April 26, 2004 at 9:19 am
Hi All...
Been away for a bit.
I have been tracking a problem on several sql servers for the past week. Here are the symptoms:
1. CPU is pegged on affected servers. sqlservr.exe takes 90-100% consistently.
2. A packet scan reveals massive (6 Mbit sustained) outgoing traffic consisting of UDP packets, all the same size, being broadcast to 255.255.255.255 and cycling through the following ports: 2437, 2524, 1126, 1162, 1132, 1089 and 1106.
While this traffic is not making it out of our network, it is still causing us great headaches. It looks like slammer, but the affected servers are all Windows 2000 SP4 and SQL SP3a with the MS03-031 patch.
This thread may be related...
http://www.sqlservercentral.com/forums/shwmessage.aspx?forumid=6&messageid=112198
Could this be a variant of phatbot?
Sincerely,
Dan B
April 26, 2004 at 10:17 am
It also looks like it is trying to spoof the source IP and MAC address... For example, I have two NICs on this box - one with an internal, one with an external IP. The outgoing packets are using the IP from one and the MAC from the other.
-Dan B
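The two posts above describe three observable indicators: same-sized UDP packets to the limited broadcast address 255.255.255.255 cycling through a fixed port list, and a source MAC that belongs to a different NIC than the source IP. The script below is an added example (not from the thread or its participants) that scores those indicators over a constructed, one-line-per-packet capture summary; the log format, the interface table and the IP/MAC values are all assumptions made up for the demonstration.

```python
import re
from collections import Counter

# Destination ports the thread reports the UDP broadcasts cycling through.
SUSPECT_PORTS = {2437, 2524, 1126, 1162, 1132, 1089, 1106}
BROADCAST = "255.255.255.255"

# Assumed interface table for a two-NIC host like the one described (values constructed).
INTERFACES = {
    "10.0.0.5": "00:11:22:33:44:55",     # internal NIC (hypothetical)
    "203.0.113.7": "66:77:88:99:aa:bb",  # external NIC (hypothetical)
}

# Constructed packet summary lines, NOT real capture output.
# Format: <time> <proto> <src_ip> <src_mac> > <dst_ip>:<dst_port> len=<bytes>
SAMPLE_LOG = """\
09:18:01.001 UDP 203.0.113.7 00:11:22:33:44:55 > 255.255.255.255:2437 len=404
09:18:01.002 UDP 203.0.113.7 00:11:22:33:44:55 > 255.255.255.255:2524 len=404
09:18:01.003 UDP 203.0.113.7 00:11:22:33:44:55 > 255.255.255.255:1126 len=404
09:18:01.004 UDP 203.0.113.7 00:11:22:33:44:55 > 255.255.255.255:1162 len=404
09:18:01.005 TCP 10.0.0.5 00:11:22:33:44:55 > 10.0.0.20:1433 len=60
09:18:01.006 UDP 10.0.0.5 00:11:22:33:44:55 > 10.0.0.255:137 len=92
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>[A-Z]+)\s+(?P<src_ip>[\d.]+)\s+(?P<src_mac>[0-9a-f:]{17})"
    r"\s+>\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+len=(?P<length>\d+)$"
)


def parse(log_text):
    """Turn summary lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["dst_port"] = int(r["dst_port"])
        r["length"] = int(r["length"])
        records.append(r)
    return records


def analyze(records, interfaces, min_burst=3):
    """Score the three indicators from the thread: limited-broadcast UDP on the listed
    ports, uniform packet size, and a source MAC that does not belong to the source IP."""
    broadcasts = [r for r in records if r["proto"] == "UDP" and r["dst_ip"] == BROADCAST]
    suspect_ports = {r["dst_port"] for r in broadcasts} & SUSPECT_PORTS
    sizes = Counter(r["length"] for r in broadcasts)
    uniform_size = len(sizes) == 1 and len(broadcasts) >= min_burst
    # A packet whose source IP belongs to one NIC but whose source MAC belongs to another
    # matches the IP/MAC mix-up reported in the second post.
    mismatches = [
        r for r in broadcasts
        if r["src_ip"] in interfaces and interfaces[r["src_ip"]] != r["src_mac"]
    ]
    return {
        "broadcast_count": len(broadcasts),
        "suspect_ports": suspect_ports,
        "uniform_size": uniform_size,
        "spoof_mismatches": len(mismatches),
        "suspicious": bool(suspect_ports) and uniform_size,
    }


if __name__ == "__main__":
    print(analyze(parse(SAMPLE_LOG), INTERFACES))
```

The ordinary SQL Server traffic (TCP 1433) and the NetBIOS name-service broadcast to the subnet's directed broadcast address are left alone; only limited broadcasts to the listed ports count, and the verdict additionally requires a burst of identical sizes so a single stray datagram does not trip it.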
April 26, 2004 at 3:53 pm
What about the file sizes?
Here is a sampling of sqlservr.exe on several servers, including one brand new one.
sqlservr.exe size (sizeOnDisk)
Public Server - 7,544,916 (7,548,928)
Public Server - 7,544,916 (7,548,928)
Public Server - 7,544,916 (7,545,344)
Public Server - 7,544,916 (7,545,344)
Public Server - 7,544,916 (7,545,344)
NewServer - 7,520,337 (7,524,352)
Why would my new server with the same patches as the other servers have a sqlservr.exe of a different, smaller size?
Why do the public servers all have the same Size property, but differing sizeOnDisk properties? Note that the first two Public Servers are known to be affected by whatever this problem is...
Any thoughts?
Sincerely,
Dan B
April 27, 2004 at 10:33 am
Size on disk is based on individual disk geometry and how it was formatted.
The differences do not indicate the presence of a worm/virus.
AFAIK, there's no known worm that infects the SQL Server executable itself.
None of the ports listed are "well known ports".
I would suggest checking task manager to see what processes are running on each server.
Then check http://www.answersthatwork.com/Tasklist_pages/tasklist.htm to identify every single one of them.
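The reply's point about size on disk can be checked directly against the numbers Dan quoted: size on disk is the logical size rounded up to a whole number of allocation units (clusters), so the same file shows different values on volumes formatted with different cluster sizes. The script below is an added example (not from the thread); it takes the six size/size-on-disk pairs from the earlier post, and the list of candidate cluster sizes is an assumption covering the allocation unit sizes Windows volumes are commonly formatted with.

```python
# Size and size-on-disk values quoted in the thread (bytes), with the labels used there.
SAMPLES = [
    ("Public Server (affected)", 7_544_916, 7_548_928),
    ("Public Server (affected)", 7_544_916, 7_548_928),
    ("Public Server", 7_544_916, 7_545_344),
    ("Public Server", 7_544_916, 7_545_344),
    ("Public Server", 7_544_916, 7_545_344),
    ("NewServer", 7_520_337, 7_524_352),
]

# Assumed set of allocation unit sizes to test; 512 and 4096 bytes are the usual ones.
CLUSTER_CANDIDATES = (512, 1024, 2048, 4096, 8192, 16384, 32768, 65536)


def size_on_disk(size_bytes, cluster_bytes):
    """Round a file's logical size up to a whole number of clusters (integer ceiling)."""
    clusters = -(-size_bytes // cluster_bytes)
    return clusters * cluster_bytes


def infer_cluster_sizes(size_bytes, on_disk_bytes, candidates=CLUSTER_CANDIDATES):
    """Return every candidate cluster size that reproduces the observed size on disk."""
    return [c for c in candidates if size_on_disk(size_bytes, c) == on_disk_bytes]


def explain(samples):
    """For each sample, the cluster size(s) that account for its size on disk."""
    return [(label, size, infer_cluster_sizes(size, on_disk)) for label, size, on_disk in samples]


def distinct_logical_sizes(samples):
    """Logical sizes differ only when file contents differ; cluster size never changes them."""
    return sorted({size for _, size, _ in samples})


if __name__ == "__main__":
    for label, size, clusters in explain(SAMPLES):
        print(f"{label:26} size={size:,}  explained by cluster size {clusters}")
    print("distinct logical sizes:", distinct_logical_sizes(SAMPLES))
```

Run against the quoted numbers, every size-on-disk value is reproduced by exactly one cluster size: 4096 bytes for the two affected public servers and the new server, 512 bytes for the other three. That accounts for the sizeOnDisk differences without any change to the file itself. The one thing cluster arithmetic cannot explain is the different Size on NewServer (7,520,337 versus 7,544,916), which means a different file; comparing a cryptographic hash of sqlservr.exe across the servers and against the vendor's build is the way to settle whether that is the expected binary.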
April 27, 2004 at 10:42 am
Thanks for the reply.
Unfortunately there is nothing out of the ordinary running under TM unless a legit exe has been replaced with a hacked one. Likewise there are no new entries under the Run or RunOnce registry keys and nothing under Startup.
Memory is not out of the ordinary, and nothing screams out when I run profiler. In fact database transactions appear to be minimal for the CPU load the server is reporting. That is why I thought something might have altered the sqlservr.exe file in some way...
Several hours with Microsoft PSS and we are no closer to a solution.
-Dan B
April 27, 2004 at 2:16 pm
I can't believe that no one else has encountered anything like this...
Makes me think I'm imagining things.
April 29, 2004 at 11:19 am
bump