec
    ------------
    681 on IWAM
    529 on DCOMSCM thru IWAM
    612 policy changed
    514 on LSAsrv.dll, kerberos.dll, schannel, msv1_0:NTLM ...
    518 on RASSFM

    web/ sec
    ------------
    4 IIS stopped
    4156 MSDTC info CM "session idle timeout over, tearing down the session"
    4156 MSDTC client "session idle timeout over, tearing down the session"
    1704 SceCli "policy change applied"
    4097 MSDTC started ...

    web/ sys
    ------------
    36 w3svc can't load /LM/w3SVC/2/Root
    10004 DCOM "overlaped I/O" thru IWAM

    sql /sec log:
    ------------
    529, 680 on sql service account
    515 on rasman
    514 on LSAsrv.dll, kerberos.dll, schannel, msv1_0:NTLM ...

    sql/ sys log:
    ------------
    64 by w32time
    7000 - can't start SCM service control manager
    7001 - sql not available - SqlServerAgent

    sql/ app log
    ------------
    208 - SqlSrvAg can't do backup
    17177 MsSqlSrv not available
    4097 MSDTC SVC not available

    -- 
    Regards,
    Hernán Castelo
    SGA - UTN - FRBA
      "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message news:udrlniRXEHA.2840@TK2MSFTNGP11.phx.gbl...
      hi
      someone has hacked my site
      i have 2 servers :
      web--> IIS 5 / w2k adv Srv IIS lockdown
      sql--> SQL2k / w2k adv Srv
      i found the web srv doing "beeps"
      soon i found it serves html pages
      but doesn't serve asp, with an error like
      "Error in the server application"
      sql srv lost sa password
      and doesn't recognize the local admin
      then i can't access sql applications
      except for that,
      servers appear to work normally
      the web srv log is saying
      that attacked the iwam_
      and many "login misses" under DCOMSCM
      and then, "login hits"
      the sql srv log says
      attacks to sql_server_agent account
      i go now to restore
      my backup and images
      but
      what can i do to prevent the next attack ?
      how can i protect better the site ?
      thanks
      -- 
      Regards,
      Hernán
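
The pattern reported in the original message (many "login misses" followed by "login hits" on one account) can be checked mechanically once the security log is exported. The following is an added example, not part of the original thread: the CSV layout, account names and timestamps are constructed, and event IDs 528/540 (successful logon on Windows 2000) are an assumption, since they do not appear in the summary above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 security event IDs.
FAILURE_IDS = {529, 681}  # 529: unknown user/bad password; 681: failed logon (both in the summary)
SUCCESS_IDS = {528, 540}  # successful logon / network logon (assumed; not in the summary)

# Constructed sample export, one record per line: timestamp,event_id,account
SAMPLE = """\
2004-06-28 02:10:01,529,IWAM_WEB
2004-06-28 02:10:05,529,IWAM_WEB
2004-06-28 02:10:09,681,IWAM_WEB
2004-06-28 02:10:14,529,IWAM_WEB
2004-06-28 02:10:20,529,IWAM_WEB
2004-06-28 02:10:31,529,IWAM_WEB
2004-06-28 02:10:40,540,iwam_web
2004-06-28 08:00:00,529,OPERATOR
2004-06-28 08:00:30,528,OPERATOR
2004-06-28 09:00:00,529,SQLAGENT
"""

def parse(text):
    """Yield (timestamp, event_id, account) tuples from the CSV-style export."""
    for line in text.strip().splitlines():
        ts, event_id, account = (field.strip() for field in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account.upper()

def misses_then_hit(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, failures, success_time) for every successful logon
    preceded by at least `threshold` failures on that account within `window`."""
    recent = defaultdict(list)  # account -> timestamps of recent failures
    findings = []
    for ts, event_id, account in sorted(events):
        # Drop failures that have aged out of the window.
        recent[account] = [t for t in recent[account] if ts - t <= window]
        if event_id in FAILURE_IDS:
            recent[account].append(ts)
        elif event_id in SUCCESS_IDS:
            if len(recent[account]) >= threshold:
                findings.append((account, len(recent[account]), ts))
            recent[account].clear()  # a success resets the streak
    return findings

if __name__ == "__main__":
    for account, failures, when in misses_then_hit(parse(SAMPLE)):
        print(f"{when} {account}: logon succeeded after {failures} failures")
```

A success that follows a burst of failures on a service account such as IWAM is the entry to investigate first; a single mistyped password followed by a success stays below the threshold.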
    
