RE: Malicious files on the sql server found

SSC Guru

Points: 1003865

April 3, 2014 at 4:28 pm

K. Brian Kelley (4/3/2014)
Then you've been working with the wrong security/networking teams. IDS/IPS is typically monitoring network traffic not running on the host. It'll see the xp_cmdshell going across the network and alert. This isn't new functionality. It's been around for YEARS. Free IDS like Snort have detected it for years.

I get that. My point is that the attack cited on this thread didn't use xp_CmdShell. Having it turned off did nothing to prevent this attack which did everything that one could do with xp_CmdShell.

--Jeff Moden

RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

Change is inevitable... Change for the better is not.

Helpful Links:
How to post code problems
How to Post Performance Problems
Create a Tally Function (fnTally)