Scott Nowacki
asked on
SQL Server Hijacked or Infected
I have a customer with an SBS 2003 server. A couple days ago they started experiencing huge traffic increases on the network, so much so that their ISP called and wanted to know what was going on. Accessing the server remotely was really, really slow so I could tell there was a lot of traffic.
I used the Sonicwall logs to narrow down the traffic to the SBS server on HTTP and UDP 1434. I installed Process Explorer and TCPView and watched everything for a while and determined that the issue is coming from the SQL server components. I turned off ALL SQL components on the server and the issue stopped within minutes.
Now I'm stuck - we need SQL for our time clock and back office database software. I'm not familiar enough with SQL to begin to try and find the cause of this issue. I've blocked outgoing port 1434 UDP on the firewall for now but have not reactivated the SQL. We've scanned the server with Sophos and with Malwarebytes and nothing comes up.
Any thoughts? Places to start?
" time clock and back office database software"
-do you have a support contact for the above software?
Check out Hirensbootcd.org for the BitDefender Rescue CD