
Solved
SQLckHide.exe and svchost.exe appear to be scanning external IPs for vulnerable SQL servers; it also kills the ADSL connection

Posted on 2004-04-15
Medium Priority
377 Views
Last Modified: 2007-12-19
I have discovered a hidden program running on our SBS2000 server, hidden in the e:\recycler\S-1-5-21-1232352603-2125215062-1949299088 directory, that has been killing our broadband connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been installed in this location:

e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof

Has anybody had this, or does anybody know of it? I have searched the usual google, yahoo, microsoft, symantec, experts-xchange etc but no joy. This may just be because the file dates are 8/4/04 and it is too new to appear.

The only way to see the files & folders is to change the view folder options.

A file, 500.bat, contains the following lines:
@ECHO OFF
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
EXIT

The IP1.txt contains approx 200 IP addresses.
1USER.dic contains the SQL username of 'sa'.
2PASS.dic contains the password dictionary, very comprehensive.
And the output file Results.exe provides the matched IP address, username and SQL sa password.

Another file, SQLck_Logfile.txt, contains all IP addresses, ports and connection results for all of the attacked systems.

The system has also created a new service called winlogon that calls the exe at
e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\temp\help\doc\bulletproof\winlogo.exe

And the registry has been affected.

This has been added to our system within the last 7 days, although the server has not been restarted for 11 days.

I have managed to remove the offending beast by changing the service to manual and restarting the server.

I have a zip of all the offending files prior to deleting.
Question by:adammaczka
10 Comments
 
LVL 34

Accepted Solution

by:
arbert earned 500 total points
ID: 10837842
I haven't seen anything on this either.  As much as I hate to tell you this, I would open up a support call to Microsoft and report it....
 
LVL 34

Expert Comment

by:arbert
ID: 10837854
Surely you're blocking port 1433 inbound and outbound too....
 
LVL 3

Assisted Solution

by:edwardsearch
edwardsearch earned 500 total points
ID: 10839180
It seems to be a virus problem. Do you have the latest updates for your OS?
-Edward
 
LVL 13

Expert Comment

by:danblake
ID: 10840292
The only thing I know of that this should be is Bulletproof FTP (an automated FTP client, http://www.bpftpserver.com). Could be that they are using a pw cracker, and winlogo.exe is probably your virus (Win32.Petlil.A):
http://www.hackhispano.com/foro/showthread.php?t=7588
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=12197

It's a virus spread by an Outlook mail client; it's very possible that they have combined this virus, Bulletproof FTP and a pw cracker to send out the results to a destination to facilitate a remote crack.
 
LVL 13

Expert Comment

by:danblake
ID: 10840294
Do you have antivirus protection ?
 
LVL 13

Expert Comment

by:danblake
ID: 10840328
If you have got a firewall, I would strongly recommend checking the firewall for any unknown traffic destinations to see where the data is going to...
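Two of the replies above point the same way: arbert's, that port 1433 should be blocked inbound and outbound, and danblake's, that the firewall log should be checked for unknown destinations. As an added example, not from the thread, here is what those two checks look like as detection logic over firewall log lines: one pass lists every inside host reaching a public address on 1433 (any hit means the outbound block is missing), the other flags a single source fanning out to many distinct SQL hosts in a short window, which is how a dictionary run against a 200-address target list looks from the edge and not how a client talks to its own database. The log layout, the 10.0.0.0/8 LAN range and the addresses are constructed for this example; the page never shows the BT router's real log format.

```python
"""Spot outbound SQL brute-force fan-out in firewall logs (example code, not from the post)."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed LAN range for the example; anything outside it counts as external.
INSIDE = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample in a generic "date time src dst dport proto action" layout.
# 10.0.0.5 plays the compromised server, 10.0.0.20 a normal client of it.
SAMPLE_LOG = """\
2004-04-13 20:40:01 10.0.0.5 203.0.113.10 1433 tcp allow
2004-04-13 20:40:03 10.0.0.20 10.0.0.5 1433 tcp allow
2004-04-13 20:40:04 10.0.0.5 203.0.113.11 1433 tcp allow
2004-04-13 20:40:08 10.0.0.7 198.51.100.9 80 tcp allow
2004-04-13 20:40:09 10.0.0.5 203.0.113.12 1433 tcp allow
2004-04-13 20:40:12 10.0.0.20 10.0.0.5 1433 tcp allow
2004-04-13 20:40:15 10.0.0.5 203.0.113.13 1433 tcp allow
2004-04-13 20:40:21 10.0.0.5 203.0.113.14 1433 tcp allow
2004-04-13 20:40:27 10.0.0.5 203.0.113.15 1433 tcp allow
2004-04-13 20:40:40 10.0.0.5 203.0.113.10 1433 tcp allow
"""


def parse_log(text: str) -> list:
    """Return (timestamp, src, dst, dport, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, dport, _proto, action = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       src, dst, int(dport), action))
    return sorted(events)


def external_sql(events: list, port: int = 1433) -> set:
    """(src, dst) pairs where an inside host reached an external address on the SQL port.
    A non-empty result means 1433 is not blocked outbound, the first thing to fix."""
    return {(src, dst) for _, src, dst, dport, _ in events
            if dport == port and ipaddress.ip_address(dst) not in INSIDE}


def sql_fanout(events: list, window_s: int = 60, threshold: int = 5, port: int = 1433) -> list:
    """Alert once per source that touches >= threshold distinct hosts on the SQL port
    within window_s seconds. Returns (src, time_of_alert, distinct_targets_so_far)."""
    recent = defaultdict(deque)          # src -> (timestamp, dst) pairs still inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport, _ in events:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst in sorted(external_sql(evs)):
        print(f"outbound 1433 to external host: {src} -> {dst}")
    for src, ts, n in sql_fanout(evs):
        print(f"{ts:%H:%M:%S} {src} reached {n} distinct SQL hosts within 60 s")
```

The client 10.0.0.20 also uses port 1433 repeatedly but to one internal host, so it never trips either check; the threshold of five distinct targets per minute is a starting point, not a tuned value.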
 
LVL 1

Assisted Solution

by:Suburb-Man
Suburb-Man earned 500 total points
ID: 10862208
Most antivirus software is set not to scan the recycler. Check the AV's (default) exclusion files and folders.
Report/submit it to Symantec or NAI and search their knowledge bases.
 
LVL 13

Expert Comment

by:danblake
ID: 10862374
"I have a zip of all the offending files prior to deleting."
I seriously recommend sending the information to the following address:
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

These guys will work with ALL relevant parties in ensuring this does not happen again.
 

Author Comment

by:adammaczka
ID: 10863839
I'm not ignoring any of the comments raised by everyone. I appreciate the effort you have all gone to. I have just not been back on site to test/try the options.

We do have Symantec. We do have a so-called firewall, a BT effort, that can't really be touched. And yes Windows is up to date.

I've been looking around and still no references to sqlckhide.

We are aware of other irregularities within the corporate network, so I will keep you posted if they are related.

I will send it to cert.org and Symantec today. And will get someone to check A/V for exclusion folders.

Once again THANK YOU all
 
LVL 13

Assisted Solution

by:danblake
danblake earned 500 total points
ID: 10868599
I've just received a mail from SSWUG that there is a new virus about, similar to the PhatBot virus, that looks to be doing the above:
http://www.washingtonpost.com/wp-dyn/articles/A3211-2004Mar17.html
http://isc.sans.org/diary.php?date=2004-04-18

/*Good luck ;-) */
