Security Forums
Virus on SQL server

darkalman
Just Arrived
Joined: 30 Oct 2006
Posts: 0


Posted: Thu Jan 04, 2007 6:10 pm    Post subject: Virus on SQL server

OK, here's the deal.

Everything is back to normal now, I got the virus taken care of.

My reason for posting is to find out how it got there in the first place and how to prevent it from happening in the future.

I'm still relatively new to network security and I'm trying to learn as much as I can in a relatively short period of time. That includes spending a couple of hours a day reading documentation (wow, am I ever a geek), but anyway...


*INCIDENT REPORT*
A few days back our SQL server was crippled by a lack of resources. So crippled in fact that I had to force a reboot because I couldn't perform any diagnostics.

I quickly realized the problem was a corrupted SVChost.exe.
The file was one of 5 SVChost.exe's listed, but whereas the others would remain the same size, this one grew exponentially.

After about a 1/2 hour it had grown to over 500 megs in size and was consuming all the system resources.

The obvious thing to do is attempt to disable the file, but task manager would not let me end the process.

3 hours of overtime and a LOT of caffeine later, I started restarting the system services one at a time until I found the culprit:

Display name: Network Connections
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
C:\WINNT\System32\svchost.exe -k netsvcs

After a quick reboot and deleting the file the system returned to normal.


All this could likely have been prevented if the previous IT guy had bothered to install a virus scanner on this particular server.


So my question is: how could a virus like this have infected the server? What are the most common culprits?

More importantly, how can I clamp down our network to stop this from happening in the future?
larsmhansen
Trusted SF Member
Joined: 11 Jan 2003
Posts: 0
Location: Boston, MA, USA

Posted: Thu Jan 04, 2007 6:38 pm

You deleted which file???

When you say "disable the file", do you in fact mean "kill the process"? If so, are all the "files" you are referring to in your write-up really processes? If so, did you end up stopping the service or killing the process?

svchost.exe is a vital part of any Windows computer, and deleting it will certainly cripple the computer. However, stopping a service or killing one of the svchost processes may work OK.

There currently is an issue with Windows Update (which also runs as svchost.exe) where it'll peg your CPU usage to close to 100% and consume a lot of your available memory. The fix for this is to disable the Windows Update service, and only enable when you intend to do any patching.
darkalman
Just Arrived
Joined: 30 Oct 2006
Posts: 0


Posted: Thu Jan 04, 2007 7:01 pm

larsmhansen wrote:
You deleted which file???


I found 3 copies of SVChost.exe on the server's hard drive. I determined which one was the proper file by checking its location on my other servers. Then I moved the corrupted file to a safe folder, and once I was certain it was at fault I deleted it.


larsmhansen wrote:
When you say "disable the file", do you in fact mean "kill the process"? If so, are all the "files" you are refering to in your write-up really processes? If so, did you end up stopping the service or killing the process?


I disabled the process. The process listing was pointing to an existing file in the windows/system directory. I confirmed it was at fault and wasn't the valid SVChost.exe, then I deleted it.

larsmhansen wrote:
svchost.exe is a vital part on any windows computer, and deleting this will certainly cripple the computer. However, stopping a service or killing one of the svchost processes may work ok.


Ahh, Google, my good friend. I'm aware of what SVChost does. I noticed there were 3 copies of svchost.exe on my hard drive; it was only a matter of locating which one was the culprit.

larsmhansen wrote:
There currently is an issue with Windows Update (which also runs as svchost.exe) where it'll peg your CPU usage to close to 100% and consume a lot of your available memory. The fix for this is to disable the Windows Update service, and only enable when you intend to do any patching.


That service is disabled on that server.
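One way a defender can do the check darkalman describes (which svchost.exe on disk is the genuine binary, and which running instance has ballooned), as an added PowerShell example that is not from this thread or its posters. It assumes a current Windows host with PowerShell 5.1 or later run as Administrator (the server in the post ran Windows 2000, which had no PowerShell), and that the legitimate binary lives in %SystemRoot%\System32, matching the C:\WINNT\System32 path quoted in the incident report.

```powershell
# Added example: inventory svchost.exe on disk and in memory, and flag anything
# that is unsigned, not Microsoft-signed, loaded from an unexpected path, or
# using the runaway amount of memory described in the thread (> 500 MB).
# Assumptions: PowerShell 5.1+, elevated session, genuine binary under System32.

$expectedDir  = Join-Path $env:SystemRoot 'System32'
$expectedPath = Join-Path $expectedDir 'svchost.exe'

# 1. Every file named svchost.exe on the system drive (full-drive recursion is slow).
#    On 64-bit Windows, copies under SysWOW64 and WinSxS are normal and will be
#    Microsoft-signed; an unsigned or differently signed copy is the real finding.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -File -Force `
              -ErrorAction SilentlyContinue | ForEach-Object {
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $flags = @()
    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $flags += 'non-Microsoft signer' }
    if ($_.DirectoryName -ne $expectedDir) { $flags += 'outside System32' }
    [pscustomobject]@{
        Path   = $_.FullName
        SizeKB = [math]::Round($_.Length / 1KB)
        Issue  = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
}

# 2. Every running svchost.exe: PID, the -k service group, image path, working set.
#    The thread's culprit was the netsvcs group and grew past 500 MB within an hour.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $group = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '?' }
    $issue = if ($_.ExecutablePath -and $_.ExecutablePath -ne $expectedPath) { 'unexpected image path' }
             elseif ($_.WorkingSetSize -gt 500MB) { 'working set > 500 MB' }
             else { 'ok' }
    [pscustomobject]@{
        PID       = $_.ProcessId
        Group     = $group
        ImagePath = $_.ExecutablePath
        WSMB      = [math]::Round($_.WorkingSetSize / 1MB)
        Issue     = $issue
    }
}

# 3. Which services share the suspect svchost group, so the right one can be
#    stopped instead of killing the whole host process as the poster had to.
Get-CimInstance Win32_Service -Filter "PathName LIKE '%svchost.exe -k netsvcs%'" |
    Select-Object Name, DisplayName, State, PathName
```

Step 2 only identifies the instance; stopping one service at a time from the step 3 list, as the poster did, is what isolates the misbehaving service within the group.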