Posted

Dear colleagues, please tell me the solution

28.12.2021 20:34:57    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:51698    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
27.12.2021 8:20:13    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:63804    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
27.12.2021 2:25:38    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:64184    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
26.12.2021 13:57:13    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:54972    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    

  • Administrators
Posted

First of all make sure that the server is fully updated and all MS SQL security updates are installed. I'd also recommend changing the SA account password. Should the detection continue, please provide logs collected with ESET Log Collector for a start.

  • Most Valued Members
Posted

Block the IP also that is shown on the detection to prevent it from communicating again after doing Marcos' instructions

Posted
14 minutes ago, Nightowl said:

Block the IP also that is shown on the detection to prevent it from communicating again after doing Marcos' instructions

The address is blocked by the antivirus. Most likely, a startup script from the MSSQL database is registered; it is launched on a schedule.

  • Most Valued Members
Posted
12 minutes ago, safety said:

The address is blocked by the antivirus. Most likely, a startup script from the MSSQL database is registered; it is launched on a schedule.

If ESET is still giving detections and communications to the IP that was logged at port 80, then it's not blocked, because the communication has been made and ESET has blocked/dropped it as suspicious botnet activity. Blocking the IP totally for all ports can help prevent further communications to the botnet server.

Posted (edited)

Can the command line of the running processes indicate that the malicious script is being launched from the MSSQL database? (information from the autorun image in uVS)

[attached image: uVS autorun listing]

Logs from the ESET Log Collector log:

30.12.2021 7:17:29    HTTP filter    file   hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).    8BA67F4047A96BA9DDF5D9CC4657110A815DB322    30.12.2021 14:15:00    
30.12.2021 7:14:34    HTTP filter    file   hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).    8BA67F4047A96BA9DDF5D9CC4657110A815DB322    30.12.2021 14:12:05    
30.12.2021 7:11:54    HTTP filter    file   hxxp://60.191.60.194:18396/57BC9B7E.Png  PowerShell/Exploit.Agent.G trojan    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (9F1E24917EF96BBB339F4E2A226ACAFD1009F47B).    B30DC310B587F19FE7E7FEC7F306286263CAF240        

Edited by safety

  • ESET Staff
Posted

Your symptoms indicate that your MS SQL server may be compromised. Some things you will want to immediately do are:

  • Ensure MS SQL ports are not exposed to the internet. Typically this will be port 1433 but could be a different port.
  • Audit existing MS SQL user accounts and disable and/or reset the password for all accounts (may need to do this for Windows accounts too as MS SQL can allow the use of Windows Authentication for management)
  • Generate ESET Log Collector logs

Check for the following SQL Settings being enabled as they can be abused by attackers:

  • 'xp_cmdshell' - Allows SQL to execute external applications like cmd.exe, powershell.exe or others.
  • 'Ole Automation Procedures' - Allows SQL to execute OLE (similar to MS Office macros) and can lead to SQL executing external applications, making network connections, etc.
  • 'show advanced options' - Allows advanced features of SQL to be used (this allows the above features to be used).

There are multiple ways MS SQL can be leveraged to execute malicious code. The most popular are:

  • Stored Procedures - Can be scheduled inside of MS SQL to execute at specific intervals
  • Triggers - There are 3 types of triggers:
    • DDL (Data Definition Language) - executes code whenever statements like CREATE, ALTER, DROP are used.
    • LOGIN - executes code whenever a user logs into the MS SQL system.
    • DML (Data Manipulation Language) - executes code whenever statements like INSERT, UPDATE, DELETE are used.
  • .NET - MS SQL does have the ability to execute .NET libraries, but this is much harder and rarer to see.

I will send you a direct message with some more specific pointers on identifying if your SQL Server is currently compromised. 
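
As an added example (not part of any post in this thread, and not ESET's or Microsoft's tooling), the following read-only T-SQL audit covers both lists above: the server options that can be abused ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures', plus the CLR switch behind the .NET path) and the persistence points (scheduled SQL Agent jobs, startup stored procedures, LOGON and DDL server triggers, DDL/DML database triggers, user CLR assemblies). It assumes you run it in SSMS or sqlcmd as a sysadmin login on the affected instance; every name it returns comes from the server itself, nothing is hard-coded. The remediation statements at the end are commented out so the script changes nothing until you have read the results.

```sql
-- Added example, not code from the thread: read-only audit of the MS SQL
-- settings and persistence points discussed in the post above.
-- Assumption: executed as sysadmin on the affected instance.
USE master;
SET NOCOUNT ON;

-- 1. Abusable server options. value_in_use = 1 means enabled right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell',
               'Ole Automation Procedures', 'clr enabled', 'clr strict security');

-- 2. Logins: review creation/modification dates and disabled state.
SELECT name, is_disabled, create_date, modify_date
FROM sys.sql_logins
ORDER BY modify_date DESC;

-- 3. SQL Agent jobs, the "scheduled" execution path. Flag CmdExec/PowerShell
--    steps and T-SQL steps that reach out of the engine.
SELECT j.name AS job_name, j.enabled, j.date_created, j.date_modified,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%'
   OR s.command LIKE '%powershell%'
ORDER BY j.date_modified DESC;

-- 4. Startup stored procedures: run automatically each time the service starts.
SELECT SCHEMA_NAME(schema_id) + '.' + name AS proc_name, create_date, modify_date,
       OBJECT_DEFINITION(object_id) AS definition
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 5. Server-level triggers, including LOGON triggers (fire on every login).
SELECT t.name, t.type_desc, t.is_disabled, t.create_date, t.modify_date,
       e.type_desc AS fires_on, m.definition
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS e ON e.object_id = t.object_id
JOIN sys.server_sql_modules   AS m ON m.object_id = t.object_id;

-- 6. Per database: DDL triggers (parent DATABASE), DML triggers (parent table)
--    and user-defined CLR assemblies (the .NET path). Built-in assemblies are
--    excluded by is_user_defined = 1.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
SELECT DB_NAME() AS db, t.name, t.parent_class_desc, t.type_desc, t.is_disabled,
       t.create_date, t.modify_date, OBJECT_DEFINITION(t.object_id) AS definition
FROM sys.triggers AS t;
SELECT DB_NAME() AS db, a.name, a.permission_set_desc, a.create_date, a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- 7. Hardened state for step 1, to apply only after the audit and only if no
--    legitimate workload depends on these features (left commented on purpose).
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;             RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

Save the result sets before disabling anything: the job commands, trigger and procedure definitions are the evidence that tells you what the scheduled script was doing and which external binaries (the thread's logs show powershell.exe and msiexec.exe spawned under sqlservr.exe) it launched.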
