Solved

SQLckHide.exe and svchost.exe appear to be scanning external IP's for vunerable SQL servers, it also kills the adsl connection

Posted on 2004-04-15
12
358 Views
Last Modified: 2007-12-19
I have discovered a hidden program running on our SBS2000 server hidden in the

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088 directory that has been killing our broadband

connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been

installed in this location,

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof

Does anybody had this, or know of it. I have searched the usual google, yahoo, microsoft, symantec,

experts-xchange etc but no joy. This may just be because the file dates are 8/4/04 and it is too

new to appear.

The only way to see the files & folders is to change the view folder options.
A file, 500.bat contains the following lines:-
@ECHO OFF
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
EXIT

The IP1.txt contains approx 200 IP addresses

1USER.dic contains the SQL username of 'sa'

2PASS.dic contains the password dictionary, very comprehensive

And the output file Results.exe provides the matched IP address, username and SQL sa password

Another file SQLck_Logfile.txt contains all ip addresses, ports and connection results for all of

the attacked systems

The system has also created a new service call winlogon that calls the exe at

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof\winlogo.exe

And the registry has been affected.

This has been added to our system within the last 7 days, although the server has not been

restarted for 11 days.

I have managed to remove the offending beast by changing the service to manual and restarting the

server.

I have a zip of all the offending files prior to deleting.
0
Comment
Question by:adammaczka
12 Comments
 
LVL 34

Accepted Solution

by:
arbert earned 125 total points
ID: 10837842
I haven't seen anything on this either.  As much as I hate to tell you this, I would open up a support call to Microsoft and report it....
0
 
LVL 34

Expert Comment

by:arbert
ID: 10837854
Surely you're blocking port 1433 inbound and outbound too....
0
 
LVL 3

Assisted Solution

by:edwardsearch
edwardsearch earned 125 total points
ID: 10839180
It seem to be a virus problem. Do you have latest updates for your OS?
-Edward
0
 
LVL 13

Expert Comment

by:danblake
ID: 10840292
The only thing I know of that this should be is Bulletproof FTP (An automated FTP Client..http://www.bpftpserver.com) Could be that they are using a pw cracker and winlogo.exe is probably your virus (Win32.Petlil.A):
http://www.hackhispano.com/foro/showthread.php?t=7588
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=12197

Its a virus spread by an outloook mail client, its very possible that they have combined this virus / bulletproof FTP and a pw cracker to send out the results to a destination to facilitate a remote crack.
0
 
LVL 13

Expert Comment

by:danblake
ID: 10840294
Do you have antivirus protection ?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 13

Expert Comment

by:danblake
ID: 10840328
IF you have got a firewall I would strongly recommend checking the firewall for any unknown traffic destinations to see where the data is going to ...
0
 
LVL 1

Assisted Solution

by:Suburb-Man
Suburb-Man earned 125 total points
ID: 10862208
Most antivirus software are set not to scan recycler. Check AV's (default) exclusion files and folders.
Report/Submit it to Syamantec or NAI and search their knowledge bases.
0
 
LVL 13

Expert Comment

by:danblake
ID: 10862374
I have a zip of all the offending files prior to deleting.
I seriously recommend sending the information to the following address:
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

These guys will work will ALL relevant partys in ensuring this does not happen again.
0
 

Author Comment

by:adammaczka
ID: 10863839
I'm not ignoring any of the comments raised by everyone. I appreciate the effort you have all gone to. I have just not been back on site to test/try the options.

We do have Symantec. We do have a so-called firewall, a BT effort, that can't really be touched. And yes Windows is up to date.

I've been looking around and still no references to sqlckhide.

We are aware of other irregularities within the corporate network, so I will keep you posted if they are related.

I will send it to cert.org and symantec today. An will get someone to check A/V for exclusion folders.

Once again THANKYOU all
0
 
LVL 13

Assisted Solution

by:danblake
danblake earned 125 total points
ID: 10868599
I've just recieved a mail from SSWUG, that there is a new virus about similar to the PhatBot virus that looks to be doing the above:
http://www.washingtonpost.com/wp-dyn/articles/A3211-2004Mar17.html
http://isc.sans.org/diary.php?date=2004-04-18

/*Good luck ;-) */
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Performance is the key factor for any successful data integration project, knowing the type of transformation that you’re using is the first step on optimizing the SSIS flow performance, by utilizing the correct transformation or the design alternat…
JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now