Friday, February 24, 2012

Help me stop the hacker...

Hi everyone,
Well, I was hacked 5 days ago. This what I found so far:
1.- Possible hacker entrance (almost confirmed) through MSSQL using a brute force
attack, and a weak password on my side for SA (no comments please).
2.- Hacker copied some files to \System Volume Information\mstemp.tmp\_tmp.
A scanner svhost.exe, a speed tester named sc5m.exe or speed.exe and a
pskill.exe to kill these processes.
3.- My server is behind a FW, but MSSQL port 1433 was still open (now closed).
4.- Even though I changed all my SA and admin passwords, he managed to copy
the same files to: c:\system volume information\mstemp\_tmp.
5.- The hacking seemed to have stopped since I closed the SQL port on the
FW.
Interesting facts:
Every time the hacker executed svhost or sc5m, he was under NT
Authority\System (MSSQL runs under that, but not for long!). The timeline
was the following:
0.- Logged on to MS SQL.
1.- Process 3368* created a new process, 2520, which was CMD.exe
2.- Process 2520 (CMD) created a new process, 3120, which was \System Volume
Information\mstemp.tmp\_tmp\svhost_light.exe
3.- Process 3120 exits.
4.- Process 2520 (CMD) created a new process, 4275, which was \System Volume
Information\mstemp.tmp\_tmp\speed test\speed.exe
5.- Process 4275 exits.
6.- So on, etc, etc.
*A very interesting fact: Process 3368 doesn't exist!! I checked all logs,
and this process was never created or destroyed.
Now, how can we stop this BAMF? Should I reinstall SQL? What about process
3368 (this is what bothers me most)?
Any ideas are welcome!
PS : X-posted to win2000.security
Thanks all!
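The timeline above is a process tree recovered from process-creation auditing, and the two things that matter in it are (a) a cmd.exe running as NT AUTHORITY\SYSTEM whose parent has no creation record of its own, and (b) executables launched from under \System Volume Information. The script below is an added example, not part of the original thread or of any Microsoft tool: it parses a simplified, constructed pipe-delimited log (not real Windows event-log output), rebuilds each process's ancestry, and flags both patterns. The PIDs follow the post; the parent PID 3368 is deliberately given no "created" record, which is what you see when the parent was already running before auditing started (a service, for instance). Timestamps, image paths and the notepad.exe control entry are assumptions for the sample.

```python
"""Rebuild a process tree from process-creation audit records and flag
the pattern from the post: cmd.exe as SYSTEM under a parent that never
appears in the log, and images executed from \System Volume Information.
Added example; log format and sample data are constructed, not real
Windows event-log output."""

import re

# Constructed sample: time|event|pid|ppid|image|user.  PID 3368 has no
# "created" line of its own, mirroring the post.  The notepad.exe entry is
# a benign control: its parent is also absent, but it is not cmd.exe as SYSTEM.
SAMPLE_LOG = """\
2012-02-19 03:12:01|created|2520|3368|C:\\WINNT\\system32\\cmd.exe|NT AUTHORITY\\SYSTEM
2012-02-19 03:12:02|created|3120|2520|C:\\System Volume Information\\mstemp.tmp\\_tmp\\svhost_light.exe|NT AUTHORITY\\SYSTEM
2012-02-19 03:14:40|exited|3120|||
2012-02-19 03:14:41|created|4275|2520|C:\\System Volume Information\\mstemp.tmp\\_tmp\\speed test\\speed.exe|NT AUTHORITY\\SYSTEM
2012-02-19 03:16:03|exited|4275|||
2012-02-19 03:20:00|created|4300|1900|C:\\WINNT\\system32\\notepad.exe|SERVER\\admin
"""

SVI_PATH = re.compile(r"\\system volume information\\", re.IGNORECASE)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def parse_log(text):
    """Return {pid: record} for every 'created' line; 'exited' lines only
    fill in the end time of an already-seen process."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, pid, ppid, image, user = line.split("|")
        pid = int(pid)
        if event == "created":
            procs[pid] = {"pid": pid, "ppid": int(ppid), "image": image,
                          "user": user, "start": ts, "end": None}
        elif event == "exited" and pid in procs:
            procs[pid]["end"] = ts
    return procs


def orphan_parents(procs):
    """Parent PIDs with no creation record of their own: typically processes
    that were already running when auditing began (services, logon shells)."""
    return {p["ppid"] for p in procs.values() if p["ppid"] not in procs}


def ancestry(procs, pid):
    """Walk pid -> parent -> ... until the chain leaves the log.  The last
    element is the first ancestor that has no creation record."""
    chain = [pid]
    while pid in procs:
        pid = procs[pid]["ppid"]
        chain.append(pid)
    return chain


def find_suspicious(procs):
    """Flag processes matching either pattern from the post and attach the
    full ancestry so the analyst sees which unlogged parent started it."""
    orphans = orphan_parents(procs)
    findings = []
    for p in procs.values():
        name = p["image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if SVI_PATH.search(p["image"]):
            reasons.append("image executed from System Volume Information")
        if name == "cmd.exe" and p["user"] == SYSTEM_USER and p["ppid"] in orphans:
            reasons.append("cmd.exe as SYSTEM spawned by a parent with no creation record")
        if reasons:
            findings.append({"pid": p["pid"], "image": p["image"],
                             "chain": ancestry(procs, p["pid"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    procs = parse_log(SAMPLE_LOG)
    print("parents absent from the log:", sorted(orphan_parents(procs)))
    for f in find_suspicious(procs):
        print(f["pid"], "<-".join(str(x) for x in f["chain"]), f["image"])
        for r in f["reasons"]:
            print("   ", r)
```

Note that the notepad.exe entry also has a parent missing from the log and is not flagged: an unlogged parent on its own is normal, and it is the combination with cmd.exe running as SYSTEM that is worth chasing. To identify what PID 3368 actually was you need a source that predates the audit window (a process list taken at the time, or the service's own start record), which is why the chain stops there rather than guessing.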
A. You know the machine has been hacked, but you may not be able to uncover
all the processes, etc. the hacker left behind.
I would recommend rebuilding the machine (OS), not just re-installing SQL.
Good Information can be found here on this topic.
http://www.cert.org/tech_tips/win-U...compromise.html
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Agustin,
I noticed a similar problem about a week and a half ago. It looks like
the hackers may have come in through Veritas Backup Exec. Curiously
enough, my disk space usage has pegged through the roof. The box that
was hacked has 2.2 TB of drive space, of which 1.6 TB is being used
legitimately. However, Windows reports that all but 60 GB of space are
used, but I can't find the additional used space anywhere. The only
clue I have I found on a whim. I ran Disk Defragmenter to see if
anything would show up, and looked at the report. Sure enough, several
files are listed under the System Volume Information\~tmp\... area.
After resetting permissions on this system folder so that I could peek,
I expected to find files and folders, but nothing was there. So, I'm
stumped. If you happen to hear back from anyone, will you please post
to this newsgroup?
Thanks,
GW
