SQL Server hacked?

Posted on 2004-08-11
Last Modified: 2012-06-21
Hello,
We're running a SQL 2000 server on Windows 2000.  Recently, we noticed that "netstat -a" shows a lot of MS-SQL-S connections coming from our server going to addresses in Germany and Russia.  I'm afraid we've been hacked using some sort of SQL exploit. I noticed that stopping the SQL service stops the connections, but they start up again as soon as SQL service starts again.  Symantec and Trend antivirus scans show nothing, Spybot shows no spyware. How can I tell what is affecting my server and what can I do about it?

Thanks a lot!
Question by:tech_111
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779134
Start with your firewall logs and SQL Server's Profiler. You do have a firewall, right?
LVL 15

Expert Comment

by:jdlambert1
ID: 11779162
Check your scheduled jobs. If you have a zillion of them, set SQL Server Agent to not start automatically, then stop and restart SQL Server. If the connections come right back, then one or more of your jobs may be starting them.
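The job check described in the comment above can be done from Query Analyzer rather than by clicking through Enterprise Manager. The T-SQL below is an added example, not code from the thread or from any of its participants. It assumes the SQL Server 2000 msdb job tables (sysjobs, sysjobsteps, sysjobschedules) and OBJECTPROPERTY(..., 'ExecIsStartup'); the keyword list used for flagging is my own starting point, and the last two queries go one step beyond the comment by also covering procedures that run at service start and the extended stored procedure list, since the question says the connections return whenever the service starts.

```sql
-- Added example (not from the thread): inventory what SQL Server 2000 runs on its own,
-- which is where to look when connections reappear every time the service starts.
-- Assumes the SQL 2000 msdb job tables and OBJECTPROPERTY(..., 'ExecIsStartup').
SET NOCOUNT ON

-- 1. Every job step with its subsystem and full command text. Steps that shell out
--    (CmdExec, ActiveScripting) or call xp_cmdshell / sp_OACreate / OPENROWSET deserve a
--    close look, as does any job whose date_modified is newer than your own last change.
--    The keyword list is a starting point, not a complete signature set.
SELECT j.name                    AS job_name,
       j.enabled,
       j.date_created,
       j.date_modified,
       SUSER_SNAME(j.owner_sid)  AS owner_login,
       s.step_id,
       s.step_name,
       s.subsystem,              -- TSQL, CmdExec, ActiveScripting, ...
       s.last_run_date,
       s.command,
       CASE
           WHEN s.subsystem IN ('CmdExec', 'ActiveScripting')  THEN 'review: runs outside T-SQL'
           WHEN s.command LIKE '%xp_cmdshell%'
             OR s.command LIKE '%sp_OACreate%'
             OR s.command LIKE '%OPENROWSET%'
             OR s.command LIKE '%OPENDATASOURCE%'              THEN 'review: reaches outside the instance'
           ELSE ''
       END                       AS flag
FROM msdb.dbo.sysjobs     AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_modified DESC, j.name, s.step_id

-- 2. Schedules, to see what fires when SQL Server Agent starts or runs very frequently.
--    freq_type 64 = "start when SQL Server Agent starts", 4 = daily;
--    freq_subday_type 4 = every freq_subday_interval minutes.
SELECT j.name, sc.enabled, sc.freq_type, sc.freq_subday_type, sc.freq_subday_interval,
       sc.active_start_time, sc.date_created
FROM msdb.dbo.sysjobschedules AS sc
JOIN msdb.dbo.sysjobs         AS j ON j.job_id = sc.job_id
ORDER BY j.name

-- 3. Stored procedures marked to execute when the SQL Server service itself starts.
--    These do not need SQL Server Agent, so disabling Agent alone will not stop them.
SELECT name, crdate
FROM master.dbo.sysobjects
WHERE xtype = 'P' AND OBJECTPROPERTY(id, 'ExecIsStartup') = 1

-- 4. Extended stored procedures and the DLL each one maps to. Compare the DLL names
--    against a clean installation; an unfamiliar DLL here warrants investigation.
EXEC master.dbo.sp_helpextendedproc
```

Run it as a sysadmin from Query Analyzer and save the four result sets before changing anything, so you have a record of the pre-cleanup state.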
LVL 15

Expert Comment

by:jdlambert1
ID: 11779177
Here's another suggestion, if you can shut down SQL Server long enough. Set it and everything except essential O/S services to not start automatically. Reboot, bring up Task Manager and look at the processes for anything suspicious.

Author Comment

by:tech_111
ID: 11779181
Yes, we have a firewall.  But the problem is that the SQL 2000 server is vendor supported and they haven't done much patching.  I think the SQL server is at a lower service pack level.  Does anybody know of any common exploits I can look for to see if I can stop this attack without having to rebuild? There has to be some hidden files or services right?   Also, how risky is installing SQL service packs on a production machine?  We have backed up the database plenty of times, but we don't have the knowledge to put the app back together if something happened to the database.   Thanks!
LVL 15

Expert Comment

by:jdlambert1
ID: 11779247
I'm not up to date on particular weaknesses from specific missing patches, but you can find some good links to SQL Server security issues here: http://www.databasejournal.com/features/mssql/article.php/1467721

Here are some more thoughts. Having a firewall is great, and if it's configured well, it should be logging. If so, you can examine those log files and it may help you determine if the activity is being initiated from outside or inside your network. And if from the outside, which port number it's coming through. If you're lucky, you might be able to solve the problem simply by having the firewall block that port.

Lack of patches to the operating systems could also be a point of attack.

You might also have some hackware running on a local workstation that's been compromised.

I'm surprised no one else has joined this thread yet. Perhaps a lot of folks are still commuting home, and will join it soon...

Author Comment

by:tech_111
ID: 11779282
I've looked at the registry startup keys, the services, and the running processes.  Everything looks normal.  The scheduled jobs are all normal, nothing new has been added.  
LVL 15

Expert Comment

by:jdlambert1
ID: 11779306
I'd go to SQL Profiler next and see what those connections are doing. Going over the firewall logs would be next, but that could be very time consuming, depending on what activities it's logged.
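Both the original question (tying the connections netstat shows to something on the server) and the suggestion above to see what those connections are doing can be approached from inside the instance before reaching for Profiler. The T-SQL below is an added example, not code from the thread or from any of its participants. It assumes the SQL Server 2000 system table master.dbo.sysprocesses and DBCC INPUTBUFFER; the spid threshold and the column selection are my choices.

```sql
-- Added example (not from the thread): list every user session on a SQL Server 2000
-- instance together with the last statement it sent, so the connections netstat shows
-- can be matched to a login, a client program and an actual command.
-- Assumes master.dbo.sysprocesses and DBCC INPUTBUFFER as they exist in SQL 2000.
SET NOCOUNT ON

-- DBCC INPUTBUFFER returns these three columns; INSERT ... EXEC lets us keep them.
CREATE TABLE #inputbuffer (
    spid        INT,
    EventType   NVARCHAR(30),
    Parameters  INT,
    EventInfo   NVARCHAR(4000)
)

DECLARE @spid INT, @sql NVARCHAR(200)

DECLARE spid_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT spid
    FROM master.dbo.sysprocesses
    WHERE spid > 50              -- spids 1-50 are reserved for internal processes
      AND spid <> @@SPID         -- skip this script's own session

OPEN spid_cursor
FETCH NEXT FROM spid_cursor INTO @spid
WHILE @@FETCH_STATUS = 0
BEGIN
    -- If a session disconnects mid-loop the DBCC call errors out; simply rerun the script.
    SET @sql = N'DBCC INPUTBUFFER(' + CAST(@spid AS NVARCHAR(10)) + N')'
    INSERT INTO #inputbuffer (EventType, Parameters, EventInfo) EXEC (@sql)
    UPDATE #inputbuffer SET spid = @spid WHERE spid IS NULL
    FETCH NEXT FROM spid_cursor INTO @spid
END
CLOSE spid_cursor
DEALLOCATE spid_cursor

-- One row per session: who it is, where it claims to come from, and what it last ran.
SELECT p.spid,
       p.loginame,
       p.nt_username,
       p.hostname,        -- supplied by the client, so treat it as a hint, not proof
       p.program_name,    -- likewise client-supplied
       p.net_library,     -- TCP/IP vs Named Pipes vs LPC
       p.login_time,
       p.last_batch,
       p.cmd,
       b.EventInfo AS last_statement
FROM master.dbo.sysprocesses AS p
LEFT JOIN #inputbuffer        AS b ON b.spid = p.spid
WHERE p.spid > 50 AND p.spid <> @@SPID
ORDER BY p.login_time

DROP TABLE #inputbuffer
```

Note that sysprocesses does not carry the client's IP address (net_address is the client NIC identifier), so take "netstat -an" at the same moment and pair the two lists by login time and by which sessions disappear when a given connection closes. A session with an unexpected login, or whose last statement reaches outside the instance (xp_cmdshell, OPENROWSET, a linked server), is the one to trace with Profiler.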
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 11779327
Things to try:

Work through http://support.microsoft.com/?kbid=813440

- Close port 1433, RPC (134 & 135 I think) and NetBIOS on your firewall.
- Stop SQL Server. Start the Server Network Utility. Remove TCP/IP (named pipes only).
- Stop and disable the SQL Server services.
- Run Windows Update and grab all critical updates.
- Install SQL Server Service Pack 3a. Put a password on sa.
- Restart.
- Grab a good virus scanner and run it (preferably in safe mode).
- Sue the living daylights out of your vendor.
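Of the steps listed above, the ones that live inside SQL Server can be verified with a few queries after the service pack is on. The T-SQL below is an added example, not code from the thread or from any of its participants. It assumes SQL Server 2000 catalog behaviour: a blank password is stored as NULL in master.dbo.syslogins, SERVERPROPERTY reports the service-pack level, and sp_password takes (old password, new password, login). The sa password in the script is a placeholder; the firewall and Windows Update steps are outside T-SQL and are not covered.

```sql
-- Added example (not from the thread): verify the SQL Server side of the hardening list
-- on a SQL Server 2000 instance. Assumes SQL 2000 system tables and procedures.
SET NOCOUNT ON

-- 1. Service pack level. SP3/SP3a report ProductLevel 'SP3' and version 8.00.760.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level

-- 2. SQL logins with no password at all (SQL 2000 stores a blank password as NULL),
--    then every login holding sysadmin, sorted by most recently changed.
SELECT name, sysadmin, createdate, updatedate
FROM master.dbo.syslogins
WHERE password IS NULL AND isntname = 0

SELECT name, isntname, createdate, updatedate
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY updatedate DESC

-- 3. Put a password on sa. Arguments: old password (NULL when it was blank),
--    new password, login name. Replace the placeholder before running.
EXEC master.dbo.sp_password NULL, 'REPLACE-WITH-A-STRONG-PASSWORD', 'sa'

-- 4. Who has been granted xp_cmdshell. By default only sysadmin can run it,
--    so any explicit grantee listed here needs an explanation.
EXEC master.dbo.sp_helprotect 'xp_cmdshell'

-- 5. After the Server Network Utility has been set to named pipes only, confirm that
--    no session is still arriving over TCP/IP.
SELECT net_library, COUNT(*) AS sessions
FROM master.dbo.sysprocesses
WHERE spid > 50
GROUP BY net_library
```

Run step 3 from a trusted admin session only, and re-run the other queries after the reboot so the results reflect the patched state rather than the state before it.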

Author Comment

by:tech_111
ID: 11779407
Well, it's not the Slammer worm.  I scanned with Symantec v9 Corp. and also Trend antivirus.  Also ran the Symantec Slammer worm detection tool.  I'm going to download the Microsoft security tool-kit tomorrow and see what it says.  My problem is though that if I patch the SQL server to the latest version, it'll break the app.  Thanks for all of your input!!
LVL 15

Accepted Solution

by:
jdlambert1 earned 336 total points
ID: 11779430
Remember if you've been hacked due to a lack of a patch, applying the patch(es) may close a hole, but not get rid of any malware already on your system.

Make sure your Symantec and Trend files are up-to-date, and like SjoerdVerweij said, restart the server in safe mode, and re-run Symantec & Trend.
LVL 34

Expert Comment

by:arbert
ID: 11779482
"that if I patch the SQL server to the latest version, it'll break the app"

How usable is an application if you can't rely on the integrity of the data????  Sounds like you need to have some "chats" with the vendor....We have a couple of boxes that we're forced to run Windows 2000 at a certain service pack simply because the vendor can't (yet) support anything higher--you need to make sure these boxes are as isolated as possible from the outside world....
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 11780530
Brett: I feel you. Citrix is like that. ("OH NO! DON'T INSTALL WINDOWS 2000 SERVICE PACK 4! THE WORLD WILL END!" -- "Ehm, I've been on the betas, I've read the fix list A-Z -- on an API level --, and unless you were doing some terrible undocumented stuff...."  -- "NO, IT'S MICROSOFT'S FAULT, THEY BROKE STUFF, WOE BE US, WAAAAHHH" -- anyway, you get my point).
LVL 34

Expert Comment

by:arbert
ID: 11780538
Ya, it doesn't matter how much you steer clients away from using crap like that, it seems like that's always the software they choose!!!!
LVL 18

Assisted Solution

by:SjoerdVerweij
SjoerdVerweij earned 332 total points
ID: 11780574
Actually, it's working quite well (350 clients, 11 servers, 20 client PCs). The thing I'm wondering is "what the heck is this offering above and beyond Terminal Services?!" Besides a cracked-out Java management client that doesn't do a gosh-darned thing that is...

Author Comment

by:tech_111
ID: 11786897
Sorry guys, I meant to say that if I patch the SQL Server, it MIGHT break the app and we have no support for it.  I was looking for some thoughts on patching production SQL databases that you guys have done, does it go pretty smoothly?  I think SQL Service Pack 4 is out isn't it?
LVL 34

Assisted Solution

by:arbert
arbert earned 332 total points
ID: 11787062
SQL2000 is sp3a.....

I haven't ever had any problems.  Of course, you always backup the system and the databases first...