11:33 The story of one stupid | |
| A little story about xp_cmdshell, stored procedures from Microsoft Sql Server. It is on the home computer I have Sql Server 2008 Express, use it for development of various Bd. It took me once to communicate with it remotely. Including TCP protocol on non-standard port, set up a standard vindovyh firewall, disabled the sa kerf separate uchetku to edit only one database. Everything was set up - worked fine. And once I urgently needed access to a single file on a home computer, and where it is and the name has been forgotten (old file was). The situation was such that no other access to the computer I have not had, nor the standard rdp, or some third party applications. Available only had a wife who can do with computer on orders, in principle, anything, except that the independent search for the desired file. All I did ask her to go out of their session and log in using my uchetki (reset her password by SMS), to include Managment Studio and activate the login sa and password 123456 (I as I had hoped for a couple of hours). When the procedure was done - I was able to calmly zaloginitsya under sa. After this, the first thing I let run xp_cmdshell, and proceeded to search for a file through the console. Through "a couple" hours of file was found and copied to an accessible place for the wife. Having obtained the file through Skype, I happily forgot about "the formed hole." After that it took several days. Thank God for this time of the home computer was not used. Literally today, after I sat at the computer, furious anti-virus: within 10 minutes it 3 times to lock a file from the folder System32. By the description it turns out one of the viruses of this family www.securelist.com/ru/descriptions/115419/Trojan-Downloader.BAT.Ftp.ab. I could not understand what could manages to write in this folder: uac never disable all programs that require administrator rights, check - well, no virus could seep so simple. Monitoring of the System32 folder did not give the result - the file could not keep it to appear as anti-virus blocked it immediately. Standard vindovyh Task Manager did not show any abnormal activity ... but I have except it is even Process Explorer. Run it - immediately struck by the child process cmd-service sql server, which in turn started the process ftp. Then he remembered that I was not disabled or sa even more so xp_cmdshell. The first cut down access to the firewall, and then turned off sa, and after it and xp_cmdshell - then antivirus calmed down. During all of this situation struck me only one thing - how to quickly scan the open non-standard port and tried to take advantage of this "hole". The conclusion is clear one - himself a fool. However, if no anti-virus, I probably take a long time thought of open access to a computer. And for those who still have doubts, I want to say that any hole in your computer can be discovered by someone at the same moment as it appears. UPD Oh, why am I so often do not watch Event Log, attempts to access SQL Server to have begun immediately after the opening of the port. A month before these events started trying to guess passwords to non-existent username. Only when it was opened login sa - these attempts could have met with some success. All ip with inner mesh provider - apparently either someone has a virus, or someone well lohanulsya | |
|
| |
| Total comments: 0 | |