
Possible Duplicate:
My server’s been hacked EMERGENCY

I have a compromised machine that is attempting several hundred connections a minute to log into other MSSQL machines around the world. Event Viewer is showing hundreds of Event ID 18456 errors. It's probably the network service process doing this; the error is below:

Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: XXX.XXX.XXX.XXX]

My machine is trying to log into other machines. I've previously found a system.exe which notes "Running Multi-Thread SQLck v1.0.00 Beta9_1 - written in only socket commands". It used a .dic file of passwords to brute force the SA password of other machines. I've removed that file from the system, but I believe there's another copy in use.

I can't establish what process within MSSQL is firing this process, and how I can stop it.

How can I stop MSSQL trying to log into things without my say-so? There may be servers it needs to log into (known hosts), but not these Chinese/Brazilian servers.

Edit: tl;dr: my machine is being used to brute force other servers. How do I stop it?

grr_arg
    Is the `CLIENT` IP that you've redacted your server's IP, or a remote system? Seems like they're trying to log into your database server, not the other way around; tcp 1433 accessible to the internet is a bad situation. – Shane Madden Nov 09 '11 at 23:16
  • Sorry, yes, the compromised machine is being used as a bruteforce machine, attacking other machines. I want to work out how to stop it. – grr_arg Nov 09 '11 at 23:22
    I'll go with "nuke it from orbit and restore to a non-compromised backup". See http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – Shane Madden Nov 09 '11 at 23:26
  • As much as I like blowing things up, this isn't an option. – grr_arg Nov 09 '11 at 23:31
  • @grr_arg This **is** the option. The only option. – mailq Nov 09 '11 at 23:36

1 Answer


It's not necessarily SQL Server spawning the login attempts. Any computer with the SQL Server ODBC drivers or client connectivity components can make a connection to a SQL Server. I would run Microsoft Network Monitor on the server, start a capture, find the login attempts, and look at the process responsible for those attempts in the capture (Microsoft Network Monitor lists the processes involved for all connections).

joeqwerty
  • It's only showing as "sqlserver.exe" or "System" as the process. I know that it's within sqlserver.exe. It'd be nice if I could find where on the system it's calling SQL Server to do its dirty work. Can I use sp_who or similar? – grr_arg Nov 10 '11 at 03:34
  • sp_who or sp_who2 will show you connections to your SQL Server but won't show you connections from your SQL Server. – joeqwerty Nov 10 '11 at 04:12
  • So, there's no tool to show connections from SQL Server? – grr_arg Nov 10 '11 at 05:02
  • No tool specific to SQL Server that I'm aware of. I would take a look at the configuration of SQL Server. Are there any Linked Servers configured? Is any type of replication configured? Are there any jobs or maintenance plans configured? Anything that might trigger SQL to make outbound connections. – joeqwerty Nov 10 '11 at 11:18
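An added example (not code from the question or the answer) that automates the triage suggested in this thread: it correlates outbound connections to remote port 1433 with their owning process, then queries the local instance for the linked servers, Agent job steps and engine options that can make SQL Server open connections on its own. It assumes Windows 8/Server 2012 or later (for `Get-NetTCPConnection`), a local default instance reachable with Windows authentication, and the instance name is a placeholder.

```powershell
# Added triage script (assumed environment: Windows 8/2012+, local default instance, Windows auth).
$Instance = 'localhost'   # placeholder: replace with the compromised instance name

# 1. Which local process owns the outbound connections to remote port 1433?
#    SynSent catches half-open attempts against hosts that never answer.
Write-Host "== Outbound connections to tcp/1433 =="
Get-NetTCPConnection -RemotePort 1433 -State SynSent,Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = $_.RemoteAddress
            State   = $_.State
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path      # empty for 'System' (PID 4); non-empty paths are the lead to follow
        }
    } | Group-Object Process, Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Inside the engine: everything that can legitimately cause outbound connections.
$queries = [ordered]@{
    'Linked servers (sys.servers)' =
        "SELECT name, data_source, provider FROM sys.servers WHERE is_linked = 1;"
    'Agent job steps running commands or ad hoc queries' =
        "SELECT j.name, j.enabled, s.subsystem, LEFT(s.command, 120) AS command
         FROM msdb.dbo.sysjobs j JOIN msdb.dbo.sysjobsteps s ON j.job_id = s.job_id
         WHERE s.subsystem IN ('CmdExec','PowerShell')
            OR s.command LIKE '%xp_cmdshell%' OR s.command LIKE '%OPENROWSET%';"
    'Risky engine options (should be 0 unless you need them)' =
        "SELECT name, value_in_use FROM sys.configurations
         WHERE name IN ('xp_cmdshell','Ole Automation Procedures','Ad Hoc Distributed Queries');"
}

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
$conn.Open()
try {
    foreach ($title in $queries.Keys) {
        Write-Host "== $title =="
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $queries[$title]
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            (0..($rdr.FieldCount - 1) | ForEach-Object { "$($rdr.GetName($_))=$($rdr.GetValue($_))" }) -join '  '
        }
        $rdr.Close()
    }
} finally { $conn.Close() }
```

Run it elevated on the affected host; a job step, linked server or enabled `xp_cmdshell` you do not recognise, or an owning process path outside the SQL Server install tree, is the artifact to preserve before the machine is rebuilt from a clean backup as the comments advise.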