Solved

SQLckHide.exe and svchost.exe appear to be scanning external IPs for vulnerable SQL servers; it also kills the ADSL connection

Posted on 2004-04-15
Last Modified: 2007-12-19
I have discovered a hidden program running on our SBS2000 server, hidden in the e:\recycler\S-1-5-21-1232352603-2125215062-1949299088 directory, that has been killing our broadband connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been installed in this location:

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof

Has anybody had this, or know of it? I have searched the usual Google, Yahoo, Microsoft, Symantec, Experts Exchange etc. but no joy. This may just be because the file dates are 8/4/04 and it is too new to appear.

The only way to see the files & folders is to change the view folder options.
A file, 500.bat contains the following lines:-
@ECHO OFF
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
EXIT

The IP1.txt contains approx 200 IP addresses

1USER.dic contains the SQL username of 'sa'

2PASS.dic contains the password dictionary, very comprehensive

And the output file Results.exe provides the matched IP address, username and SQL sa password

Another file, SQLck_Logfile.txt, contains all IP addresses, ports and connection results for all of the attacked systems.

The system has also created a new service called winlogon that calls the exe at

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof\winlogo.exe

And the registry has been affected.

This has been added to our system within the last 7 days, although the server has not been restarted for 11 days.

I have managed to remove the offending beast by changing the service to manual and restarting the server.

I have a zip of all the offending files prior to deleting.
Question by:adammaczka
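Added example, not code from the thread: a small Python check that flags Windows services resembling the winlogon/winlogo.exe entry described above, i.e. a service whose binary sits under a RECYCLER SID folder, or one that borrows a Windows system-process name while its binary lives outside system32. The service records here are constructed sample data; on a real server they would come from the service control manager (sc query / WMI Win32_Service).

```python
import re

# Constructed sample service records as (service name, PathName). The first entry
# mirrors the artefact from the question; the rest are ordinary, benign services.
SAMPLE_SERVICES = [
    ("winlogon", r"e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof\winlogo.exe"),
    ("MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    ("Spooler", r"C:\WINNT\system32\spoolsv.exe"),
    ("svchost", r"C:\WINNT\system32\svchost.exe -k netsvcs"),
]

# Core Windows process names that malware commonly reuses for its own service (winlogon/svchost above).
SYSTEM_NAMES = {"winlogon", "svchost", "lsass", "csrss", "services"}

# A recycle-bin directory looks like \RECYCLER\S-1-5-21-...; no legitimate service binary lives there.
RECYCLER_RE = re.compile(r"\\recycler\\s-1-5-\d+(?:-\d+)*", re.IGNORECASE)
# Where the genuine system binaries live on NT4/2000 (WINNT) and later (WINDOWS).
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def binary_of(path_name):
    """Return just the executable from a service PathName, dropping quotes and arguments."""
    p = path_name.strip()
    if p.startswith('"'):                      # "C:\Program Files\x\a.exe" -args
        return p[1:p.find('"', 1)]
    m = EXE_RE.match(p)                        # unquoted path, possibly with spaces and args
    return m.group(1) if m else p.split(" ")[0]


def suspicious_services(services):
    """Return [(name, reason)] for services that look like the hidden winlogon service."""
    findings = []
    for name, path_name in services:
        exe = binary_of(path_name)
        if RECYCLER_RE.search(exe):
            findings.append((name, "binary lives under a RECYCLER SID directory"))
        elif name.lower() in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(exe):
            findings.append((name, "system-process name but binary outside system32"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```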
12 Comments
LVL 34

Accepted Solution

by:
arbert earned 500 total points
ID: 10837842
I haven't seen anything on this either.  As much as I hate to tell you this, I would open up a support call to Microsoft and report it....
LVL 34

Expert Comment

by:arbert
ID: 10837854
Surely you're blocking port 1433 inbound and outbound too....
LVL 3

Assisted Solution

by:edwardsearch
edwardsearch earned 500 total points
ID: 10839180
It seems to be a virus problem. Do you have the latest updates for your OS?
-Edward
LVL 13

Expert Comment

by:danblake
ID: 10840292
The only thing I know of that this should be is Bulletproof FTP (an automated FTP client, http://www.bpftpserver.com). Could be that they are using a pw cracker, and winlogo.exe is probably your virus (Win32.Petlil.A):
http://www.hackhispano.com/foro/showthread.php?t=7588
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=12197

It's a virus spread by an Outlook mail client; it's very possible that they have combined this virus, Bulletproof FTP and a pw cracker to send out the results to a destination to facilitate a remote crack.
LVL 13

Expert Comment

by:danblake
ID: 10840294
Do you have antivirus protection ?
LVL 13

Expert Comment

by:danblake
ID: 10840328
If you have got a firewall I would strongly recommend checking the firewall for any unknown traffic destinations to see where the data is going to ...
LVL 1

Assisted Solution

by:Suburb-Man
Suburb-Man earned 500 total points
ID: 10862208
Most antivirus software is set not to scan recycler. Check the AV's (default) excluded files and folders.
Report/submit it to Symantec or NAI and search their knowledge bases.
LVL 13

Expert Comment

by:danblake
ID: 10862374
I have a zip of all the offending files prior to deleting.
I seriously recommend sending the information to the following address:
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

These guys will work with ALL relevant parties in ensuring this does not happen again.
Author Comment

by:adammaczka
ID: 10863839
I'm not ignoring any of the comments raised by everyone. I appreciate the effort you have all gone to. I have just not been back on site to test/try the options.

We do have Symantec. We do have a so-called firewall, a BT effort, that can't really be touched. And yes Windows is up to date.

I've been looking around and still no references to sqlckhide.

We are aware of other irregularities within the corporate network, so I will keep you posted if they are related.

I will send it to cert.org and Symantec today, and will get someone to check the A/V for exclusion folders.

Once again THANK YOU all
LVL 13

Assisted Solution

by:danblake
danblake earned 500 total points
ID: 10868599
I've just received a mail from SSWUG that there is a new virus about, similar to the PhatBot virus, that looks to be doing the above:
http://www.washingtonpost.com/wp-dyn/articles/A3211-2004Mar17.html
http://isc.sans.org/diary.php?date=2004-04-18

/*Good luck ;-) */