Surely you're blocking port 1433 inbound and outbound too....
I have discovered a hidden program running on our SBS2000 server hidden in the
e:\recycler\S-1-5-21-12323
connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been
installed in this location,
e:\recycler\S-1-5-21-12323
Has anybody had this, or know of it? I have searched the usual Google, Yahoo, Microsoft, Symantec,
Experts Exchange etc. but no joy. This may just be because the file dates are 8/4/04 and it is too
new to appear.
The only way to see the files & folders is to change the view folder options.
A file, 500.bat contains the following lines:-
@ECHO OFF
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
EXIT
The IP1.txt contains approx 200 IP addresses
1USER.dic contains the SQL username of 'sa'
2PASS.dic contains the password dictionary, very comprehensive
And the output file Results.exe provides the matched IP address, username and SQL sa password
Another file SQLck_Logfile.txt contains all ip addresses, ports and connection results for all of
the attacked systems
The system has also created a new service called winlogon that calls the exe at
e:\recycler\S-1-5-21-12323
And the registry has been affected.
This has been added to our system within the last 7 days, although the server has not been
restarted for 11 days.
I have managed to remove the offending beast by changing the service to manual and restarting the
server.
I have a zip of all the offending files prior to deleting.
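The question above gives three concrete indicators (a service named after a Windows component whose binary runs from a RECYCLER folder, a brute-force batch line with target, user and password files, and a server that is both reachable on and connecting out to port 1433, the point raised in the "blocking port 1433 inbound and outbound" comment). The script below is an added example, not code from the original thread or from the tool discussed; it applies those indicators to constructed sample data. The service list, the netstat lines, the SID in the sample path and the C:\WINNT system root are all assumptions made for the example, not captures from the affected server.

```python
"""Host triage checks built from the indicators described in the post above.

Added example, not code from the original thread. The service list, netstat
lines and batch command below are constructed sample data, not captures from
the affected server; the system root (C:\\WINNT) is an assumption.
"""
import re

SYSTEM_ROOT = r"c:\winnt"  # assumption: Windows 2000 default system root
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "csrss.exe"}
# Per-user Recycle Bin folders are named after the owning SID; an executable
# running from one is never a legitimate Windows system component.
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\s-1-5-21-[\d-]+\\", re.I)


def suspicious_services(services):
    """services: iterable of (service_name, image_path).
    Flags any service whose name or binary imitates a Windows system
    component but whose image does not live under the system root."""
    flagged = []
    for name, image_path in services:
        path = image_path.strip('"').lower()
        binary = path.rsplit("\\", 1)[-1]
        imitates = binary in SYSTEM_BINARIES or name.lower() + ".exe" in SYSTEM_BINARIES
        if imitates and not path.startswith(SYSTEM_ROOT + "\\"):
            why = "runs from a RECYCLER folder" if RECYCLER_RE.match(path) else "outside system root"
            flagged.append((name, image_path, why))
    return flagged


def sql_port_activity(netstat_lines, port=1433):
    """Classify 'netstat -an' style lines: a LISTENING socket on the SQL port
    means this server can be hit by the same kind of brute-forcer; ESTABLISHED
    or SYN_SENT to a remote host's SQL port means this server is the attacker."""
    inbound, outbound = [], []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        _proto, local, remote, state = parts[:4]
        if local.endswith(f":{port}") and state == "LISTENING":
            inbound.append(local)
        elif remote.endswith(f":{port}") and state in ("ESTABLISHED", "SYN_SENT"):
            outbound.append(remote.rsplit(":", 1)[0])
    return {"listening": inbound, "outbound_targets": sorted(set(outbound))}


def parse_sqlck_invocation(batch_line):
    """Recover the attacker's configuration from a command of the shape posted
    in 500.bat: -i targets, -u user dictionary, -p password dictionary,
    -o output, -t timeout. The flag meanings are taken from the posted line."""
    tokens = batch_line.split()
    flags = {"-i": "targets", "-u": "user_dict", "-p": "password_dict",
             "-o": "output", "-t": "timeout"}
    cfg = {"tool": tokens[0] if tokens else None}
    i = 1
    while i < len(tokens):
        if tokens[i] in flags and i + 1 < len(tokens):
            cfg[flags[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return cfg


# --- constructed sample input (not data from the affected server) --------
SAMPLE_SERVICES = [
    ("Eventlog", r"C:\WINNT\system32\services.exe"),
    ("winlogon", r"E:\RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-500\svchost.exe"),
    ("MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING",
    "  TCP    192.168.0.10:3241      10.20.30.40:1433       ESTABLISHED",
    "  TCP    192.168.0.10:3242      10.20.30.41:1433       SYN_SENT",
    "  TCP    192.168.0.10:139       192.168.0.22:1045      ESTABLISHED",
]
SAMPLE_BATCH = "SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60"

if __name__ == "__main__":
    for entry in suspicious_services(SAMPLE_SERVICES):
        print("SUSPICIOUS SERVICE:", entry)
    print("SQL PORT ACTIVITY:", sql_port_activity(SAMPLE_NETSTAT))
    print("TOOL CONFIG:", parse_sqlck_invocation(SAMPLE_BATCH))
```

On a real box the inputs would come from the service control manager (service names and image paths) and from `netstat -an`; the point of the outbound check is that a compromised server brute-forcing other hosts shows up as many half-open or established connections to remote :1433, which a firewall rule blocking 1433 outbound would have stopped.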
The only thing I know of that this should be is Bulletproof FTP (An automated FTP Client..http://www.bpftpse
http://www.hackhispano.com
http://www3.ca.com/threati
It's a virus spread by an Outlook mail client; it's very possible that they have combined this virus, Bulletproof FTP and a password cracker to send out the results to a destination to facilitate a remote crack.
I have a zip of all the offending files prior to deleting.
I seriously recommend sending the information to the following address:
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
These guys will work with ALL relevant parties in ensuring this does not happen again.
I'm not ignoring any of the comments raised by everyone. I appreciate the effort you have all gone to. I have just not been back on site to test/try the options.
We do have Symantec. We do have a so-called firewall, a BT effort, that can't really be touched. And yes Windows is up to date.
I've been looking around and still no references to sqlckhide.
We are aware of other irregularities within the corporate network, so I will keep you posted if they are related.
I will send it to cert.org and Symantec today, and will get someone to check A/V for exclusion folders.
Once again THANK YOU all
I've just received a mail from SSWUG that there is a new virus about, similar to the PhatBot virus, that looks to be doing the above:
http://www.washingtonpost.
http://isc.sans.org/diary.
/*Good luck ;-) */
by: arbert, posted on 2004-04-15 at 15:55:33, ID: 10837842
I haven't seen anything on this either. As much as I hate to tell you this, I would open up a support call to Microsoft and report it....