Solved

SQL Server Hijacked or Infected

Posted on 2014-10-29
3
130 Views
Last Modified: 2015-02-05
I have a customer with an SBS 2003 server. A couple days ago they started experiencing huge traffic increases on the network, so much so that their ISP called and wanted to know what was going on. Accessing the server remotely was really really slow so I could tell there was a lot of traffic.

I used the Sonicwall logs to narrow down the traffic to the SBS server on HTTP and UDP 1434. I installed process explorer and tcpview and watched everything for a while and determined that the issue is coming from the SQL server components. I turned off ALL SQL components on the server and the issue stopped within minutes.

Now I'm stuck - we need SQL for our time clock and back office database software. I'm not familiar enough with SQL to begin to try and find the cause of this issue. I've blocked outgoing port 1434 UDP on the firewall for now but have not reactivated the SQL. We've scanned the server with Sophos and with Malwarebytes and nothing comes up.

Any thoughts? Places to start?
0
Question by:srnowacki
3 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 40410990
If you are local, you could try one of the many Rescue boot CDs.
Check out Hirensbootcd.org for the BitDefender Rescue CD
0
 
LVL 40

Accepted Solution

by:
Kyle Abrahams earned 500 total points
ID: 40410999
Are these 3rd party systems?

If so, do you have everything patched and up to date?

1434 is a well-known SQL port for the SQL Server Browser.

Maybe disable that service (as it's not needed to run SQL Server) and re-enable the SQL Server itself?
0
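The accepted suggestion carried out from the console, as an added example that was not posted in the thread: it assumes PowerShell is installed on the server and the default service names SQLBrowser (Browser) and MSSQLSERVER (engine); it inventories the SQL services, disables the Browser, and verifies nothing is still bound to UDP 1434 before the engine is brought back.

```powershell
# Added example (not from the thread). Assumes PowerShell is installed on the
# SBS 2003 box and the default service names SQLBrowser and MSSQLSERVER.
# Note: SQLBrowser exists on SQL Server 2005 and later; SQL Server 2000/MSDE
# keeps the UDP 1434 resolution listener inside the engine process itself.

# 1. Inventory every SQL-related service with its state and startup type.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%'" |
    Select-Object Name, State, StartMode |
    Format-Table -AutoSize

# 2. Stop and disable the Browser so it can no longer send or answer UDP 1434.
$browser = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
if ($browser) {
    if ($browser.Status -ne 'Stopped') { Stop-Service -Name 'SQLBrowser' -Force }
    Set-Service -Name 'SQLBrowser' -StartupType Disabled
    Write-Host 'SQLBrowser stopped and set to Disabled.'
} else {
    Write-Host 'No SQLBrowser service found (older SQL keeps UDP 1434 in the engine).'
}

# 3. Verify: anything still bound to UDP 1434? netstat -ano is available on 2003
#    and prints the owning PID in the last column.
$bound = netstat -ano -p udp | Select-String ':1434\s'
if ($bound) {
    foreach ($hit in $bound) {
        $ownerPid = ($hit.Line.Trim() -split '\s+')[-1]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        Write-Host "UDP 1434 still bound by PID $ownerPid ($($proc.ProcessName))"
    }
    Write-Host 'Leave the firewall block on UDP 1434 in place until this is explained.'
} else {
    # 4. Only the engine is needed for the time clock and back office databases.
    Write-Host 'Nothing bound to UDP 1434; re-enabling the engine only.'
    Set-Service -Name 'MSSQLSERVER' -StartupType Automatic
    Start-Service -Name 'MSSQLSERVER'
}
```

Run it from an elevated prompt; a named instance uses the service name MSSQL$InstanceName instead of MSSQLSERVER.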
 
LVL 3

Expert Comment

by:prequel_server
ID: 40417413
" time clock and back office database software"
-do you have a support contact for the above software?
0
