safety, posted December 29, 2021

Dear colleagues, please tell me the solution.

28.12.2021 20:34:57  Suspected botnet detected  Blocked  14.33.33.206:80  192.168.1.123:51698  TCP  JS/Agent.NUN  C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe  NT AUTHORITY\SYSTEM
27.12.2021 8:20:13  Suspected botnet detected  Blocked  14.33.33.206:80  192.168.1.123:63804  TCP  JS/Agent.NUN  C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe  NT AUTHORITY\SYSTEM
27.12.2021 2:25:38  Suspected botnet detected  Blocked  14.33.33.206:80  192.168.1.123:64184  TCP  JS/Agent.NUN  C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe  NT AUTHORITY\SYSTEM
26.12.2021 13:57:13  Suspected botnet detected  Blocked  14.33.33.206:80  192.168.1.123:54972  TCP  JS/Agent.NUN  C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe  NT AUTHORITY\SYSTEM
Marcos (Administrators), posted December 29, 2021

First of all, make sure that the server is fully updated and all MS SQL security updates are installed. I'd also recommend changing the SA account password. Should the detection continue, please provide logs collected with ESET Log Collector for a start.
Nightowl (Most Valued Members), posted December 29, 2021

Also block the IP that is shown in the detection, to prevent it from communicating again, after doing Marcos' instructions.
safety (Author), posted December 29, 2021

14 minutes ago, Nightowl said:
    Also block the IP that is shown in the detection, to prevent it from communicating again, after doing Marcos' instructions.

The address is blocked by the antivirus. Most likely, a startup script is registered in the MSSQL database and is launched on a schedule.
Nightowl (Most Valued Members), posted December 29, 2021

12 minutes ago, safety said:
    The address is blocked by the antivirus. Most likely, a startup script is registered in the MSSQL database and is launched on a schedule.

If ESET is still giving detections of communications to the IP that was logged on port 80, then it's not blocked, because the communication has been made and ESET has blocked/dropped it as suspicious botnet activity. Blocking the IP totally for all ports can help prevent further communications to the botnet server.
safety (Author), posted December 30, 2021 (edited)

Can the command line of the running processes indicate that the malicious script is being launched from the MSSQL database? (information from the autorun image in uVS)

Logs from ESET Log Collector:

30.12.2021 7:17:29  HTTP filter  file  hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats  connection terminated  NT AUTHORITY\SYSTEM  Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).  8BA67F4047A96BA9DDF5D9CC4657110A815DB322  30.12.2021 14:15:00
30.12.2021 7:14:34  HTTP filter  file  hxxp://218.90.210.102:19840/0CFA042F.Png  multiple threats  connection terminated  NT AUTHORITY\SYSTEM  Event occurred during an attempt to access the web by the application: C:\Windows\System32\msiexec.exe (79CC1A09650FB1ADA6017E885A1C1E6D4FB4150E).  8BA67F4047A96BA9DDF5D9CC4657110A815DB322  30.12.2021 14:12:05
30.12.2021 7:11:54  HTTP filter  file  hxxp://60.191.60.194:18396/57BC9B7E.Png  PowerShell/Exploit.Agent.G trojan  connection terminated  NT AUTHORITY\SYSTEM  Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (9F1E24917EF96BBB339F4E2A226ACAFD1009F47B).  B30DC310B587F19FE7E7FEC7F306286263CAF240

Edited December 30, 2021 by safety
JamesR (ESET Staff), posted December 30, 2021

Your symptoms indicate that your MS SQL server may be compromised. Some things you will want to do immediately are:

- Ensure MS SQL ports are not exposed to the internet. Typically this will be port 1433 but could be a different port.
- Audit existing MS SQL user accounts and disable and/or reset the password for all accounts (you may need to do this for Windows accounts too, as MS SQL can allow the use of Windows Authentication for management).
- Generate ESET Log Collector logs.
- Check for the following SQL settings being enabled, as they can be abused by attackers:
  - 'xp_cmdshell' - Allows SQL to execute external applications like CMD.exe or Powershell.exe or other.
  - 'Ole Automation Procedures' - Allows SQL to execute OLE (similar to MS Office macros) and can lead to SQL executing external applications, making network connections, etc.
  - 'show advanced options' - Allows advanced features of SQL to be used (this allows the above features to be used).

There are multiple ways MS SQL can be leveraged to execute malicious code. The most popular are:

- Stored Procedures - Can be scheduled inside of MS SQL to execute at specific intervals.
- Triggers - There are 3 types of triggers:
  - DDL (Data Definition Language) - executes code whenever statements like CREATE, ALTER, DROP are used.
  - LOGIN - Executes code whenever a user logs into the MS SQL system.
  - DML (Data Manipulation Language) - executes code whenever statements like INSERT, UPDATE, DELETE are used.
- .NET - MS SQL does have the ability to execute .NET libraries, but this is much harder and rarer to see.

I will send you a direct message with some more specific pointers on identifying if your SQL Server is currently compromised.
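The following T-SQL audit is an added example, not code from the thread or from ESET: run as a sysadmin in SSMS or sqlcmd, it reads the catalog views for every execution path named above (surface-area options, startup procedures, server and database triggers, CLR assemblies, SQL Agent jobs) and changes nothing. It uses only standard catalog views plus the undocumented but long-standing sp_MSforeachdb.

```sql
USE master;
SET NOCOUNT ON;

-- 1. Surface-area options listed in the thread: value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell',
               'Ole Automation Procedures', 'clr enabled');

-- 2. Startup procedures in master: run automatically every time the service
--    starts, which matches the "startup script" the poster suspects.
SELECT name, OBJECT_DEFINITION(object_id) AS definition
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 3. Server-level triggers: LOGON triggers fire on every login, DDL server
--    triggers on CREATE/ALTER/DROP at instance scope.
SELECT t.name, e.type_desc AS fires_on, t.is_disabled, m.definition
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS e ON e.object_id = t.object_id
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id;

-- 4. Per-database DDL and DML triggers plus user CLR assemblies (the .NET
--    path). sp_MSforeachdb runs the batch once in every database.
EXEC sp_MSforeachdb N'USE [?];
SELECT DB_NAME() AS db, t.name, t.parent_class_desc, t.is_disabled,
       LEFT(m.definition, 200) AS definition_head
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE t.is_ms_shipped = 0;
SELECT DB_NAME() AS db, name, permission_set_desc
FROM sys.assemblies
WHERE is_user_defined = 1;';

-- 5. SQL Agent jobs: the normal way to run T-SQL, CmdExec or PowerShell steps
--    on a schedule. Review any command you do not recognise.
SELECT j.name AS job_name, j.enabled, s.step_id, s.subsystem,
       LEFT(s.command, 200) AS command_head
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.name, s.step_id;
```

Any non-empty result in sections 2 to 5 that nobody on the team can account for is worth preserving (script out the object before dropping it) so the Log Collector output and the SQL findings can be correlated.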