Friday, March 23, 2012

New SQL Server 2000 worm?

Hi all.

My SQL Server 2000 SP4 installation running on Windows 2003 server (SP1, all patches current) has been infected TWICE by something that Sophos can't detect.

The symptoms are that an account called SQLsys is created on the machine and is made an administrator.

A service called "ApptoService spoolsrv" is created. An executable called syss.exe is also created in a few places. After infection the machine immediately starts attacking other computers on the network.

I had Windows Firewall running, with ports open for SQL server and Remote Desktop.

I ran the MBSA; it didn't find anything open.

I even ran the beta MS web tool for scanning; it didn't detect any trojans.

I'm going to be restoring the machine (AGAIN), but I wish I knew what security hole is being found! Any ideas?

Please try changing your SA account password. Try a complicated password that has numbers, letters, and symbols in it. Also, do not allow your SQL Server to have inbound access to the internet. At the very least block port 1433 on your firewall.

Have you noticed this issue again after setting a strong SA password?

Thanks
Laurentiu

Try using Windows Defender beta, which is a good one to catch such trojans and spyware. Also check for any spurious activity on the SQL Server by referring to data and log file usage with an audit trail.
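As an added example that is not part of this thread: a read-only host check, run from an elevated PowerShell prompt on the SQL Server machine, for the indicators the original poster describes (the local account SQLsys, the "ApptoService spoolsrv" service, copies of syss.exe) plus the exposed-port point raised in the reply (whether TCP 1433 is listening at all). The indicator names come from the post; the directories searched, the use of WMI/ADSI (chosen so the script also runs on older PowerShell versions), and the output format are assumptions made for this example.

```powershell
# Added example, not from the thread: look for the indicators described in the post.
# Indicator names (SQLsys, "ApptoService spoolsrv", syss.exe) are from the post;
# search roots and output format are assumptions. Run elevated; it changes nothing.

$findings = @()

# 1. Local account "SQLsys" and whether it sits in the local Administrators group
$user = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='SQLsys'"
if ($user) {
    $findings += "local account 'SQLsys' exists (SID $($user.SID))"
    $admins = ([ADSI]"WinNT://./Administrators,group").psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($admins -contains 'SQLsys') {
        $findings += "'SQLsys' is a member of the local Administrators group"
    }
}

# 2. Services whose name, display name or binary path match the reported service
$svcs = Get-WmiObject Win32_Service | Where-Object {
    $_.Name -like '*spoolsrv*' -or
    $_.DisplayName -like '*ApptoService*' -or
    $_.PathName -match 'syss\.exe'
}
foreach ($s in $svcs) {
    $findings += "service '$($s.Name)' ('$($s.DisplayName)') state=$($s.State) path=$($s.PathName)"
}

# 3. Copies of syss.exe (the post says it shows up "in a few places"); roots are assumed
$roots = @($env:SystemRoot, $env:ProgramFiles, "$env:SystemDrive\")
$files = Get-ChildItem -Path $roots -Filter 'syss.exe' -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in ($files | Sort-Object FullName -Unique)) {
    $findings += "file $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 4. Is TCP 1433 listening? The reply advises that this port must not be reachable
#    from the internet; this only shows whether the listener exists, not who can reach it.
$listen = netstat -ano | Select-String ':1433\s+\S+\s+LISTENING'
if ($listen) {
    $findings += "TCP 1433 is listening: $(($listen | ForEach-Object { $_.Line.Trim() }) -join '; ')"
}

# Report; non-zero exit code lets a scheduled run flag the host
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found on this host.'
    exit 0
}
Write-Output 'Indicators found:'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

A clean result from this script only means these particular indicators are absent; it does not prove the cause of the original compromise. If the SQLsys account or the service is found, the host should be treated as compromised and rebuilt, as the poster was already doing, and the SA password and firewall exposure of port 1433 reviewed before the rebuilt machine is put back on the network.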
