SQLckHide.exe and svchost.exe appear to be scanning external IPs for vulnerable SQL servers; it also kills the ADSL connection

I have discovered a hidden program running on our SBS2000 server, hidden in the e:\recycler\S-1-5-21-1232352603-2125215062-1949299088 directory, that has been killing our broadband connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been installed in this location:

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof

Has anybody had this, or does anybody know of it? I have searched the usual Google, Yahoo, Microsoft, Symantec, Experts Exchange etc. but no joy. This may just be because the file dates are 8/4/04 and it is too new to appear.

The only way to see the files & folders is to change the view folder options.
A file, 500.bat contains the following lines:-
@ECHO OFF
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
EXIT

The IP1.txt contains approx 200 IP addresses

1USER.dic contains the SQL username of 'sa'

2PASS.dic contains the password dictionary, very comprehensive

And the output file Results.exe provides the matched IP address, username and SQL sa password.

Another file, SQLck_Logfile.txt, contains all IP addresses, ports and connection results for all of the attacked systems.

The system has also created a new service called winlogon that calls the exe at

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof\winlogo.exe

And the registry has been affected.

This has been added to our system within the last 7 days, although the server has not been restarted for 11 days.

I have managed to remove the offending beast by changing the service to manual and restarting the server.

I have a zip of all the offending files prior to deleting.
adammaczka asked:
 
arbert commented:
I haven't seen anything on this either.  As much as I hate to tell you this, I would open up a support call to Microsoft and report it....
 
arbert commented:
Surely you're blocking port 1433 inbound and outbound too....
 
edwardsearch commented:
It seems to be a virus problem. Do you have the latest updates for your OS?
-Edward
 
danblake commented:
The only thing I know of that this should be is BulletProof FTP (an automated FTP client, http://www.bpftpserver.com). It could be that they are using a pw cracker, and winlogo.exe is probably your virus (Win32.Petlil.A):
http://www.hackhispano.com/foro/showthread.php?t=7588
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=12197

It's a virus spread by an Outlook mail client; it's very possible that they have combined this virus, BulletProof FTP and a pw cracker to send out the results to a destination to facilitate a remote crack.
 
danblake commented:
Do you have antivirus protection ?
 
danblake commented:
If you have got a firewall, I would strongly recommend checking the firewall for any unknown traffic destinations to see where the data is going to...
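The firewall check danblake suggests, and arbert's point about port 1433, come together in one detection: the 500.bat job in the question produces a single internal source reaching many distinct external hosts on TCP 1433 in a short span, which is a scan pattern whether the firewall allowed or denied each attempt. The script below is an added example, not from the thread; its log lines are constructed in a generic "ALLOW/DENY proto src:port -> dst:port" text format, so LOG_RE would need adjusting for a real BT router or firewall log, and the hosts and timestamps are invented.

```python
"""Spot an internal host fanning out to TCP 1433 in firewall logs.

Added example, not from the thread.  Log format, hosts and timestamps are
constructed for illustration; adjust LOG_RE to the real firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

FMT = "%Y-%m-%d %H:%M:%S"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn raw log lines into event dicts, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        d = m.groupdict()
        events.append({"ts": datetime.strptime(d["ts"], FMT), "proto": d["proto"],
                       "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])})
    return events


def find_scanners(events: List[dict], port: int = 1433,
                  window: timedelta = timedelta(minutes=5),
                  threshold: int = 10) -> Dict[str, int]:
    """Sources that reached >= threshold distinct hosts on `port` inside one window.

    Allowed and denied attempts both count: a denied fan-out is still a scan.
    Returns {source_ip: most distinct destinations seen in any one window}.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["proto"] == "TCP" and e["dport"] == port:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        best, lo = 0, 0
        for hi in range(len(evs)):  # sliding window over time-sorted events
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            best = max(best, len({e["dst"] for e in evs[lo:hi + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits


def constructed_log() -> List[str]:
    """Constructed sample: an infected server working through a 1433 target list,
    a workstation that legitimately hammers one internal SQL server, and web noise."""
    base = datetime(2004, 4, 13, 20, 40, 0)
    lines = []
    for i in range(12):  # one new external target roughly every 7 seconds
        ts = (base + timedelta(seconds=7 * i)).strftime(FMT)
        lines.append(f"{ts} ALLOW TCP 192.168.1.5:{40000 + i} -> 203.0.113.{10 + i}:1433")
    for i in range(30):  # many connections, but always the same destination
        ts = (base + timedelta(seconds=3 * i)).strftime(FMT)
        lines.append(f"{ts} ALLOW TCP 192.168.1.20:{50000 + i} -> 192.168.1.2:1433")
    lines.append(f"{base.strftime(FMT)} ALLOW TCP 192.168.1.5:40100 -> 198.51.100.7:80")
    lines.append("-- log rotated --")  # not a traffic line; parse() ignores it
    return lines


if __name__ == "__main__":
    for src, fanout in find_scanners(parse(constructed_log())).items():
        print(f"{src}: {fanout} distinct hosts on tcp/1433 within one window")
```

Only 192.168.1.5 is reported; the workstation with thirty connections to one SQL server is not, because the count is of distinct destinations rather than connections. Once a source shows up here, the corresponding outbound block on 1433 keeps the box from scanning further while it is cleaned.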
 
Suburb-Man commented:
Most antivirus software is set not to scan recycler. Check the AV's (default) exclusion files and folders.
Report/submit it to Symantec or NAI and search their knowledge bases.
 
danblake commented:
I have a zip of all the offending files prior to deleting.
I seriously recommend sending the information to the following address:
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

These guys will work with ALL relevant parties in ensuring this does not happen again.
 
adammaczka (author) commented:
I'm not ignoring any of the comments raised by everyone. I appreciate the effort you have all gone to. I have just not been back on site to test/try the options.

We do have Symantec. We do have a so-called firewall, a BT effort, that can't really be touched. And yes Windows is up to date.

I've been looking around and still no references to sqlckhide.

We are aware of other irregularities within the corporate network, so I will keep you posted if they are related.

I will send it to cert.org and Symantec today, and will get someone to check A/V for exclusion folders.

Once again THANK YOU all
 
danblake commented:
I've just received a mail from SSWUG that there is a new virus about, similar to the PhatBot virus, that looks to be doing the above:
http://www.washingtonpost.com/wp-dyn/articles/A3211-2004Mar17.html
http://isc.sans.org/diary.php?date=2004-04-18

/*Good luck ;-) */