trbal
Starting Member
4 Posts
Posted - 2012-05-24 : 03:26:47

Hi, I am running SBS 2003 Std with SP2. AV is ESET AV4. Suddenly SQL started behaving strangely: people were unable to connect to the DB. On running Process Explorer I find sqlserv.exe trying to execute secedit.exe with high CPU usage, then it starts cmd.exe trying to execute a .bat file which creates folders like i4241 in the c:\system32 folder, then opens up ftp.exe. ESET detected lib32woaqexe and deletes it, just that. I have run Sophos/Malwarebytes/SuperAntiSpyware etc.; nothing is detected, but Process Explorer still shows the same sequence of events I have stated above. I had the same issue at a different site and had to reformat the server. Is that the only option? Any help is highly appreciated. I have a screenshot; where should I upload it?
Lumbago
Norsk Yak Master
3271 Posts
Posted - 2012-05-24 : 07:45:34

Sounds like you're a victim of SQL injection. Google "how to prevent sql injection" and you'll find very good information about what you need to do. The screenshot can be uploaded to tinypic.com or the like...

- Lumbago
My blog -> http://thefirstsql.com
trbal
Starting Member
4 Posts
Posted - 2012-05-24 : 13:36:31

Thanks boss, will reinstalling SQL solve the issue?
robvolk
Most Valuable Yak
15732 Posts
Posted - 2012-05-24 : 13:39:43

Not if your application still allows SQL injection; you'll just get re-infected. You have to look at your entire architecture to prevent SQL injection.
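As an added illustration of the architectural point above (this is not code from the thread or from SQLTeam), the following T-SQL shows the two patterns side by side: a statement built by concatenating user input, and the parameterized form using sp_executesql. The #Customers table and its rows are constructed for the example, and SQL Server 2005 or later is assumed. The same separation of statement text from values is what application code needs (for example SqlParameter in ADO.NET); fixing it in one stored procedure does not fix the application.

```sql
-- Added example, not from the thread: concatenated dynamic SQL beside the
-- parameterized form. Assumes SQL Server 2005+; #Customers is a constructed table.
SET NOCOUNT ON;

CREATE TABLE #Customers (CustomerId int, Name nvarchar(100));
INSERT INTO #Customers (CustomerId, Name) VALUES (1, N'Alice');     -- constructed row
INSERT INTO #Customers (CustomerId, Name) VALUES (2, N'O''Brien');  -- constructed row

DECLARE @input nvarchar(100);
SET @input = N'O''Brien';   -- a perfectly legitimate value that contains a quote

-- 1) Vulnerable pattern: the input becomes part of the statement text.
--    The quote inside the value closes the string literal early, so the
--    statement no longer means what the developer wrote; any input containing
--    quotes can change what the query does.
DECLARE @unsafe nvarchar(max);
SET @unsafe = N'SELECT CustomerId, Name FROM #Customers WHERE Name = '''
            + @input + N'''';
PRINT @unsafe;
-- prints: SELECT CustomerId, Name FROM #Customers WHERE Name = 'O'Brien'
-- (executing it fails with an unclosed quotation mark error)

-- 2) Hardened pattern: sp_executesql sends the statement and the value
--    separately. The value is only ever data and can never alter the SQL.
DECLARE @safe nvarchar(max);
SET @safe = N'SELECT CustomerId, Name FROM #Customers WHERE Name = @name';
EXEC sp_executesql @safe, N'@name nvarchar(100)', @name = @input;
-- returns one row: 2, O'Brien

DROP TABLE #Customers;
```

The PRINT line is there to make the problem visible without running the broken statement; in a real review you look for every place where application or procedure code assembles SQL text from request data and move each one to the parameterized form.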
trbal
Starting Member
4 Posts
Posted - 2012-05-24 : 13:49:55

Thanks Robvolk. I want to upload a screenshot but am not able to do it on tinypic as it times out. Any other way I can upload it? Maybe that will explain the process better. Got it, thanks again.
robvolk
Most Valuable Yak
15732 Posts
Posted - 2012-05-24 : 15:26:36

First thing I recommend doing is disabling xp_cmdshell on your SQL Server. You can do that with the following SQL:

    EXEC sp_configure 'show advanced options', '1';
    reconfigure;
    EXEC sp_configure 'xp_cmdshell', '0';
    reconfigure;

Next you should kill any cmd.exe process on the server, which you can do from the command line with:

    taskkill /IM cmd.exe

Note that will also kill the command window you run it in. You should recheck Task Manager to ensure all CMD.EXEs have terminated. If they spring up again, you've got a virus and you'll probably need to wipe the server and reinstall everything if your antivirus can't remove it.

This still doesn't protect you from SQL injection.

BTW you can also use http://imgur.com as an image host.
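As an added example (not code from the thread), here is the xp_cmdshell change above wrapped in the checks an administrator would want around it: read the current setting first, disable it, verify the change took effect, and then list which logins could simply turn it back on. It assumes SQL Server 2005 or later, where sys.configurations and sys.server_principals exist; the catalog views and columns used are standard, nothing in it is specific to this server.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+.

-- 1) Current state. value_in_use = 1 means T-SQL can launch OS commands,
--    which is exactly the sqlservr.exe -> cmd.exe chain described in the thread.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2) Disable it. RECONFIGURE after each step so the change is applied
--    immediately; hide advanced options again when done.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3) Verify: expect value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4) Disabling is only a speed bump for a sysadmin login, because any member
--    of the sysadmin role can run sp_configure again. If the web application's
--    login shows up in this list, that over-privileged login is the
--    architectural problem behind the re-infections.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

Step 4 is the part that connects this post back to the earlier one: an application login that is a member of sysadmin can re-enable xp_cmdshell through the same injection that disabled it, so the login used by the application should be reduced to the database permissions it actually needs.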
trbal
Starting Member
4 Posts
Posted - 2012-05-25 : 02:01:57

Thanks Rob. I first edited the registry and removed entries from MUICache (secedit.exe and cmd.exe), then removed a firewall rule, WAN to LAN, which I had created to allow access to the DB port. Now the thing is gone. As I had mentioned earlier, the server is running an updated version of ESET and I have scanned it with multiple spyware/virus/rootkit tools. Will keep a tab on it and see if something crops up again.