SQL Server hacked?

Hello,
We're running a SQL 2000 server on Windows 2000.  Recently, we noticed that "netstat -a" shows a lot of MS-SQL-S connections coming from our server going to addresses in Germany and Russia.  I'm afraid we've been hacked using some sort of SQL exploit. I noticed that stopping the SQL service stops the connections, but they start up again as soon as SQL service starts again.  Symantec and Trend antivirus scans show nothing, Spybot shows no spyware. How can I tell what is affecting my server and what can I do about it?

Thanks a lot!
Asked:
tech_111
3 Solutions
 
jdlambert1 commented:
Start with your firewall logs and SQL Server's Profiler. You do have a firewall, right?
 
jdlambert1 commented:
Check your scheduled jobs. If you have a zillion of them, set SQL Server Agent to not start automatically, then stop and restart SQL Server. If the connections come right back, then one or more of your jobs may be starting them.
 
jdlambert1 commented:
Here's another suggestion, if you can shut down SQL Server long enough. Set it and everything except essential O/S services to not start automatically. Reboot, bring up Task Manager and look at the processes for anything suspicious.
 
tech_111 (Author) commented:
Yes, we have a firewall.  But the problem is that the SQL 2000 server is vendor supported and they haven't done much patching.  I think the SQL server is at a lower service pack level.  Does anybody know of any common exploits I can look for to see if I can stop this attack without having to rebuild? There has to be some hidden files or services right?   Also, how risky is installing SQL service packs on a production machine?  We have backed up the database plenty of times, but we don't have the knowledge to put the app back together if something happened to the database.   Thanks!
 
jdlambert1 commented:
I'm not up to date on particular weaknesses from specific missing patches, but you can find some good links to SQL Server security issues here: http://www.databasejournal.com/features/mssql/article.php/1467721

Here are some more thoughts. Having a firewall is great, and if it's configured well, it should be logging. If so, you can examine those log files and it may help you determine if the activity is being initiated from outside or inside your network. And if from the outside, which port number it's coming through. If you're lucky, you might be able to solve the problem simply by having the firewall block that port.

Lack of patches to the operating systems could also be a point of attack.

You might also have some hackware running on a local workstation that's been compromised.

I'm surprised no one else has joined this thread yet. Perhaps a lot of folks are still commuting home, and will join it soon...
 
tech_111 (Author) commented:
I've looked at the registry startup keys, the services, and the running processes.  Everything looks normal.  The scheduled jobs are all normal, nothing new has been added.  
 
jdlambert1 commented:
I'd go to SQL Profiler next and see what those connections are doing. Going over the firewall logs would be next, but that could be very time consuming, depending on what activities it's logged.
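The netstat triage the thread keeps coming back to, worked as an added Python example (not code from the original thread or from any of the posters): it separates connections the server itself initiated to remote port 1433 from clients connected to the server's own 1433, and lists the outside peers of the outbound ones. That is the distinction the question turns on, because "coming from our server going to addresses in Germany and Russia" means the server is the one opening the connections. The `netstat -an` text below is constructed, not captured from the poster's machine, and uses RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in place of real foreign hosts; the "internal" ranges it assumes are RFC 1918 plus loopback.

```python
import ipaddress
import re
from collections import Counter

MSSQL_PORT = 1433  # MS-SQL-S, the service name the poster saw in netstat -a

# Address ranges treated as "inside" for this check: RFC 1918 plus loopback.
# (Assumption for the example; adjust to the site's own ranges.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample of `netstat -an` output from a Windows host. It is not
# the poster's real output; the foreign addresses are RFC 5737 documentation
# ranges standing in for hosts outside the network.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.21:2049         ESTABLISHED
  TCP    10.0.0.5:3150          198.51.100.23:1433     SYN_SENT
  TCP    10.0.0.5:3151          203.0.113.77:1433      ESTABLISHED
  TCP    10.0.0.5:3152          203.0.113.78:1433      SYN_SENT
  TCP    10.0.0.5:3153          192.0.2.9:1433         ESTABLISHED
  TCP    10.0.0.5:3160          10.0.0.30:445          ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'10.0.0.5:1433' -> ('10.0.0.5', 1433); '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return None, None
    return host.strip("[]"), int(port)   # strip [] around IPv6 literals


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)
    for every TCP socket with a real peer; listeners and UDP are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        if proto != "TCP":
            continue
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        if rip is None or rport == 0:   # LISTENING rows show foreign 0.0.0.0:0
            continue
        yield proto, lip, lport, rip, rport, state or ""


def is_internal(ip):
    """True if ip falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_sql_connections(text):
    """Outbound = this host talking to someone else's 1433 (the host opened
    the connection); inbound = someone connected to this host's 1433."""
    outbound, inbound = [], []
    for _, lip, lport, rip, rport, state in parse_netstat(text):
        if rport == MSSQL_PORT and lport != MSSQL_PORT:
            outbound.append((rip, state))
        elif lport == MSSQL_PORT:
            inbound.append((rip, state))
    external = Counter(ip for ip, _ in outbound if not is_internal(ip))
    return {
        "outbound": outbound,
        "inbound": inbound,
        "external_peers": external,                      # ip -> connection count
        "states": Counter(state for _, state in outbound),
    }


if __name__ == "__main__":
    result = triage_sql_connections(SAMPLE_NETSTAT)
    print(f"{len(result['outbound'])} outbound MS-SQL-S connections, "
          f"{len(result['inbound'])} inbound")
    for ip, n in result["external_peers"].most_common():
        print(f"  external peer {ip}: {n} connection(s)")
    print("  outbound states:", dict(result["states"]))
```

To use it on a real box, save `netstat -an` to a file and pass its contents to `triage_sql_connections`. Windows 2000's netstat has no `-o` switch, so it cannot show the owning process; that option arrived with Windows XP/2003, which is why the thread falls back to stopping services one at a time to see which one the connections follow. A pile of outbound connections to port 1433 on outside hosts, many still in SYN_SENT, that disappear when the SQL Server service stops is the server acting as a client, so the thing to look for is what inside SQL Server's process (a job, an extended stored procedure, or code loaded into it) is making those connections; patching alone will not remove it.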
 
SjoerdVerweij commented:
Things to try:

Work through http://support.microsoft.com/?kbid=813440

- Close port 1433, RPC (134 & 135 I think) and NetBIOS on your firewall.
- Stop SQL Server. Start the Server Network Utility. Remove TCP/IP (named pipes only).
- Stop and disable the SQL Server services.
- Run Windows Update and grab all critical updates.
- Install SQL Server Service Pack 3a. Put a password on sa.
- Restart.
- Grab a good virus scanner and run it (preferably in safe mode).
- Sue the living daylights out of your vendor.
 
tech_111 (Author) commented:
Well, it's not the Slammer worm.  I scanned with Symantec v9 Corp. and also Trend antivirus.  Also ran the Symantec Slammer worm detection tool.  I'm going to download the Microsoft security tool-kit tomorrow and see what it says.  My problem is though that if I patch the SQL server to the latest version, it'll break the app.  Thanks for all of your input!!
 
jdlambert1 commented:
Remember if you've been hacked due to a lack of a patch, applying the patch(es) may close a hole, but not get rid of any malware already on your system.

Make sure your Symantec and Trend files are up-to-date, and like SjoerdVerweij said, restart the server in safe mode, and re-run Symantec & Trend.
 
arbert commented:
"that if I patch the SQL server to the lates version, it'll break the app"


How usable is an application if you can't rely on the integrity of the data????  Sounds like you need to have some "chats" with the vendor....We have a couple of boxes that we're forced to run Windows 2000 at a certain service pack simply because the vendor can't (yet) support anything higher--you need to make sure these boxes are as isolated as possible from the outside world....
 
SjoerdVerweij commented:
Brett: I feel you. Citrix is like that. ("OH NO! DON'T INSTALL WINDOWS 2000 SERVICE PACK 4! THE WORLD WILL END!" -- "Ehm, I've been on the betas, I've read the fix list A-Z -- on an API level --, and unless you were doing some terrible undocumented stuff...."  -- "NO, IT'S MICROSOFT'S FAULT, THEY BROKE STUFF, WOE BE US, WAAAAHHH" -- anyway, you get my point).
 
arbert commented:
Ya, it doesn't matter how much you steer clients away from using crap like that, it seems like that's always the software they choose!!!!
 
SjoerdVerweij commented:
Actually, it's working quite well (350 clients, 11 servers, 20 client PCs). The thing I'm wondering is "what the heck is this offering above and beyond Terminal Services?!" Besides a cracked-out Java management client that doesn't do a gosh-darned thing that is...
 
tech_111 (Author) commented:
Sorry guys, I meant to say that if I patch the SQL Server, it MIGHT break the app and we have no support for it.  I was looking for some thoughts on patching production SQL databases that you guys have done, does it go pretty smoothly?  I think SQL Service Pack 4 is out isn't it?
 
arbert commented:
SQL2000 is sp3a.....

I haven't ever had any problems.  Of course, you always backup the system and the databases first...
