
My server was hacked with the Mirai botnet. We cleaned the system, disabled the Server Agent completely, and the system is stable and clean BUT...

If I re-open that SQL Server PC to the internet (port 1433), it gets reinfected.

I experimented with all the logins and found out that if I leave the "BUILTIN\Administrators" login, that's what makes the botnet reinfect it.

The client which infects me is called "Microl Office". It originates from various presumably hacked PCs, and the strange thing is that it authenticates as "NT AUTHORITY\ANONYMOUS LOGON"...

I deleted the model and msdb databases and recopied the ones in template in order to clean the server; still the same thing happens if I leave the BUILTIN\Administrators login. So I guess that botnet added the ANONYMOUS LOGON to the administrators group?

I reinstalled another instance and a different version and still the same thing happens, so it's not an SQL issue I think.

Login succeeded for user 'NT AUTHORITY\ANONYMOUS LOGON'. Connection made using Windows authentication. [CLIENT: 138.0.224.232]

Also, if I use BUILTIN\Users instead, it doesn't log in and fails with the error "Token-based server access validation failed with an infrastructure error". So I think once the server was severely infected, the malware somehow added the anonymous logon to the BUILTIN\Administrators group.

Can anyone tell me how I can see all the added users in the administrators group? (And yes, the group has only my user as the admin user when accessed from Computer Management.)

Can anyone please suggest anything in that matter? (Windows Server 2003 R2 and SQL Server Enterprise 2005 + 2008 SP1)

Options I tried:

  • set LSA blockanonymous to 1
  • set allowanonymous to 1
  • disable SID translation
  • check the administrators group from Computer Management

Yes, I know it's an old server. It has been developed for a specific ASP.NET website since 2009, and we tried migrating but it didn't work well, so we have to use it. We expose only RDP and SQL (1433).

Omarico7
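The question asks how to see which accounts SQL Server itself treats as members of BUILTIN\Administrators, as opposed to what Computer Management shows. The following T-SQL, added here as an example and not taken from the question or any comment, is what a defender would run (as sysadmin) on a SQL Server 2005/2008 instance to enumerate server logins, the members of the sysadmin role, the Windows accounts SQL Server resolves for the BUILTIN\Administrators group login, and any principal or permission tied to ANONYMOUS LOGON; the ERRORLOG search at the end uses xp_readerrorlog with its undocumented filter arguments, which is an assumption about the installed build.

```sql
-- 1. Every server-level login: SQL logins, Windows logins and Windows groups.
--    A Windows group login (type G) grants access to every member of that group.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
ORDER BY type_desc, name;

-- 2. Who holds the sysadmin fixed server role, whether directly or through a group login.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. Ask SQL Server (which asks Windows) to expand BUILTIN\Administrators into the
--    accounts it currently considers members. The 'permission path' column shows the
--    group through which each account gets in; unexpected entries here are the
--    accounts that would authenticate through the BUILTIN\Administrators login.
EXEC master.dbo.xp_logininfo @acctname = 'BUILTIN\Administrators', @option = 'members';

-- 4. Any explicit server principal or server permission for ANONYMOUS LOGON.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name LIKE '%ANONYMOUS LOGON%';

SELECT sp.name, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE sp.name LIKE '%ANONYMOUS LOGON%';

-- 5. Successful ANONYMOUS LOGON connections recorded in the current ERRORLOG
--    (log 0, SQL Server log type 1, filtered on the search string).
EXEC master.dbo.xp_readerrorlog 0, 1, N'ANONYMOUS LOGON';
```

If step 3 lists an account that Computer Management does not show, the instance is resolving group membership differently from what the local group editor displays; if step 2 shows the group login holding sysadmin, removing or disabling that group login (and granting named logins instead) closes the path that the log line in the question describes.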
  • Your server OS is just shy of 5 years out of support. Start by getting to a supported OS. – user9517 Jun 07 '20 at 20:41
  • And don't make SQL open to the internet. – mfinni Jun 07 '20 at 20:51
  • I suggest you backup the data (only the data; no configuration) on this system and rebuild and reconfigure it from a wiped hard drive, ideally with a newer OS. It was compromised severely. You cannot trust it. – Slartibartfast Jun 07 '20 at 21:18
  • The built-in Administrator by default. Windows Server 2003 R2 is not considered to be secure. You really should consider upgrading your OS. – Ramhound Jun 07 '20 at 22:30
  • `if i re-open that sql server PC to the internet ( port 1433 ), it gets reinfected` - Ummm... don't do that. – joeqwerty Jun 07 '20 at 23:31
  • Well, this is a production server and can't be migrated because it's running old ASP.NET websites; we tried, trust me. Also, yes, it's not secure, but we don't expose anything except RDP and SQL for clients, that's it. Anyway, is there any possible way I can check who the members of BUILTIN\Administrators are relative to the SQL Server, not the Windows system itself? Also, by the way, a freshly reinstalled Windows Server in VMware doesn't get infected; I tried it. – Omarico7 Jun 08 '20 at 00:31
  • `We don't expose except RDP and SQL` and those are especially dangerous to expose to the Internet... – Esa Jokinen Jun 08 '20 at 03:44
  • Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Jun 12 '20 at 03:21
