
Solved

SQL Server 2000 Infected by a worm. Sending data through port 1433

Posted on 2005-04-05
3,070 Views
Last Modified: 2013-12-04
I have two webservers running (IIS) on a fully patched Windows 2000 machine. SQL Server sp3a is unable to be installed. As soon as the SQLServr.exe starts, I see the following in my netstat table:

TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT

It goes on to host34-166.birch.net:49999.

My Norton is unable to detect anything. Ports 1433 and 1434, inbound and outbound, are blocked by the firewall. How do I get rid of this worm???? URGENT
Question by:GGurnani
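Added example, not part of the thread: in the listing above the local end is always server1:1433 and the remote end is a changing high-numbered port, which is the pattern of a remote host connecting in to the SQL Server listener rather than the server calling out; TIME_WAIT on the local side means the local end closed each connection first. The script below parses rows in that netstat layout (a constructed sample, since the page repeats a single row), labels each row inbound or outbound from a set of ports the host is known to listen on, and groups the inbound sockets by remote host so a client that keeps reopening connections to port 1433 stands out. The hostnames and the extra rows in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the netstat listing in the question
# (proto, local socket, remote socket, state). Remote ports vary the way a
# real listing would; the last two rows are added for contrast.
NETSTAT = """
TCP    server1:1433  host34-166.birch.net:3330     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3331     TIME_WAIT
TCP    server1:1433  host34-166.birch.net:3345     ESTABLISHED
TCP    server1:1433  host34-166.birch.net:49999    TIME_WAIT
TCP    server1:1433  buildbox.internal.test:2201   ESTABLISHED
TCP    server1:3710  mirror.example.test:80        ESTABLISHED
"""

# IPv4/hostname rows only; IPv6 addresses contain ':' and would need another pattern.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"lhost": m[1], "lport": int(m[2]),
                         "rhost": m[3], "rport": int(m[4]), "state": m[5]})
    return rows


def direction(row, listening_ports):
    """'inbound' when our end is a port we listen on: the remote side is then the client."""
    return "inbound" if row["lport"] in listening_ports else "outbound"


def clients_per_listener(rows, listening_ports):
    """Group inbound rows by (local port, remote host): how many sockets, which
    remote ports, which states. Many distinct remote ports from one host mean
    that host keeps opening fresh connections to the listener."""
    out = defaultdict(lambda: {"connections": 0, "remote_ports": set(), "states": set()})
    for r in rows:
        if direction(r, listening_ports) != "inbound":
            continue
        entry = out[(r["lport"], r["rhost"])]
        entry["connections"] += 1
        entry["remote_ports"].add(r["rport"])
        entry["states"].add(r["state"])
    return dict(out)


def noisy_clients(rows, listening_ports, min_connections=3):
    """Remote hosts holding at least min_connections sockets to one of our listeners."""
    return sorted(key for key, v in clients_per_listener(rows, listening_ports).items()
                  if v["connections"] >= min_connections)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT)
    for r in rows:
        print(direction(r, {1433}), r["lhost"], r["lport"], "<->",
              r["rhost"], r["rport"], r["state"])
    print("noisy:", noisy_clients(rows, {1433}))
```

Run it against a saved `netstat -n` listing by replacing the sample text; the set of listening ports is the one thing the script cannot infer from a connection table, so it has to be supplied (on the box in question, 1433 for SQL Server and 80 for IIS).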
16 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13711101
See if these tools can help you find the "pest"
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
May be a new virus, and they haven't made a definition for it...
-rich
 

Author Comment

by:GGurnani
ID: 13711323
No, that doesn't help. I don't see any weird processes running.
 

Author Comment

by:GGurnani
ID: 13712159
Here is a report from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:48 PM, on 4/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\LogWatNT.exe
U:\PVSW\BIN\NTDBSMGR.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WebTrends Analysis Series\wtam_service.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\MDM.EXE
C:\PROGRA~1\SYMANT~2\DefWatch.exe
C:\PROGRA~1\SYMANT~2\Rtvscan.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\SYMANT~2\vptray.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
c:\winnt\microsoft.net\framework\v1.1.4322\aspnet_wp.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe
C:\WINNT\TEMP\procexp.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\TEMP\Tcpview.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://website_ip1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://website_ip2
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [mspool.exe] spoolsv.exe
O4 - HKLM\..\Run: [ATIPTA] atipta.dll atipta.exe -l -p 74497 -t -e cmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\vptray.exe
O4 - Global Startup: BDMMonitor.lnk = C:\Program Files\BDMMonitor\BDMMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://medds2/nav/WebInst.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - http://129.171.149.20:7273/j2re-1_3_0_01-win-i.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\Rtvscan.exe
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - U:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - U:\PVSW\BIN\NTBTRV.EXE
O23 - Service: WebTrends Alerting and Monitoring for Analysis Series 7.0 (WTAMSVC_Analysis Series 7.0) - Unknown owner - C:\Program Files\WebTrends Analysis Series\wtam_service.exe


 
LVL 12

Expert Comment

by:rossfingal
ID: 13712395
Hi!

I don't see anything that "jumps out" as being bad.
However, this entry looks a little "strange" -
O4 - HKLM\..\Run: [mspool.exe] spoolsv.exe
Nothing wrong with spoolsv.exe being listed -
it's just that I wonder about this listed in front of it - [mspool.exe]??

Here's one page that mentions it:
http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=HKTL_SERVU.H
Doesn't sound too good!
Search the computer for any instance of mspool.exe.

You might also want to run one of these:
"Rootkit Revealer" -
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
And/or:
F-Secure "BlackIce" -
http://www.f-secure.com/blacklight

Good luck!

RF
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13713291
That server "host34-166.birch.net" appears to be a Windows server also running SQL... Discovered open port 1494/tcp on 216.212.34.166
What ports are open to your SQL server? Is this happening to both of your SQL/web servers?
IIS can be an easy hack, even fully patched... Have you tried to do any packet captures of the communication between your SQL server and the remote server "host34-166.birch.net"? Ethereal is a great packet capture tool to use; perhaps you can see if you've been hacked, or find a username and password that is connecting the two of you together. To help you sort out some of the traffic you can use a capture filter; I've posted a little tutorial here for further reference:
http://www.experts-exchange.com/Security/Linux_Security/Q_20868306.html#10240752

Your capture filter could be:
host 216.212.34.166    (this is probably the preferred filter to use)
or
src port 1433  (there are other combinations to do too, but these should filter out most of the unneeded traffic)
-rich

 

Author Comment

by:GGurnani
ID: 13718978
OK, I do see activity on port 1433. I need to keep port 1433 running, but not for host 216.212.34.166. What should I do to stop it?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13719122
It's odd that it's trying to contact that server... I've not troubleshot a problem like this with SQL... I assume that it's one of two things: you have code making the call to this server 216.212.34.166, or there is a possible infection or possible hack of your server.

You stated that "the port 1433 and 1434 inbound and outbound are blocked by firewall", so is the connection being established? You can test with nmap or another scanner that allows you to bind the source port, and do the following to see if you get a response:

nmap -sT -g 1433 -p 1433 -P0 216.212.34.166  -vv     or try
nmap -sT -g 1433 -p 80 -P0 216.212.34.166 -vv

The -g binds the source port to 1433 (or 1434 if you specify that) and -p is the port to scan (80, or 1433/34). If nmap returns results, your firewall may not be blocking as well as it should...
I'd be more interested in tracking down what is making the call to that host than anything... Blocking is simple: use IPSEC filters, or your firewall, or a 3rd party software firewall...
The Ethereal captures should let you know if the data is getting out when it shouldn't, or rather what data is getting out.
-rich
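Added example, not from the thread: the nmap lines above pin the source port with -g so the probe looks as if it came from a SQL Server, and a firewall rule written as "allow from port 1433" (or "from port 80") instead of by direction and connection state lets such packets straight through. The Python below does the same source-port pinning with a plain TCP connect and classifies the result the way nmap reports it (open, closed, filtered). So that it can be tried offline it probes a throwaway listener on loopback; to reproduce the check Rich describes, call probe() against the remote host's address from a machine outside the firewall. Source port 1433 must be free on the machine running it.

```python
import socket
import threading


def probe(target, dport, sport=1433, timeout=2.0):
    """TCP connect to target:dport with the source port pinned to sport (what
    nmap -g does). Returns 'open', 'closed' (a RST came back: reachable but
    nothing listening) or 'filtered' (no answer before the timeout: the SYN
    was dropped somewhere on the path)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    try:
        s.bind(("", sport))          # pin the local (source) port
        s.connect((target, dport))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def _accept_one(listener):
    # Accept a single connection, close it, then release the listening socket.
    try:
        conn, _ = listener.accept()
        conn.close()
    finally:
        listener.close()


def _free_port():
    # Ask the kernel for an unused loopback port and release it again.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Exercise probe() offline: a throwaway listener on loopback should report
    'open', a port nothing listens on should report 'closed'. The two probes use
    different source ports so the second does not collide with the first
    socket's TIME_WAIT entry."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_accept_one, args=(listener,), daemon=True).start()
    return {
        "listener": probe("127.0.0.1", open_port, sport=1433),
        "unused": probe("127.0.0.1", _free_port(), sport=1434),
    }


if __name__ == "__main__":
    print(demo())
```

A 'filtered' result from outside against port 1433 is what the firewall is supposed to produce; 'open' with the source port pinned, but 'filtered' without it, is the tell-tale of a rule that trusts the source port.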
 

Author Comment

by:GGurnani
ID: 13719514
Apparently, it's using my web IP address to send data.

I see repeatedly this data sent from my ip address to the host address:

No.     Time        Source                Destination           Protocol Info
    615 265.808380  129.171.80.124        61.88.27.90           TDS      Response Packet

Frame 615 (142 bytes on wire, 142 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 128
    Identification: 0x3172 (12658)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e2c)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19166 (19166), Seq: 1, Ack: 177, Len: 88
    Source port: 1433 (1433)
    Destination port: 19166 (19166)
    Sequence number: 1    (relative sequence number)
    Next sequence number: 89    (relative sequence number)
    Acknowledgement number: 177    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 65359
    Checksum: 0x2b4c (incorrect, should be 0xcb77)
Tabular Data Stream
    Type: Response Packet (0x04)
    Status: Last buffer in request or response (1)
    Size: 88
    Channel: 0
    Packet Number: 1
    Window: 0
    Token 0xaa Error Message
        Length: 68
        SQL Error Number: 18456
        State: 1
        Severity Level: 14
        Error message length: 28 characters
        Error: Login failed for user 'sql'.
        Server name length: 0 characters
        Process name length: 0 characters
        line number: 0
    Token 0xfd Done
        Status flags
        Operation
        row count: 0

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 80 31 72 40 00 80 06 00 00 81 ab 50 7c 3d 58   ..1r@.......P|=X
0020  1b 5a 05 99 4a de 8f 46 34 29 e7 18 ac 53 50 18   .Z..J..F4)...SP.
0030  ff 4f 2b 4c 00 00 04 01 00 58 00 00 01 00 aa 44   .O+L.....X.....D
0040  00 18 48 00 00 01 0e 1c 00 4c 00 6f 00 67 00 69   ..H......L.o.g.i
0050  00 6e 00 20 00 66 00 61 00 69 00 6c 00 65 00 64   .n. .f.a.i.l.e.d
0060  00 20 00 66 00 6f 00 72 00 20 00 75 00 73 00 65   . .f.o.r. .u.s.e
0070  00 72 00 20 00 27 00 73 00 71 00 6c 00 27 00 2e   .r. .'.s.q.l.'..
0080  00 00 00 00 00 fd 02 00 00 00 00 00 00 00         ..............
No.     Time        Source                Destination           Protocol Info
    616 265.808439  129.171.80.124        61.88.27.90           TCP      1433 > 19166 [FIN, ACK] Seq=89 Ack=177 Win=65359 [CHECKSUM INCORRECT] Len=0

Frame 616 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3173 (12659)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e83)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19166 (19166), Seq: 89, Ack: 177, Len: 0
    Source port: 1433 (1433)
    Destination port: 19166 (19166)
    Sequence number: 89    (relative sequence number)
    Acknowledgement number: 177    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
    Window size: 65359
    Checksum: 0x2af4 (incorrect, should be 0xddfe)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 73 40 00 80 06 00 00 81 ab 50 7c 3d 58   .(1s@.......P|=X
0020  1b 5a 05 99 4a de 8f 46 34 81 e7 18 ac 53 50 11   .Z..J..F4....SP.
0030  ff 4f 2a f4 00 00                                 .O*...
No.     Time        Source                Destination           Protocol Info
    617 265.939469  129.171.80.123        61.88.27.90           TCP      1433 > 19123 [ACK] Seq=90 Ack=176 Win=65361 [CHECKSUM INCORRECT] Len=0

Frame 617 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3174 (12660)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e83)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19123 (19123), Seq: 90, Ack: 176, Len: 0
    Source port: 1433 (1433)
    Destination port: 19123 (19123)
    Sequence number: 90    (relative sequence number)
    Acknowledgement number: 176    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 65361
    Checksum: 0x2af3 (incorrect, should be 0x2639)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 74 40 00 80 06 00 00 81 ab 50 7b 3d 58   .(1t@.......P{=X
0020  1b 5a 05 99 4a b3 8f 44 63 c2 06 31 15 ed 50 10   .Z..J..Dc..1..P.
0030  ff 51 2a f3 00 00                                 .Q*...
No.     Time        Source                Destination           Protocol Info
    618 265.942917  129.171.80.123        61.88.27.90           TCP      1433 > 19230 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460

Frame 618 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3175 (12661)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e7a)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19230 (19230), Seq: 0, Ack: 1, Len: 0
    Source port: 1433 (1433)
    Destination port: 19230 (19230)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 65535
    Checksum: 0x6e31 (correct)
    Options: (8 bytes)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 30 31 75 40 00 80 06 00 00 81 ab 50 7b 3d 58   .01u@.......P{=X
0020  1b 5a 05 99 4b 1e 8f 49 0a fb 05 52 f9 b7 70 12   .Z..K..I...R..p.
0030  ff ff 6e 31 00 00 02 04 05 b4 01 01 04 02         ..n1..........
No.     Time        Source                Destination           Protocol Info
    619 266.254288  129.171.80.124        61.88.27.90           TCP      1433 > 19166 [ACK] Seq=90 Ack=178 Win=65359 [CHECKSUM INCORRECT] Len=0

Frame 619 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x317f (12671)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e77)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19166 (19166), Seq: 90, Ack: 178, Len: 0
    Source port: 1433 (1433)
    Destination port: 19166 (19166)
    Sequence number: 90    (relative sequence number)
    Acknowledgement number: 178    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 65359
    Checksum: 0x2af4 (incorrect, should be 0xddfd)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 7f 40 00 80 06 00 00 81 ab 50 7c 3d 58   .(1.@.......P|=X
0020  1b 5a 05 99 4a de 8f 46 34 82 e7 18 ac 54 50 10   .Z..J..F4....TP.
0030  ff 4f 2a f4 00 00                                 .O*...
No.     Time        Source                Destination           Protocol Info
    620 266.257681  129.171.80.124        61.88.27.90           TCP      1433 > 19282 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460

Frame 620 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3180 (12672)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e6e)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19282 (19282), Seq: 0, Ack: 1, Len: 0
    Source port: 1433 (1433)
    Destination port: 19282 (19282)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 65535
    Checksum: 0xe5c5 (correct)
    Options: (8 bytes)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 30 31 80 40 00 80 06 00 00 81 ab 50 7c 3d 58   .01.@.......P|=X
0020  1b 5a 05 99 4b 52 8f 4b 13 98 a5 ed d8 b3 70 12   .Z..KR.K......p.
0030  ff ff e5 c5 00 00 02 04 05 b4 01 01 04 02         ..............
No.     Time        Source                Destination           Protocol Info
    621 266.394904  129.171.80.123        61.88.27.90           TDS      Response Packet

Frame 621 (142 bytes on wire, 142 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 128
    Identification: 0x3181 (12673)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e1e)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19230 (19230), Seq: 1, Ack: 177, Len: 88
    Source port: 1433 (1433)
    Destination port: 19230 (19230)
    Sequence number: 1    (relative sequence number)
    Next sequence number: 89    (relative sequence number)
    Acknowledgement number: 177    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 65359
    Checksum: 0x2b4b (incorrect, should be 0x8815)
Tabular Data Stream
    Type: Response Packet (0x04)
    Status: Last buffer in request or response (1)
    Size: 88
    Channel: 0
    Packet Number: 1
    Window: 0
    Token 0xaa Error Message
        Length: 68
        SQL Error Number: 18456
        State: 1
        Severity Level: 14
        Error message length: 28 characters
        Error: Login failed for user 'sql'.
        Server name length: 0 characters
        Process name length: 0 characters
        line number: 0
    Token 0xfd Done
        Status flags
        Operation
        row count: 0

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 80 31 81 40 00 80 06 00 00 81 ab 50 7b 3d 58   ..1.@.......P{=X
0020  1b 5a 05 99 4b 1e 8f 49 0a fc 05 52 fa 67 50 18   .Z..K..I...R.gP.
0030  ff 4f 2b 4b 00 00 04 01 00 58 00 00 01 00 aa 44   .O+K.....X.....D
0040  00 18 48 00 00 01 0e 1c 00 4c 00 6f 00 67 00 69   ..H......L.o.g.i
0050  00 6e 00 20 00 66 00 61 00 69 00 6c 00 65 00 64   .n. .f.a.i.l.e.d
0060  00 20 00 66 00 6f 00 72 00 20 00 75 00 73 00 65   . .f.o.r. .u.s.e
0070  00 72 00 20 00 27 00 73 00 71 00 6c 00 27 00 2e   .r. .'.s.q.l.'..
0080  00 00 00 00 00 fd 02 00 00 00 00 00 00 00         ..............
No.     Time        Source                Destination           Protocol Info
    622 266.394952  129.171.80.123        61.88.27.90           TCP      1433 > 19230 [FIN, ACK] Seq=89 Ack=177 Win=65359 [CHECKSUM INCORRECT] Len=0

Frame 622 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3182 (12674)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e75)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19230 (19230), Seq: 89, Ack: 177, Len: 0
    Source port: 1433 (1433)
    Destination port: 19230 (19230)
    Sequence number: 89    (relative sequence number)
    Acknowledgement number: 177    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
    Window size: 65359
    Checksum: 0x2af3 (incorrect, should be 0x9a9c)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 82 40 00 80 06 00 00 81 ab 50 7b 3d 58   .(1.@.......P{=X
0020  1b 5a 05 99 4b 1e 8f 49 0b 54 05 52 fa 67 50 11   .Z..K..I.T.R.gP.
0030  ff 4f 2a f3 00 00                                 .O*...
No.     Time        Source                Destination           Protocol Info
    623 266.703962  129.171.80.124        61.88.27.90           TDS      Response Packet

Frame 623 (142 bytes on wire, 142 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 128
    Identification: 0x318c (12684)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e12)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19282 (19282), Seq: 1, Ack: 179, Len: 88
    Source port: 1433 (1433)
    Destination port: 19282 (19282)
    Sequence number: 1    (relative sequence number)
    Next sequence number: 89    (relative sequence number)
    Acknowledgement number: 179    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 65357
    Checksum: 0x2b4c (incorrect, should be 0xffa9)
Tabular Data Stream
    Type: Response Packet (0x04)
    Status: Last buffer in request or response (1)
    Size: 88
    Channel: 0
    Packet Number: 1
    Window: 0
    Token 0xaa Error Message
        Length: 68
        SQL Error Number: 18456
        State: 1
        Severity Level: 14
        Error message length: 28 characters
        Error: Login failed for user 'sql'.
        Server name length: 0 characters
        Process name length: 0 characters
        line number: 0
    Token 0xfd Done
        Status flags
        Operation
        row count: 0

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 80 31 8c 40 00 80 06 00 00 81 ab 50 7c 3d 58   ..1.@.......P|=X
0020  1b 5a 05 99 4b 52 8f 4b 13 99 a5 ed d9 65 50 18   .Z..KR.K.....eP.
0030  ff 4d 2b 4c 00 00 04 01 00 58 00 00 01 00 aa 44   .M+L.....X.....D
0040  00 18 48 00 00 01 0e 1c 00 4c 00 6f 00 67 00 69   ..H......L.o.g.i
0050  00 6e 00 20 00 66 00 61 00 69 00 6c 00 65 00 64   .n. .f.a.i.l.e.d
0060  00 20 00 66 00 6f 00 72 00 20 00 75 00 73 00 65   . .f.o.r. .u.s.e
0070  00 72 00 20 00 27 00 73 00 71 00 6c 00 27 00 2e   .r. .'.s.q.l.'..
0080  00 00 00 00 00 fd 02 00 00 00 00 00 00 00         ..............
No.     Time        Source                Destination           Protocol Info
    624 266.704009  129.171.80.124        61.88.27.90           TCP      1433 > 19282 [FIN, ACK] Seq=89 Ack=179 Win=65357 [CHECKSUM INCORRECT] Len=0

Frame 624 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x318d (12685)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e69)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19282 (19282), Seq: 89, Ack: 179, Len: 0
    Source port: 1433 (1433)
    Destination port: 19282 (19282)
    Sequence number: 89    (relative sequence number)
    Acknowledgement number: 179    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
    Window size: 65357
    Checksum: 0x2af4 (incorrect, should be 0x1231)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 8d 40 00 80 06 00 00 81 ab 50 7c 3d 58   .(1.@.......P|=X
0020  1b 5a 05 99 4b 52 8f 4b 13 f1 a5 ed d9 65 50 11   .Z..KR.K.....eP.
0030  ff 4d 2a f4 00 00                                 .M*...
No.     Time        Source                Destination           Protocol Info
    625 266.818550  129.171.80.123        61.88.27.90           TCP      1433 > 19230 [ACK] Seq=90 Ack=178 Win=65359 [CHECKSUM INCORRECT] Len=0

Frame 625 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3197 (12695)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e60)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19230 (19230), Seq: 90, Ack: 178, Len: 0
    Source port: 1433 (1433)
    Destination port: 19230 (19230)
    Sequence number: 90    (relative sequence number)
    Acknowledgement number: 178    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 65359
    Checksum: 0x2af3 (incorrect, should be 0x9a9b)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 97 40 00 80 06 00 00 81 ab 50 7b 3d 58   .(1.@.......P{=X
0020  1b 5a 05 99 4b 1e 8f 49 0b 55 05 52 fa 68 50 10   .Z..K..I.U.R.hP.
0030  ff 4f 2a f3 00 00                                 .O*...
No.     Time        Source                Destination           Protocol Info
    626 266.822394  129.171.80.123        61.88.27.90           TCP      1433 > 19341 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460

Frame 626 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3198 (12696)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e57)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19341 (19341), Seq: 0, Ack: 1, Len: 0
    Source port: 1433 (1433)
    Destination port: 19341 (19341)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 65535
    Checksum: 0x8adc (correct)
    Options: (8 bytes)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 30 31 98 40 00 80 06 00 00 81 ab 50 7b 3d 58   .01.@.......P{=X
0020  1b 5a 05 99 4b 8d 8f 4d 80 f4 bf 87 ac 6a 70 12   .Z..K..M.....jp.
0030  ff ff 8a dc 00 00 02 04 05 b4 01 01 04 02         ..............
No.     Time        Source                Destination           Protocol Info
    627 267.173118  129.171.80.124        61.88.27.90           TCP      1433 > 19282 [ACK] Seq=90 Ack=180 Win=65357 [CHECKSUM INCORRECT] Len=0

Frame 627 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.124 (129.171.80.124), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3199 (12697)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9e5d)
    Source: 129.171.80.124 (129.171.80.124)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19282 (19282), Seq: 90, Ack: 180, Len: 0
    Source port: 1433 (1433)
    Destination port: 19282 (19282)
    Sequence number: 90    (relative sequence number)
    Acknowledgement number: 180    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 65357
    Checksum: 0x2af4 (incorrect, should be 0x1230)

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 31 99 40 00 80 06 00 00 81 ab 50 7c 3d 58   .(1.@.......P|=X
0020  1b 5a 05 99 4b 52 8f 4b 13 f2 a5 ed d9 66 50 10   .Z..KR.K.....fP.
0030  ff 4d 2a f4 00 00                                 .M*...
No.     Time        Source                Destination           Protocol Info
    628 268.828450  129.171.80.123        61.88.27.90           TCP      [TCP Retransmission] 1433 > 19123 [FIN, ACK] Seq=89 Ack=176 Win=65361 [CHECKSUM INCORRECT] Len=0

Frame 628 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:04:23:af:4f:d4, Dst: 00:08:20:d9:aa:bc
Internet Protocol, Src Addr: 129.171.80.123 (129.171.80.123), Dst Addr: 61.88.27.90 (61.88.27.90)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x3349 (13129)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 (incorrect, should be 0x9cae)
    Source: 129.171.80.123 (129.171.80.123)
    Destination: 61.88.27.90 (61.88.27.90)
Transmission Control Protocol, Src Port: 1433 (1433), Dst Port: 19123 (19123), Seq: 89, Ack: 176, Len: 0
    Source port: 1433 (1433)
    Destination port: 19123 (19123)
    Sequence number: 89    (relative sequence number)
    Acknowledgement number: 176    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0011 (FIN, ACK)
    Window size: 65361
    Checksum: 0x2af3 (incorrect, should be 0x2639)
    SEQ/ACK analysis

0000  00 08 20 d9 aa bc 00 04 23 af 4f d4 08 00 45 00   .. .....#.O...E.
0010  00 28 33 49 40 00 80 06 00 00 81 ab 50 7b 3d 58   .(3I@.......P{=X
0020  1b 5a 05 99 4a b3 8f 44 63 c1 06 31 15 ed 50 11   .Z..J..Dc..1..P.
0030  ff 51 2a f3 00 00                                 .Q*...
0
 

Author Comment

by:GGurnani
ID: 13720157
IPsec policy is not working. The host address has changed to 61.88.27.90 and 210.182.103.71. PLEASE HELP!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13720204
I don't see the 216.212.34.166 IP as the source or destination... I see the
OrgName:    University of Miami  as the source and the
netname:      ADVICE4LIFE in Australia as the destination in those packet dumps...

Source                       Destination
129.171.80.124        61.88.27.90

These do look like someone is attempting to log in to your SQL server; I'm not sure your firewall is doing its job... SQL ports are not great to have exposed on the internet. Typically you want to keep the SQL port internal for the web servers to call on the private IP space rather than over the public IP address space; the private IP ranges are 10.x.x.x, 192.168.x.x and 172.16.x.x in accordance with RFC 1918.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13720519
You can block based on src or dst port... but again, are your 1433 and 1434 supposed to be visible on the internet? I assume not.
210.182.103.71=
netname:      BORANET-NET-210-182
descr:        DACOM Corp.
descr:        Facility-based Telecommunication Service Provider
descr:        providing Internet leased-ine, on-line service, BLL etc.

Looks like your SQL server is exposed, and various locations are trying to access it; perhaps it's the SQL-Slammer worm making attempts on your SQL server. I assume you've scanned your machine for all viruses. These appear to be attempts TO your box; I'm not sure your box is making the connection request. You don't have to post the entire packet dump, but you can tell if yours is making the request. Do a capture with no filter rules, and look down the dump to see if the next attempt has a SRC other than your own subnet... like this
SRC   SRC port        DST               DST port
1.2.3.4    >1025         your ip here 1433  (the src should have a src port greater than 1024, and be trying to go to dst port 1433)
If it's the other way around, then your machine is making the initial request, but if a request comes from a src other than your own, then they are making attempts on your server. Does that make sense?
-rich
0
 

Author Comment

by:GGurnani
ID: 13721123
I scanned my machine with Norton, Stinger and Slammer removal tools; nothing found. If I block ports 1433 & 1434, would my SQL server still be able to contact IIS? I need to allow internal subnet people to access the SQL server but no one outside... How can I do that on all my network cards (IPs)?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13721545
Are these servers on the internet by themselves? No firewall in front of them? I'd recommend getting one, be it software or hardware, if not.
IPSEC firewall rules are easily bypassed if you bind your source port to port 88 or 500; you can see this if you use nmap -g as we discussed earlier.
http://support.microsoft.com/kb/810207/EN-US/

Does your SQL server have two IP addresses? An internal one and an external one (10.x.x.x, 192.168.x.x or 172.16.x.x for internal)?
Even if you don't have any private IPs you could block all other sources, but allow your entire IP range or a certain range.
-rich
0
 

Author Comment

by:GGurnani
ID: 13721893
There is one server with three network cards, all of them with different IP addresses, all behind a hardware firewall. Two cards are hosting websites and hence have only port 80 and the SSL port open on them inbound/outbound. The third one is totally invisible to the outside network. I think the server got infected through port 80 and is trying to get back to the IP where it got infected from (shown in the Ethereal log). The firewall is supposed to block traffic on port 1433 inbound/outbound on the public IP, but I don't think it's doing its job. I applied a policy of blocking all outbound/inbound network traffic on port 1433 except for the internal network using IPsec. However, that is not stopping this "Wacko" from trying to connect to my public IP address on port 1433 and busying my server. What else can be done besides the firewall to stop this?
0
 

Author Comment

by:GGurnani
ID: 13722196
Apparently the firewall guy forgot to block port 1433~~)

Is it possible to find out how the intruder was able to get in and if they infected any files? How to block port 1433 from outside/inside without using a full-fledged firewall? How to secure IIS so that it doesn't happen again? Thanks for your quick response, Rich!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 13726798
IIS can be hard to secure, I'd suggest the IIS Lockdown and URL Scan utilities for a start
http://www.microsoft.com/technet/security/tools/locktool.mspx
http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp

As far as finding out how it was done, you should review your logs (event logs, IIS logs, firewall logs, etc.). Also you may want to start using an IDS such as Snort, to alert you when possible hacker/malicious activities are occurring against your servers.

You should be able to keep them out by blocking ports 1433 and 1434. You should only allow a certain set of PCs or a certain IP range(s) to access that SQL server on ports 1433 and 1434. Now if you don't think you can trust your server anymore, meaning you're not sure if it's been "root'd" or owned, then you must rebuild. Make backups, save all you can, and then rebuild from scratch.
Turn on auditing if you don't have it on. I suggest McAfee as an AV solution for 2 reasons: 1) It finds utilities that 90% of the others ignore, tools like netcat, pwdump, l0pht crack, etc... 2) there is a firewall included in the enterprise version of McAfee; it will also allow you to not only block ports but also block programs that are not approved, such as those that may be uploaded during a unicode attack. Snort will alert you of this activity also, but it's not easy for most people to set up the first time.
Here are some IIS protection tips, as well as some best practices to follow, and prevention links
http://www.sans.org/resources/malwarefaq/wnt-unicode.php
http://www.gfi.com/lannetscan/ (audit yourself with this tool, and/or Nessus; see if there are any major holes)
http://nessus.org/
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx (dl the guide- read it over)
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
https://www.grc.com/x/ne.dll?bh0bkyd2 (this will also run a scan on your current internet ip, do this from the sql machine directly to scan it)
http://www.hackingexposed.com/ (these are some of the greatest books in the world- pick some up) http://www.hackingexposed.com/tools/tools.html
http://www.snort.org/ (network intrusion detection system)
http://www.intersectalliance.com/projects/SnareWindows/ (event log monitoring)
-rich
0
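The direction check Rich describes (which side holds port 1433, and whether the SYN comes from your own subnet) and the allowlist advice in the accepted answer can be scripted against Ethereal's summary lines. The Python below is an added example written for this page, not code posted in the thread or shipped with any tool mentioned in it. It assumes the server's subnet is 129.171.80.0/24 (inferred from the addresses in the posted dumps) and that only that range plus 10.0.0.0/8 may reach the SQL ports; the sample input mixes the two summary lines posted above with constructed lines.

```python
# Added example: classify SQL Server (TCP 1433/1434) flows from Ethereal/Wireshark summary
# lines: who initiated each one, how far it got, and whether the client is allowed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SQL_PORTS = {1433, 1434}

# Assumptions for this example (not stated in the thread): the server's own subnet is
# inferred from the posted dumps, and only these client ranges may reach the SQL ports.
LOCAL_NET = ipaddress.ip_network("129.171.80.0/24")
ALLOWED_CLIENTS = [ipaddress.ip_network("129.171.80.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Summary columns: No.  Time  Source  Destination  Protocol  Info
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+(.*)$")
# Inside Info: "1433 > 19341 [SYN, ACK] ..." (a "[TCP Retransmission]" tag may precede it)
INFO_RE = re.compile(r"(\d+)\s*>\s*(\d+)\s*\[([A-Z, ]+)\]")


@dataclass
class SqlFlow:
    frame: int
    client: str        # endpoint on the ephemeral port
    server: str        # endpoint on 1433/1434
    direction: str     # "inbound": remote -> our SQL service; "outbound": our host -> remote SQL
    stage: str         # "attempt" (bare SYN), "accepted" (SYN/ACK) or "established"
    policy_ok: bool    # client lies inside an allowed range


def classify(line: str) -> Optional[SqlFlow]:
    """Return a SqlFlow for a TCP summary line that touches 1433/1434, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    frame, _time, src, dst, info = m.groups()
    im = INFO_RE.search(info)
    if not im:
        return None
    sport, dport = int(im.group(1)), int(im.group(2))
    flags = {f.strip() for f in im.group(3).split(",")}
    # The side holding the SQL port is the service; the other side is the client.
    if dport in SQL_PORTS and sport not in SQL_PORTS:
        client, server = src, dst
    elif sport in SQL_PORTS and dport not in SQL_PORTS:
        client, server = dst, src
    else:
        return None
    direction = "inbound" if ipaddress.ip_address(server) in LOCAL_NET else "outbound"
    # A bare SYN is only an attempt; SYN/ACK means the service answered, so nothing in
    # front of it dropped the SYN; anything else belongs to an already open session.
    if "SYN" in flags and "ACK" not in flags:
        stage = "attempt"
    elif "SYN" in flags:
        stage = "accepted"
    else:
        stage = "established"
    policy_ok = any(ipaddress.ip_address(client) in net for net in ALLOWED_CLIENTS)
    return SqlFlow(int(frame), client, server, direction, stage, policy_ok)


def alert_reason(flow: SqlFlow) -> Optional[str]:
    """Why a flow deserves attention, or None if it is within policy."""
    if flow.direction == "outbound":
        return "local host is opening connections to a remote SQL port (worm-like)"
    if not flow.policy_ok:
        return "client outside the allowed ranges reached the SQL port"
    return None


def summarize(lines):
    """Count flows per (direction, stage) and collect those that need attention."""
    counts, alerts = {}, []
    for line in lines:
        flow = classify(line)
        if flow is None:
            continue
        key = (flow.direction, flow.stage)
        counts[key] = counts.get(key, 0) + 1
        if alert_reason(flow):
            alerts.append(flow)
    return counts, alerts


# Constructed sample: frames 627 and 628 are the summary lines posted above, 626 is built to
# match the posted SYN/ACK frame, and 629-631 are made up (inbound probe, internal client,
# and the server itself connecting out to a remote SQL port).
SAMPLE = """\
    626 267.100000  129.171.80.123        61.88.27.90           TCP      1433 > 19341 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
    627 267.173118  129.171.80.124        61.88.27.90           TCP      1433 > 19282 [ACK] Seq=90 Ack=180 Win=65357 [CHECKSUM INCORRECT] Len=0
    628 268.828450  129.171.80.123        61.88.27.90           TCP      [TCP Retransmission] 1433 > 19123 [FIN, ACK] Seq=89 Ack=176 Win=65361 [CHECKSUM INCORRECT] Len=0
    629 269.000000  210.182.103.71        129.171.80.123        TCP      3330 > 1433 [SYN] Seq=0 Len=0
    630 269.100000  129.171.80.10         129.171.80.123        TCP      2048 > 1433 [SYN] Seq=0 Len=0
    631 269.200000  129.171.80.123        198.51.100.7          TCP      4099 > 1433 [SYN] Seq=0 Len=0
""".splitlines()

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE)
    for (direction, stage), n in sorted(counts.items()):
        print(f"{direction:8s} {stage:11s} {n}")
    for flow in alerts:
        print(f"frame {flow.frame}: {flow.client} -> {flow.server}: {alert_reason(flow)}")
```

Two results matter for the diagnosis in this thread. Any "outbound" flow means the server itself is opening connections to port 1433 elsewhere, which is the behaviour to expect from an infected host; every flow in the posted dumps is "inbound", i.e. remote hosts reaching the local service. An "inbound accepted" flow (a SYN/ACK sent by the server, like the posted frame to 61.88.27.90) proves the remote SYN was delivered, so the firewall in front of the box was not dropping 1433 at that moment.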
