Suspected botnet detected


safety

Dear colleagues, please tell me the solution

28.12.2021 20:34:57    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:51698    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
27.12.2021 8:20:13    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:63804    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
27.12.2021 2:25:38    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:64184    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    
26.12.2021 13:57:13    Suspected botnet detected    Blocked    14.33.33.206:80    192.168.1.123:54972    TCP    JS/Agent.NUN    C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe    NT AUTHORITY\SYSTEM    

  • Administrators

First of all make sure that the server is fully updated and all MS SQL security updates are installed. I'd also recommend changing the SA account password. Should the detection continue, please provide logs collected with ESET Log Collector for a start.


  • Most Valued Members

Block the IP also that is shown on the detection to prevent it from communicating again after doing Marcos' instructions.


14 minutes ago, Nightowl said:

Block the IP also that is shown on the detection to prevent it from communicating again after doing Marcos' instructions

The address is blocked by the antivirus. Most likely, a startup script from the MSSQL database is registered; it is launched on a schedule.


  • Most Valued Members
12 minutes ago, safety said:

the address is blocked by the antivirus. Most likely, a startup script from the MSSQL database is registered, it is launched on a schedule

If ESET is still giving detections and communications to the IP that was logged at port 80, then it's not blocked, because the communication has been made and ESET has blocked/dropped it as suspicious botnet activity. Blocking the IP totally for all ports can help prevent further communications to the botnet server.


Can the command line indicate the running processes that the malicious script is being launched from the MSSQL database? (Information from the autorun image in uVS.)

Logs from the ESET Log Collector log:

 

Quote

30.12.2021 7:17:29    HTTP filter    file   hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).    8BA67F4047A96BA9DDF5D9CC4657110A815DB322    30.12.2021 14:15:00    
30.12.2021 7:14:34    HTTP filter    file   hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).    8BA67F4047A96BA9DDF5D9CC4657110A815DB322    30.12.2021 14:12:05    
30.12.2021 7:11:54    HTTP filter    file   hxxp://60.191.60.194:18396/57BC9B7E.Png  PowerShell/Exploit.Agent.G trojan    connection terminated    NT AUTHORITY\SYSTEM    Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (9F1E24917EF96BBB339F4E2A226ACAFD1009F47B).    B30DC310B587F19FE7E7FEC7F306286263CAF240        

 

Edited by safety

  • ESET Staff

Your symptoms indicate that your MS SQL server may be compromised. Some things you will want to immediately do are:

  • Ensure MS SQL ports are not exposed to the internet. Typically this will be port 1433 but could be a different port.
  • Audit existing MS SQL user accounts and disable and/or reset the password for all accounts (may need to do this for Windows accounts too, as MS SQL can allow the use of Windows Authentication for management).
  • Generate ESET Log Collector logs.

Check for the following SQL settings being enabled, as they can be abused by attackers:

  • 'xp_cmdshell' - Allows SQL to execute external applications like CMD.exe or Powershell.exe or other.
  • 'Ole Automation Procedures' - Allows SQL to execute OLE (similar to MS Office macros) and can lead to SQL executing external applications, making network connections, etc.
  • 'show advanced options' - Allows advanced features of SQL to be used (this allows the above features to be used).

There are multiple ways MS SQL can be leveraged to execute malicious code. The most popular are:

  • Stored Procedures - Can be scheduled inside of MS SQL to execute at specific intervals.
  • Triggers - There are 3 types of triggers:
    • DDL (Data Definition Language) - Executes code whenever statements like CREATE, ALTER, DROP are used.
    • LOGIN - Executes code whenever a user logs into the MS SQL system.
    • DML (Data Manipulation Language) - Executes code whenever statements like INSERT, UPDATE, DELETE are used.
  • .NET - MS SQL does have the ability to execute .NET libraries, but this is much harder and rarer to see.

I will send you a direct message with some more specific pointers on identifying if your SQL Server is currently compromised.

This topic is now closed to further replies.
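
The checks listed in the ESET Staff reply above can be run as one read-only T-SQL audit. This is an added example, not part of the original thread and not ESET's own guidance; it assumes a sysadmin login, and the `clr enabled` setting, the startup-procedure check and the SQL Agent job listing are additions chosen here to cover the ".NET" and "scheduled" items in that reply.

```sql
-- Read-only audit: every statement is a SELECT, nothing is changed.
SET NOCOUNT ON;
USE master;

-- 1. Settings named in the reply; value_in_use = 1 means currently enabled.
--    'clr enabled' is added here because it gates .NET assemblies.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'show advanced options', N'clr enabled');

-- 2. Server-level triggers (DDL and LOGON), most recently changed first.
SELECT t.name, t.type_desc, t.is_disabled, t.modify_date, m.definition
FROM sys.server_triggers AS t
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
ORDER BY t.modify_date DESC;

-- 3. Procedures in master flagged to run every time the instance starts.
SELECT name, create_date, modify_date
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 4. SQL Agent job steps: what is scheduled and what each step executes.
SELECT j.name AS job_name, j.enabled, j.date_modified,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_modified DESC;

-- 5. DML and database-level DDL triggers in the current database.
--    Repeat sections 5-7 after USE <each user database>.
SELECT t.name, t.parent_class_desc, t.is_disabled, t.modify_date, m.definition
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
ORDER BY t.modify_date DESC;

-- 6. Any module whose source calls the features listed in the reply.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id) AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE N'%xp_cmdshell%'
   OR m.definition LIKE N'%sp_OACreate%';

-- 7. User-defined .NET assemblies and their permission level.
SELECT name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;
```

Objects with a `modify_date` or `date_modified` close to the first detection in the ESET log are the ones to review first.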