
SQL Servers are hacked and under control



Hi Dears.

In the past two weeks our support team has found some SQL Servers infected with this problem:

Many ESET FS event log entries show sqlservr.exe trying to download hxxp://dl.love-network.cc/SqlBase.exe

So ESET blocks it with Web Access Protection.

Info: port 1433 was open to the internet. (We force customers to secure this port with a VPN or ...)

How can we find where these commands are run from, so we can clean it manually?

This is the ESET Log Collector log : https://we.tl/t-OeSUn9AXTc

 

Parjin.jpg


As we analyzed sqlBase.exe:

It's a Trojan downloader that installs a coin miner (SqlConn.exe), which ESET detects as Win64/CoinMiner.FQ.

But we still did not find how SQL Server runs the download command!? No job or scheduled task, ...

 

Miner.jpg

Miner2.jpg

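The post above says no Agent job or scheduled task was found. The places a compromised SQL Server instance usually gets its "run this OS command" ability from are inside the instance itself: xp_cmdshell, OLE Automation (sp_OACreate), startup stored procedures, user CLR assemblies, server/logon triggers, Agent job steps and the plan cache. The following PowerShell script is an added example, not code from the thread or from ESET; it assumes you run it as a sysadmin on the instance, that the instance name passed in `-Instance` is correct, and it uses only the built-in .NET SqlClient so no SQL module is needed. The search terms for the plan cache (love-network, SqlBase) are taken from the thread.

```powershell
# Added example (not from the thread): hunt for the in-instance persistence
# that lets sqlservr.exe spawn downloaders. Assumes sysadmin rights.
param([string]$Instance = "localhost")   # assumed; use SERVER\INSTANCE for named instances

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=True"
$conn.Open()

# Run one query and print its result set with a heading.
function Invoke-Check {
    param([string]$Name, [string]$Sql)
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $table = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)
    Write-Host "=== $Name ($($table.Rows.Count) rows) ==="
    $table | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
}

# Single-quoted here-strings so PowerShell does not expand T-SQL's @variables.
$checks = [ordered]@{
  'Server options that allow OS command or COM execution' = @'
SELECT name, value_in_use FROM sys.configurations
WHERE name IN ('xp_cmdshell','Ole Automation Procedures','clr enabled','Agent XPs');
'@
  'Procedures marked to run at instance startup' = @'
SELECT name, create_date, modify_date FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;
'@
  'Server-level (logon/DDL) triggers' = @'
SELECT name, type_desc, create_date, modify_date, is_disabled FROM sys.server_triggers;
'@
  'User CLR assemblies in every online database' = @'
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT ' + QUOTENAME(name, '''') + N' AS db, name, permission_set_desc, create_date FROM '
             + QUOTENAME(name) + N'.sys.assemblies WHERE is_user_defined = 1'
FROM sys.databases WHERE state_desc = 'ONLINE';
SET @sql = STUFF(@sql, 1, 11, N'');   -- drop the leading ' UNION ALL '
IF @sql IS NOT NULL AND LEN(@sql) > 0 EXEC sp_executesql @sql;
'@
  'Stored code in any database that calls xp_cmdshell / OLE automation / a URL' = @'
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT ' + QUOTENAME(name, '''') + N' AS db, OBJECT_NAME(m.object_id, DB_ID('
             + QUOTENAME(name, '''') + N')) AS obj, LEFT(m.definition, 200) AS snippet FROM '
             + QUOTENAME(name) + N'.sys.sql_modules AS m WHERE m.definition LIKE ''%xp_cmdshell%'''
             + N' OR m.definition LIKE ''%sp_OA%'' OR m.definition LIKE ''%http%'''
FROM sys.databases WHERE state_desc = 'ONLINE';
SET @sql = STUFF(@sql, 1, 11, N'');
IF @sql IS NOT NULL AND LEN(@sql) > 0 EXEC sp_executesql @sql;
'@
  'Agent job steps that run shell/PowerShell or reference xp_cmdshell or a URL' = @'
SELECT j.name, j.enabled, j.date_created, j.date_modified, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec','PowerShell') OR s.command LIKE '%xp_cmdshell%' OR s.command LIKE '%http%';
'@
  'Recent statements in the plan cache (survives until restart/eviction)' = @'
SELECT TOP (20) qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%' OR st.text LIKE '%sp_OACreate%'
   OR st.text LIKE '%love-network%' OR st.text LIKE '%SqlBase%'
ORDER BY qs.last_execution_time DESC;
'@
  'Logins changed in the last 30 days and current sysadmin members' = @'
SELECT p.name, p.type_desc, p.create_date, p.modify_date, p.is_disabled,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', p.name) = 1 THEN 'sysadmin' ELSE '' END AS role
FROM sys.server_principals AS p
WHERE p.type IN ('S','U','G')
  AND (p.modify_date > DATEADD(day, -30, GETDATE()) OR IS_SRVROLEMEMBER('sysadmin', p.name) = 1)
ORDER BY p.modify_date DESC;
'@
}

foreach ($entry in $checks.GetEnumerator()) { Invoke-Check -Name $entry.Key -Sql $entry.Value }
$conn.Close()
```

If xp_cmdshell shows `value_in_use = 1` and nothing in the thread's own administration enabled it, that alone explains how sqlservr.exe can launch a download: the attacker only needs a sysadmin login (brute-forced over the exposed port 1433) and a T-SQL session, with no job or task left on disk. The plan-cache query is the quickest way to see the literal command that was executed, but it is lost on restart, so run it before rebooting the server.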

For starters on an infected device check if the following exists:

%WINDIR%\FONTS\SQLCONN.EXE


36 minutes ago, itman said:

For starters on an infected device check if the following exists:

%WINDIR%\FONTS\SQLCONN.EXE

Dear @itman,

There is no SQLCONN.EXE in that location; we can't even find sqlconn.exe in the SysInspector log ( https://we.tl/t-OeSUn9AXTc ).


What about sqlbase.exe since this is the malicious parent process? Does that show in SysInspector?

BTW - I believe a malicious sqlbase engine was installed.

Also, it appears you found the malicious versions of sqlbase.exe and sqlconn.exe, since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices?

Also submit sqlservr.exe on one of these devices with issues to VirusTotal for a scan.


5 hours ago, itman said:

What about sqlbase.exe since this is the malicious parent process? Does that show in SysInspector?

BTW - I believe a malicious sqlbase engine was installed.

Also, it appears you found the malicious versions of sqlbase.exe and sqlconn.exe, since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices?

Also submit sqlservr.exe on one of these devices with issues to VirusTotal for a scan.

The screenshot is from our test system.

On the SQL server we just see that ESET blocks hxxp://dl.love-network.cc/SqlBase.exe

It means that C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe
and ESET blocks it.

We are searching for the source of these commands.


23 hours ago, kamiran.asia said:

It means that C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe
and ESET blocks it.

You might want to refer to this article:

Quote

The Mrbminer investigation begins with the Microsoft SQL Server (sqlservr.exe) process launching a file called assm.exe, a downloader Trojan. The assm.exe program downloads the cryptominer payload from a web server, then connects to its command-and-control server to report the successful download and execution of the miner.

Also of note:

Quote

While our records don’t reveal exactly how the malware gained a foothold on the database servers, it stands to reason the attackers may have used similar techniques as the MyKings, Lemon_Duck, or Kingminer miners, whose attack methods we have documented in previous articles.

https://www.sophos.com/en-us/press-office/press-releases/2021/01/sophos-identifies-source-of-mrbminer-attacks-targeting-database-servers.aspx

-EDIT- In regards to the "similar techniques" referenced above: all of them employed some form of brute force attack against the server and/or exploitation of system vulnerabilities.

Since it appears sqlservr.exe in your situation is directly initiating the Trojan download attempt, I assume some type of code injection is being performed against it. Again, this assumes that sqlservr.exe is a legit Windows file.

Or, if the server has been compromised and is accessible to the attacker, any method he chooses could be used to initiate further malicious download activity.

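The reply above leaves two hypotheses open: a genuine sqlservr.exe driven by attacker T-SQL, or a tampered/injected sqlservr.exe. Both can be separated from the OS side. The script below is an added example, not from the thread, ESET or Sophos; it assumes an elevated PowerShell on the SQL host, the default instance (service name MSSQLSERVER), and that process-creation auditing with command-line logging (Security event 4688) or Sysmon (event 1) is enabled, otherwise the history step prints nothing. It checks the Authenticode signature of the service binary and of every DLL loaded into the running process, then lists every child process sqlservr.exe ever spawned, which is where an xp_cmdshell or sp_OACreate download shows up as a cmd.exe, powershell.exe or certutil.exe child.

```powershell
# Added example (not from the thread): OS-side triage of a SQL Server host.
# Assumes elevation, the default instance (MSSQLSERVER) and 4688/Sysmon logging.

# Turn an event's <EventData> into a name -> value hashtable (4688 and Sysmon 1 alike).
function Get-EventData {
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Is the service binary the genuine, Microsoft-signed sqlservr.exe?
$svc = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"   # instance name assumed
$exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
$sig = Get-AuthenticodeSignature -FilePath $exe
"{0}`n  signature: {1}`n  signer: {2}" -f $exe, $sig.Status, $sig.SignerCertificate.Subject

# 2. Modules loaded in the live process that are unsigned or sit outside the
#    Windows / Program Files trees (e.g. %WINDIR%\Fonts, %TEMP%): injection or a planted DLL.
Get-Process -Name sqlservr | ForEach-Object { $_.Modules } | ForEach-Object {
    $s = Get-AuthenticodeSignature -FilePath $_.FileName
    [pscustomobject]@{ Module = $_.FileName; Status = $s.Status; Signer = $s.SignerCertificate.Subject }
} | Where-Object { $_.Status -ne 'Valid' -or $_.Module -notmatch '^C:\\(Windows|Program Files)' } |
  Format-Table -AutoSize

# 3. Process-creation history: every child of sqlservr.exe, from both sources.
$children = New-Object System.Collections.Generic.List[object]

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d['ParentProcessName'] -like '*\sqlservr.exe') {
        $children.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security/4688';
                                         Child = $d['NewProcessName']; CommandLine = $d['CommandLine'] })
    }
  }

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d['ParentImage'] -like '*\sqlservr.exe') {
        $children.Add([pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon/1';
                                         Child = $d['Image']; CommandLine = $d['CommandLine'] })
    }
  }

$children | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# 4. Exposure: is the instance still listening for TCP 1433 on a non-loopback address?
Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue |
  Select-Object LocalAddress, LocalPort, OwningProcess
```

A valid Microsoft signature on the binary plus only validly signed modules in the process argues against injection and for the simpler explanation, attacker T-SQL over the exposed port. Note that Security event 4688 only carries the ParentProcessName field on Windows 10 / Server 2016 and later; on older servers rely on the Sysmon query or on the instance-side checks.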
