help - i think somebody is 'hacking' our server

  • hello -

    during the weekend there are spooky things going on on our server (sql 2000 SP1); the db-size of our production-db has increased by min. 500 MB and it is still increasing!

    i cannot detect the source of this.

    is there a script i can run to see which tables are increasing by which period of time?

    secondly i catch sql-queries like

    'select xtype, xusertype, type, name from [our_db].dbo.systypes where xusertype > 256 order by xtype'

    what's going on?

    our procedures are being called randomly as it seems - even those which are not being used by our application.

    i think i'm just losing my head ....

    any idea what to do first now?

    thanks for a quick answer!!!!

    g.

  • Hey,

    First off, I'd run Performance Monitor. Capture all transactions for that Database. You can filter using DBID (Look that up in Sysdatabases in the master db).

    All of the transactions will display the SPID which you can look up in EM to determine who exactly is logged in and performing the transactions.

    I'd start from there.

    Clive Strong

    clivestrong@btinternet.com
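    A T-SQL script for g.'s question about which tables are growing over time, plus the SPID-to-host/login lookup Clive describes, written against the SQL Server 2000 system tables. This is an added example, not code from any poster in this thread; dbo.TableSizeLog is an assumed table name and [our_db] is the placeholder database name from the first post.

```sql
-- Added example, not code from any poster: snapshot per-table size in
-- SQL Server 2000 so growth between runs can be compared, then list the
-- sessions connected to the database. dbo.TableSizeLog is an assumed name;
-- [our_db] is the placeholder database name from the original post.
USE [our_db]
GO
IF OBJECT_ID('dbo.TableSizeLog') IS NULL
    CREATE TABLE dbo.TableSizeLog (
        sampled_at  datetime NOT NULL DEFAULT GETDATE(),
        table_name  sysname  NOT NULL,
        row_count   int      NOT NULL,
        reserved_kb int      NOT NULL
    )
GO
-- One row per user table from sysindexes: indid 0 = heap, 1 = clustered
-- index; reserved is counted in 8 KB pages. Run this each sampling period.
INSERT dbo.TableSizeLog (table_name, row_count, reserved_kb)
SELECT  o.name, i.rows, i.reserved * 8
FROM    sysobjects o
JOIN    sysindexes i ON i.id = o.id
WHERE   o.xtype = 'U' AND i.indid IN (0, 1)
GO
-- Growth of each table between its two most recent snapshots, biggest first.
SELECT  cur.table_name,
        cur.reserved_kb - prev.reserved_kb AS growth_kb,
        cur.row_count   - prev.row_count   AS growth_rows,
        prev.sampled_at AS from_time,
        cur.sampled_at  AS to_time
FROM    dbo.TableSizeLog cur
JOIN    dbo.TableSizeLog prev
  ON    prev.table_name = cur.table_name
  AND   prev.sampled_at = (SELECT MAX(p2.sampled_at) FROM dbo.TableSizeLog p2
                           WHERE p2.table_name = cur.table_name
                             AND p2.sampled_at < cur.sampled_at)
WHERE   cur.sampled_at = (SELECT MAX(sampled_at) FROM dbo.TableSizeLog)
ORDER BY growth_kb DESC
GO
-- Who is connected to this database right now: the SPID, the host and
-- program it came from, and the login, resolved via sysdatabases.dbid.
SELECT  p.spid, p.hostname, p.program_name, p.loginame, p.net_address,
        p.login_time, p.last_batch, p.status
FROM    master..sysprocesses p
JOIN    master..sysdatabases d ON d.dbid = p.dbid
WHERE   d.name = DB_NAME()
ORDER BY p.login_time
GO
```

    Schedule the INSERT batch as a job (e.g. every 15 minutes over the weekend) so the growth report has something to compare; the session list tells you which host and program a given SPID belongs to without opening EM.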

  • Sorry...It's one of those Monday mornings...

    Don't use Performance Monitor...Use Profiler!!! My mistake!

    Clive Strong

    clivestrong@btinternet.com

  • hi again - and thanks for the replies!

    the connection is coming in via one of our two webservers. i cannot make out more than that unfortunately.

    g.

  • my first question would be, is your SA password blank? if so, there's a virus on the prowl

    If not, an intrusion detection system might help. Check out an IDS at http://www.snort.org

    HTH

  • Nazim is dead on.

    Also, at this point you need to get the situation quarantined.

    An IDS system would be a great benefit to put into place, but this requires a lot of configuration time that you don't have right now. You need to act fast to get the problem corrected; if that means taking the site down completely, that's probably much better than having your data exploited. You should take the one web server offline to see if the connections settle down. Does your SQL Server have an outside connection or is it only accessible by the web servers? If it does have an outside connection, run a "netstat -n" to see what IP addresses are connecting to it besides your web servers. Set up a quick software firewall on the DB server if you don't have a hardware firewall, etc. If it doesn't have an outside connection then your webserver has probably been compromised and someone is using it to attack your DB Server. Did you have all the latest security patches for your web servers (100 or so it seems if they are IIS web servers)? Quarantine any infected boxes and then get the site back up and running with secure, patched servers.

    Basically do whatever it takes.

    Let us know if you have more questions.

  • And please follow up here. I (and others) are curious to find out what is happening.

    Steve Jones

    steve@dkranch.net
