Solved

SQL Server Hijacked or Infected

Posted on 2014-10-29
Last Modified: 2015-02-05
I have a customer with an SBS 2003 server. A couple of days ago they started experiencing huge traffic increases on the network, so much so that their ISP called and wanted to know what was going on. Accessing the server remotely was really, really slow, so I could tell there was a lot of traffic.

I used the SonicWall logs to narrow down the traffic to the SBS server on HTTP and UDP 1434. I installed Process Explorer and TCPView and watched everything for a while and determined that the issue is coming from the SQL Server components. I turned off ALL SQL components on the server and the issue stopped within minutes.

Now I'm stuck - we need SQL for our time clock and back office database software. I'm not familiar enough with SQL to begin to try and find the cause of this issue. I've blocked outgoing port 1434 UDP on the firewall for now but have not reactivated the SQL. We've scanned the server with Sophos and with Malwarebytes and nothing comes up.

Any thoughts? Places to start?
0
Question by:srnowacki
3 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 40410990
If you are local, you could try one of the many rescue boot CDs.
Check out Hirensbootcd.org for the BitDefender Rescue CD.
0
 
LVL 40

Accepted Solution

by:
Kyle Abrahams earned 500 total points
ID: 40410999
Are these 3rd-party systems?

If so, do you have everything patched and up to date?

1434 is a well-known SQL port for the SQL Server Browser.

Maybe disable that service (as it's not needed to run SQL Server) and re-enable the SQL Server itself?
0
 
LVL 3

Expert Comment

by:prequel_server
ID: 40417413
"time clock and back office database software"
- Do you have a support contact for the above software?
0
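
The triage step described in the question (using firewall logs to narrow unusual traffic down to one host and port), as an added example that is not part of the original thread. The log records are constructed in a generic CSV layout rather than real SonicWall output, and the internal subnet and the fan-out threshold of three destinations are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real SonicWall output):
# timestamp, source IP, destination IP, protocol, destination port, bytes
SAMPLE_LOG = """\
2014-10-28T09:00:01,192.168.1.10,198.51.100.7,udp,1434,400
2014-10-28T09:00:01,192.168.1.10,203.0.113.25,udp,1434,400
2014-10-28T09:00:02,192.168.1.10,198.51.100.93,udp,1434,400
2014-10-28T09:00:02,192.168.1.10,203.0.113.140,udp,1434,400
2014-10-28T09:00:03,192.168.1.23,203.0.113.80,tcp,80,5120
2014-10-28T09:00:04,192.168.1.10,192.168.1.23,udp,1434,120
2014-10-28T09:00:05,192.168.1.31,198.51.100.7,udp,53,76
"""

def summarize_outbound(log_text, internal_net="192.168.1.0/24"):
    """Group flows leaving internal_net by (source, protocol, dest port)."""
    net = ipaddress.ip_network(internal_net)  # assumed LAN range
    stats = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for ts, src, dst, proto, dport, size in csv.reader(io.StringIO(log_text)):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in net and dst_ip not in net:  # internal -> external only
            entry = stats[(src, proto, int(dport))]
            entry["bytes"] += int(size)
            entry["dests"].add(dst)
    return stats

def flag_fanout(stats, port=1434, proto="udp", min_dests=3):
    """Return hosts sending proto/port to at least min_dests external IPs."""
    return sorted(
        (src, len(e["dests"]), e["bytes"])
        for (src, p, dport), e in stats.items()
        if p == proto and dport == port and len(e["dests"]) >= min_dests
    )

if __name__ == "__main__":
    for src, dests, total in flag_fanout(summarize_outbound(SAMPLE_LOG)):
        print(f"{src}: UDP 1434 to {dests} external hosts, {total} bytes")
```

A host that sends UDP 1434 to many unrelated external addresses stands out immediately in this summary; the internal-to-internal record is deliberately excluded so ordinary LAN lookups do not inflate the count.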
