Solved

SQL Server hacked?

Posted on 2004-08-11
Last Modified: 2012-06-21
Hello,
We're running a SQL 2000 server on Windows 2000.  Recently, we noticed that "netstat -a" shows a lot of MS-SQL-S connections coming from our server going to addresses in Germany and Russia.  I'm afraid we've been hacked using some sort of SQL exploit. I noticed that stopping the SQL service stops the connections, but they start up again as soon as SQL service starts again.  Symantec and Trend antivirus scans show nothing, Spybot shows no spyware. How can I tell what is affecting my server and what can I do about it?

Thanks a lot!
Question by:tech_111
18 Comments
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779134
Start with your firewall logs and SQL Server's Profiler. You do have a firewall, right?
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779162
Check your scheduled jobs. If you have a zillion of them, set SQL Server Agent to not start automatically, then stop and restart SQL Server. If the connections come right back, then one or more of your jobs may be starting them.
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779177
Here's another suggestion, if you can shut down SQL Server long enough. Set it and everything except essential O/S services to not start automatically. Reboot, bring up Task Manager and look at the processes for anything suspicious.
 

Author Comment

by:tech_111
ID: 11779181
Yes, we have a firewall.  But the problem is that the SQL 2000 server is vendor supported and they haven't done much patching.  I think the SQL server is at a lower service pack level.  Does anybody know of any common exploits I can look for to see if I can stop this attack without having to rebuild? There have to be some hidden files or services, right?   Also, how risky is installing SQL service packs on a production machine?  We have backed up the database plenty of times, but we don't have the knowledge to put the app back together if something happened to the database.   Thanks!
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779247
I'm not up to date on particular weaknesses from specific missing patches, but you can find some good links to SQL Server security issues here: http://www.databasejournal.com/features/mssql/article.php/1467721

Here's some more thoughts. Having a firewall is great, and if it's configured well, it should be logging. If so, you can examine those log files and it may help you determine if the activity is being initiated from outside or inside your network. And if from the outside, which port number it's coming through. If you're lucky, you might be able to solve the problem simply by having the firewall block that port.

Lack of patches to the operating systems could also be a point of attack.

You might also have some hackware running on a local workstation that's been compromised.

I'm surprised no one else has joined this thread yet. Perhaps a lot of folks are still commuting home, and will join it soon...
 

Author Comment

by:tech_111
ID: 11779282
I've looked at the registry startup keys, the services, and the running processes.  Everything looks normal.  The scheduled jobs are all normal, nothing new has been added.  
 
LVL 15

Expert Comment

by:jdlambert1
ID: 11779306
I'd go to SQL Profiler next and see what those connections are doing. Going over the firewall logs would be next, but that could be very time consuming, depending on what activities it's logged.
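The triage jdlambert1 describes (check the jobs, then see what the connections are actually doing) in query form, added here as an example and not part of the original thread. These are read-only T-SQL queries against the SQL Server 2000 system tables, run as a sysadmin from Query Analyzer or osql; the SPID 57 and the "spid > 50" cutoff are placeholders. One caveat a practitioner should know before reading the results: sysprocesses only lists sessions connected to the instance. Connections that sqlservr.exe itself opens outward (linked servers, OPENROWSET/OPENDATASOURCE, replication) or that an OS command launched through xp_cmdshell opens do not appear there, which is why the job, linked-server and extended-procedure checks are included alongside the session listing.

```sql
-- Added example, not code from the thread. SQL Server 2000, run as sysadmin.
-- All object names are the SQL 2000 system tables/procedures; 57 is a placeholder SPID.
USE master
GO

-- 1. Who is connected right now, from where, and what are they running?
--    hostname and program_name are supplied by the client and can be forged;
--    net_address is the client network-card identifier the server recorded.
SELECT spid, status, loginame, hostname, program_name, net_address,
       net_library, cmd, login_time, last_batch
FROM   master..sysprocesses
WHERE  spid > 50                       -- SPIDs 1-50 are reserved for system tasks
ORDER  BY login_time
GO

-- 2. The last batch a suspicious session sent (placeholder SPID 57).
DBCC INPUTBUFFER (57)
GO

-- 3. Every job step's command text, newest changes first. A step that calls
--    xp_cmdshell, or a CmdExec/ActiveScripting step, is the first thing to read.
SELECT j.name, j.enabled, j.date_created, j.date_modified,
       s.step_id, s.subsystem, s.command
FROM   msdb..sysjobs j
JOIN   msdb..sysjobsteps s ON s.job_id = j.job_id
ORDER  BY j.date_modified DESC, j.name, s.step_id
GO

-- 4. Linked/remote servers: a definition pointing at a host you do not own is
--    one way outbound port 1433 traffic originates from sqlservr.exe itself.
SELECT srvname, srvproduct, providername, datasource, catalog, isremote, rpcout
FROM   master..sysservers
WHERE  srvid <> 0                      -- srvid 0 is the local instance
GO

-- 5. SQL logins with an empty password (a blank sa is the classic SQL 2000
--    entry point), plus the full sysadmin membership.
SELECT name, sysadmin, createdate, updatedate
FROM   master..syslogins
WHERE  password IS NULL AND isntname = 0
GO
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 6. Registered extended stored procedures: confirm whether xp_cmdshell is
--    present and look for any procedure backed by a DLL outside SQL's binn folder.
EXEC sp_helpextendedproc
GO
```

Run the session query twice a few seconds apart and diff the spid/login_time columns: a session that the netstat connections track (appearing when the service starts, gone when it stops) will stand out far faster than paging through a full Profiler trace.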
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 11779327
Things to try:

Work through http://support.microsoft.com/?kbid=813440

- Close port 1433, RPC (134 & 135 I think) and NetBIOS on your firewall.
- Stop SQL Server. Start the Server Network Utility. Remove TCP/IP (named pipes only).
- Stop and disable the SQL Server services.
- Run Windows Update and grab all critical updates.
- Install SQL Server Service Pack 3a. Put a password on sa.
- Restart.
- Grab a good virus scanner and run it (preferably in safe mode).
- Sue the living daylights out of your vendor.
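The T-SQL half of the clean-up list above (sa password, taking away the attacker's reach inside SQL Server, backing up before Service Pack 3a), added as an example rather than taken from the thread. The backup paths, the database name AppDB, the job name and the linked-server name are placeholders; the firewall, Server Network Utility and Windows Update steps are done as described in the post and have no T-SQL equivalent. Everything here is reversible and is ordered so the backups exist before anything is changed.

```sql
-- Added example, not code from the thread. SQL Server 2000, run as sysadmin.
-- D:\Backup, AppDB, 'suspicious job', UNKNOWN_LINKED_SERVER and SPID 57 are placeholders.
USE master
GO

-- 0. Before the service pack or any surgery: back up master, msdb and the
--    application database, then confirm the backup set is readable.
BACKUP DATABASE master TO DISK = 'D:\Backup\master_pre_sp3a.bak' WITH INIT
BACKUP DATABASE msdb   TO DISK = 'D:\Backup\msdb_pre_sp3a.bak'   WITH INIT
BACKUP DATABASE AppDB  TO DISK = 'D:\Backup\AppDB_pre_sp3a.bak'  WITH INIT
RESTORE VERIFYONLY FROM DISK = 'D:\Backup\AppDB_pre_sp3a.bak'
GO

-- 1. Give sa a real password. SQL 2000 accepts a blank one, and sa/blank is
--    the first thing every scanner tries. Arguments: old (NULL as sysadmin), new, login.
EXEC sp_password NULL, 'Use-A-Long-Random-Passphrase-Here', 'sa'
GO

-- 2. Remove xp_cmdshell, the usual way SQL access becomes OS access from a job
--    or an injected batch. Reversible later with:
--    EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
IF OBJECT_ID('master..xp_cmdshell') IS NOT NULL
    EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 3. Drop a linked server you did not create (found via master..sysservers),
--    including the remote logins mapped to it.
IF EXISTS (SELECT 1 FROM master..sysservers WHERE srvname = 'UNKNOWN_LINKED_SERVER')
    EXEC sp_dropserver 'UNKNOWN_LINKED_SERVER', 'droplogins'
GO

-- 4. Disable, rather than delete, a job you want to keep as evidence.
IF EXISTS (SELECT 1 FROM msdb..sysjobs WHERE name = 'suspicious job')
    EXEC msdb..sp_update_job @job_name = 'suspicious job', @enabled = 0
GO

-- 5. Kill a session identified as hostile (never your own).
IF EXISTS (SELECT 1 FROM master..sysprocesses WHERE spid = 57 AND spid <> @@SPID)
    EXEC ('KILL 57')
GO
```

Do steps 1 to 5 with the SQL Server services stopped and the firewall rules from the list already in place, then start SQL Server and watch netstat again: if the outbound connections return with the job disabled, xp_cmdshell gone and no foreign linked server, the culprit is outside SQL Server's own configuration and the safe-mode virus scan below is the next step.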

Author Comment

by:tech_111
ID: 11779407
Well, it's not the slammer worm.  I scanned with Symantec v9 Corp. and also Trend antivirus.  Also ran the Symantec Slammer worm detection tool.  I'm going to download the Microsoft security tool-kit tomorrow and see what it says.  My problem is though that if I patch the SQL server to the latest version, it'll break the app.  Thanks for all of your input!!
 
LVL 15

Accepted Solution

by:jdlambert1 (earned 84 total points)
ID: 11779430
Remember if you've been hacked due to a lack of a patch, applying the patch(es) may close a hole, but not get rid of any malware already on your system.

Make sure your Symantec and Trend files are up-to-date, and like SjoerdVerweij said, restart the server in safe mode, and re-run Symantec & Trend.
 
LVL 34

Expert Comment

by:arbert
ID: 11779482
"that if I patch the SQL server to the lates version, it'll break the app"


How usable is an application if you can't rely on the integrity of the data????  Sounds like you need to have some "chats" with the vendor....We have a couple of boxes that we're forced to run Windows 2000 at a certain service pack simply because the vendor can't (yet) support anything higher--you need to make sure these boxes are as isolated as possible from the outside world....
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 11780530
Brett: I feel you. Citrix is like that. ("OH NO! DON'T INSTALL WINDOWS 2000 SERVICE PACK 4! THE WORLD WILL END!" -- "Ehm, I've been on the betas, I've read the fix list A-Z -- on an API level --, and unless you were doing some terrible undocumented stuff...."  -- "NO, IT'S MICROSOFT'S FAULT, THEY BROKE STUFF, WOE BE US, WAAAAHHH" -- anyway, you get my point).
 
LVL 34

Expert Comment

by:arbert
ID: 11780538
Ya, it doesn't matter how much you steer clients away from using crap like that, it seems like that's always the software they choose!!!!
 
LVL 18

Assisted Solution

by:SjoerdVerweij (earned 83 total points)
ID: 11780574
Actually, it's working quite well (350 clients, 11 servers, 20 client PCs). The thing I'm wondering is "what the heck is this offering above and beyond Terminal Services?!" Besides a cracked-out Java management client that doesn't do a gosh-darned thing that is...
 

Author Comment

by:tech_111
ID: 11786897
Sorry guys, I meant to say that if I patch the SQL Server, it MIGHT break the app and we have no support for it.  I was looking for some thoughts on patching production SQL databases that you guys have done; does it go pretty smoothly?  I think SQL Service Pack 4 is out, isn't it?
 
LVL 34

Assisted Solution

by:arbert (earned 83 total points)
ID: 11787062
SQL2000 is sp3a.....

I haven't ever had any problems.  Of course, you always backup the system and the databases first...