Server Hacked

  • Someone logged into the system, created a new login with SA privilege and created many jobs.

    bat.exe

    dbdotas

    cook.exe

    regs.exe

    macs.exe

    dbdotas2

    kugou2010

    sc.exe

    Hanako

    regsa.exe

    ftpbacks.exe

    install.exe

    javas.exe

    task.exe

    pdoors.exe

    kils.exe

    :angry:

    How can this happen? They might have got the 'sa' password. Is there a way to track and find who did this?

  • Check the default trace if it wasn't disabled, but if they did it as SA, all you will get is that SA did it from computer X; the trace may also have rolled over, as it only stores so much info before removing it.

    I would recommend an audit of your SA account: change it to a complex password, limit who has sysadmin rights, limit access to server-wide roles, etc.
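The default-trace check described above, as an added worked example (not code from the thread). It assumes SQL Server 2005 or later, ALTER TRACE or sysadmin permission, and that the rolled-over trace files (log_N.trc, by default up to five files of 20 MB each) are still on disk. If the intruder turned the trace off, the first query returns 0, sys.traces has no default row, and the most useful record is the 'Audit Server Alter Trace Event' row in the older files, which shows who disabled it and from where.

```sql
-- Added example, not from the original thread: read the default trace for the
-- events an intruder leaves behind when creating logins, granting sysadmin,
-- creating Agent jobs and switching the trace off.

-- 1. Is the default trace still on? value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'default trace enabled';

-- 2. Locate the current trace file and derive the base file name (log.trc).
--    fn_trace_gettable(<base file>, DEFAULT) reads that file and every rollover
--    file (log_1.trc, log_2.trc, ...) that still exists. Pointing it at the
--    current log_N.trc only reads from N onward, so older events are missed.
DECLARE @current nvarchar(260), @base nvarchar(260);
SELECT @current = [path] FROM sys.traces WHERE is_default = 1;

IF @current IS NULL
    RAISERROR('Default trace is not running; check older log_N.trc files in the LOG folder by hand.', 16, 1);
ELSE
BEGIN
    -- keep everything up to and including the last backslash, then append log.trc
    SET @base = LEFT(@current, LEN(@current) - CHARINDEX('\', REVERSE(@current)) + 1) + N'log.trc';

    -- 3. Security-relevant events, oldest first.
    SELECT  t.StartTime,
            e.name            AS event_name,
            t.LoginName,                    -- who; for 'sa' this is all you get
            t.HostName,                     -- machine the connection came from
            t.ApplicationName,              -- SSMS, sqlcmd, osql, custom tool ...
            t.DatabaseName,
            t.ObjectName,                   -- object created/altered (jobs live in msdb)
            t.TargetLoginName,              -- login that was created / altered
            t.RoleName                      -- server role the login was added to
    FROM    sys.fn_trace_gettable(@base, DEFAULT) AS t
    JOIN    sys.trace_events AS e ON e.trace_event_id = t.EventClass
    WHERE   e.name IN ('Audit Addlogin Event',
                       'Audit Login Change Password Event',
                       'Audit Add Login to Server Role Event',
                       'Audit Server Alter Trace Event',    -- trace switched off/on
                       'Object:Created',
                       'Object:Altered')
    ORDER BY t.StartTime;
END;
```

Match the HostName and ApplicationName columns against machines and tools you recognise; an unfamiliar host name or a generic client such as osql/sqlcmd from a workstation that never talks to this server is the lead worth chasing in firewall and VPN logs, since the LoginName column alone will only say 'sa'.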

  • anthony.green (11/23/2015)


    Check the default trace if it wasn't disabled, but if they did it as SA, all you will get is that SA did it from computer X; the trace may also have rolled over, as it only stores so much info before removing it.

    I would recommend an audit of your SA account: change it to a complex password, limit who has sysadmin rights, limit access to server-wide roles, etc.

    Thanks Mate.

    Already made the changes you mentioned. Seems like they have disabled the trace, and I'm not able to find any previous file either.

    One of the jobs was running the code below as CmdExec:

    cd c:\Progra~1\shengda&for %a in (*.exe) do start %a

    Any idea on what exactly this is?
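What the posted job step does is plain cmd.exe syntax: `cd c:\Progra~1\shengda` changes into that folder (the 8.3 short name of "Program Files"), `&` runs the next command regardless of whether the cd succeeded, and `for %a in (*.exe) do start %a` launches every executable found there. Run as a CmdExec step, that happens under the SQL Server Agent service account (or the step's proxy) on a schedule, which is why the dropped files in the first post keep coming back. The triage below is an added example (not code from the thread) for finding every job that can escape from T-SQL like this; it assumes SQL Server 2005 or later and rights to read msdb.

```sql
-- Added example, not from the original thread: enumerate SQL Agent jobs that
-- can run operating-system commands, when they ran, as whom, and the server
-- settings that make it possible.

-- 1. Job steps that break out of T-SQL. CmdExec runs a command line; PowerShell
--    and ActiveScripting are equivalent escape hatches. T-SQL steps that call
--    xp_cmdshell, build a string and exec() it, or use OPENROWSET are flagged too.
SELECT  j.name                    AS job_name,
        j.date_created,
        SUSER_SNAME(j.owner_sid)  AS owner_login,
        j.enabled,
        s.step_id,
        s.subsystem,
        s.command,
        s.last_run_date,
        s.last_run_time
FROM    msdb.dbo.sysjobs     AS j
JOIN    msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE   s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR   s.command LIKE '%xp_cmdshell%'
   OR   s.command LIKE '%exec(%'
   OR   s.command LIKE '%OPENROWSET%'
ORDER BY j.date_created DESC;          -- newest jobs first

-- 2. Run history of recently created jobs: establishes when the intrusion
--    started firing, which bounds the window for the rest of the investigation.
SELECT  j.name, h.run_date, h.run_time, h.step_id, h.run_status, h.message
FROM    msdb.dbo.sysjobhistory AS h
JOIN    msdb.dbo.sysjobs       AS j ON j.job_id = h.job_id
WHERE   j.date_created > DATEADD(day, -30, GETDATE())   -- widen if the trace is gone
ORDER BY h.run_date DESC, h.run_time DESC;

-- 3. Which Windows identity a non-T-SQL step runs as. proxy_id NULL means the
--    SQL Server Agent service account itself, which is frequently a local admin.
SELECT    j.name, s.step_id, s.subsystem,
          p.name               AS proxy_name,
          c.credential_identity
FROM      msdb.dbo.sysjobsteps AS s
JOIN      msdb.dbo.sysjobs     AS j ON j.job_id = s.job_id
LEFT JOIN msdb.dbo.sysproxies  AS p ON p.proxy_id = s.proxy_id
LEFT JOIN sys.credentials      AS c ON c.credential_id = p.credential_id
WHERE     s.subsystem <> 'TSQL';

-- 4. Instance settings that enable command execution from T-SQL.
--    'Agent XPs' must be 1 for Agent to work; the rest should normally be 0.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Agent XPs', 'Ole Automation Procedures',
                'Ad Hoc Distributed Queries', 'default trace enabled');
```

Save the output of these queries (and a copy of msdb) before anyone deletes the jobs; the job names, step text and run history are the evidence you will want if this goes to your security team or an insurer, and msdb is overwritten the moment the server is rebuilt.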

  • I'd honestly recommend reinstalling the server. If those executables have been added, it suggests that whoever got access did so at the Windows level. You have no idea if there are back doors installed, malware, keyloggers, etc. Best just to reinstall Windows entirely.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Thanks Gail. Even I feel the same.

    Found this code in one of the jobs

    declare @a varchar(8000);

    set @a;exec(@a);

  • Not touching that with a bargepole (and please can you edit your post in case someone tries to run whatever that is?)

    Wipe that machine and get your IT security people to do a full review of the entire network.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
  • Was SQL put in single-user mode before this? If so, maybe someone got Server Admin rights and just added themselves as a SQL Administrator.

  • Best practice:

    Rename the sa account.

    Disable the login.

    Just as you would on a Windows server, rename the built-in local administrator account.

    _________________________________________________________________

    "The problem with internet quotes is that you can't always depend on their accuracy" -Abraham Lincoln, 1864
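The sa audit and lock-down recommended earlier in the thread (complex password, limit sysadmin membership) and the rename-and-disable advice just above, as one added worked example; it is not code from the thread. The login names and passwords are placeholders, ALTER SERVER ROLE needs SQL Server 2012 or later (use sp_addsrvrolemember / sp_dropsrvrolemember on older versions), and the DROP steps are left commented out so the script can be read against a live instance without changing it.

```sql
-- Added example, not from the original thread: audit sysadmin membership,
-- then rename and disable sa after creating a replacement admin login.

-- 1. Every row here is a full-control account on the instance.
SELECT  m.name        AS member_login,
        m.type_desc,
        m.is_disabled,
        m.create_date,
        m.modify_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY m.create_date DESC;        -- newest first: a planted login floats to the top

-- 2. Logins created or changed recently, whatever their role.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM   sys.server_principals
WHERE  type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND  modify_date > DATEADD(day, -30, GETDATE());

-- 3. Remove the intruder's login (placeholder name). Kill its sessions first
--    or DROP LOGIN fails because the login is still connected.
-- ALTER SERVER ROLE sysadmin DROP MEMBER [intruder_login];
-- DROP LOGIN [intruder_login];

-- 4. Create a named replacement admin BEFORE touching sa, or you lock yourself
--    out. CHECK_POLICY = ON enforces the Windows password complexity policy.
CREATE LOGIN [sqladmin_ops]
    WITH PASSWORD = N'<long random passphrase, placeholder>', CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER [sqladmin_ops];

-- 5. sa: new complex password, then rename, then disable. Renaming keeps the
--    well-known SID 0x01, so tools that look for sa by SID still find it;
--    disabling is what actually stops it being used.
ALTER LOGIN [sa] WITH PASSWORD = N'<another long random passphrase, placeholder>';
ALTER LOGIN [sa] WITH NAME = [sa_disabled_2015];
ALTER LOGIN [sa_disabled_2015] DISABLE;

-- 6. Put the default trace back on and xp_cmdshell off (both advanced options).
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'default trace enabled', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;

-- 7. Verify: the account with SID 0x01 is sa whatever it is now called.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
```

None of this rescues the box itself; as the replies above say, the Windows install is gone. It is the checklist for the rebuilt instance and for every other SQL Server that shares the old sa password, which is the first thing the intruder will try next.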

  • I would go a bit beyond a reinstall of Windows and SQL Server; at the least, do low-level formats of your hard drives and delete partitions. If possible, I would also junk the hard drives and replace them: it is possible to insert malware into the partition table that will survive a reformat.

    There's also been malware found in BIOS, so upgrading/reimaging the BIOS might be a good idea.

    Malware has gotten so pernicious that I think we're not far from the point where, if a system gets infected, the standard response will be to reformat and physically destroy the disks before junking them, then replace the server. I haven't heard of malware being inserted into RAM chips or CPUs, but it seems like just about everything else can be infected with persistent crap.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • GilaMonster (11/23/2015)


    Not touching that with a bargepole (and please can you edit your post in case someone tries to run whatever that is?)

    Wipe that machine and get your IT security people to do a full review of the entire network.

    Absolutely - definitely look through the entire network now, particularly for command and control communications, and keep looking for a few weeks.

    "Wipe" may vary between a normal three or seven pass complete disk sanitization and physical shredding of the disk, possibly after having a security consultant take a forensic image. Regardless, the fastest thing to do is pull the drives, lock them up, and start over immediately with fresh drives. The current Windows install is nonrecoverable.

  • Hi,

    Just change the password of the sa account from "sa" to any complex password.
