
The story of one stupid mistake

A small story about xp_cmdshell, a stored procedure from Microsoft SQL Server.

On my home computer I have SQL Server 2008 Express, which I use for developing various databases. At some point I needed to connect to it remotely. I enabled the TCP protocol on a non-standard port, configured the standard Windows firewall, disabled sa and created a separate account with rights to edit only one database. Everything was set up and it worked great.

Then one day I urgently needed access to a single file on my home computer, but I had forgotten where it was and what it was called (the file was old). The situation was such that I had no other access to the computer: neither standard RDP nor any third-party application. All I had at my disposal was my wife, who, given instructions, can do basically anything with a computer, except perhaps independently search for the file I needed.

All I did was have her log out of her session and log in under my account (I sent her the password by SMS), open Management Studio and enable the sa login with the password 123456 (I intended it for only a couple of hours). Once that was done, I could easily log in as sa. After that, the first thing I did was run xp_cmdshell, and I started searching for the file from the console. After a couple of hours the file was found and copied to a place my wife could access. Having received the file via Skype, I safely forgot about the "hole" I had created.
Several days passed after that. Thank God the home computer was not used during that time. Just today, after I sat down at the computer, the antivirus went berserk: within 10 minutes it blocked a file in the System32 folder three times. Judging by the description, it turned out to be one of the viruses of this family: www.securelist.com/ru/descriptions/115419/Trojan-Downloader.BAT.Ftp.ab. For a long time I couldn't understand what could have managed to write to that folder: I never turn off UAC, I check every program that asks for administrator rights, so I could not have picked up a virus that easily. Monitoring the System32 folder gave no result: the file had no time to appear before the antivirus immediately blocked it. The standard Windows Task Manager showed no anomalous activity... but I also have Process Explorer. After launching it, a cmd child process of the SQL Server service, which in turn had launched an ftp process, immediately caught my eye. I immediately remembered that I had not disabled sa, let alone xp_cmdshell. First of all I cut off access in the firewall, only then disabled sa, and then xp_cmdshell. After that the antivirus calmed down.
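The process chain that gave the game away (the SQL Server service spawning cmd, which spawned ftp) is exactly the kind of parent/child relationship a defender can check for automatically. The following is an added example, not code from the original post: it walks a constructed process snapshot (pid, ppid, image, in the shape of a Process Explorer or Sysmon process-creation view; the PIDs and the svchost branch are invented) and reports every shell or network tool found anywhere below sqlservr.exe. The list of watched images is an assumption of the example, not something the post specifies.

```python
"""Flag command shells and network tools running under the SQL Server service.

Added example, not from the original post. The snapshot is constructed to
mirror what the post saw in Process Explorer: sqlservr.exe -> cmd.exe -> ftp.exe.
"""
from collections import defaultdict

# Images the database service has no business launching (assumed watch list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "ftp.exe", "bitsadmin.exe", "certutil.exe"}
SERVICE_IMAGE = "sqlservr.exe"

# Constructed sample snapshot; PIDs are invented. The cmd.exe under svchost.exe
# is a decoy to show that only descendants of the service are reported.
SAMPLE_PROCESSES = [
    {"pid": 4, "ppid": 0, "image": "System"},
    {"pid": 612, "ppid": 4, "image": "services.exe"},
    {"pid": 1504, "ppid": 612, "image": "sqlservr.exe"},
    {"pid": 2880, "ppid": 1504, "image": "cmd.exe"},
    {"pid": 2912, "ppid": 2880, "image": "ftp.exe"},
    {"pid": 3300, "ppid": 612, "image": "svchost.exe"},
    {"pid": 4100, "ppid": 3300, "image": "cmd.exe"},
]


def build_tree(processes):
    """Index the snapshot by pid and by parent pid."""
    by_pid = {}
    children = defaultdict(list)
    for p in processes:
        by_pid[p["pid"]] = p
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def find_service_spawned(processes, service_image=SERVICE_IMAGE, watch=SUSPICIOUS_CHILDREN):
    """Return one finding per watched image found below the service process.

    Each finding carries the full image chain from the service down to the
    suspicious process, so a reviewer sees sqlservr -> cmd -> ftp at a glance.
    """
    by_pid, children = build_tree(processes)
    findings = []

    def walk(pid, chain):
        for child_pid in children.get(pid, []):
            image = by_pid[child_pid]["image"].lower()
            path = chain + [image]
            if image in watch:
                findings.append({"pid": child_pid, "chain": path})
            walk(child_pid, path)

    for p in processes:
        if p["image"].lower() == service_image:
            walk(p["pid"], [service_image])
    return findings


if __name__ == "__main__":
    for f in find_service_spawned(SAMPLE_PROCESSES):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}")
```

On a live host the same logic applies to the output of a process-listing tool or to Sysmon process-creation events; the point is that a database service with a command shell or ftp client beneath it is a finding by itself, regardless of what the antivirus says about the dropped file.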

In all of this, only one thing struck me: how quickly an open non-standard port was scanned and an attempt was made to exploit this "hole".

The conclusion is clear: I have only myself to blame. However, if it were not for the antivirus, I probably would not have remembered the open access to the computer for a long time.

And for those who still doubt it, I want to say that any hole in your computer can be discovered by someone at the very moment it appears.

UPD: Eh, why don't I look at the Event Log more often? Attempts to access SQL Server began immediately after the port was opened. Even a month before these events, attempts were made to guess passwords for non-existent logins. Only once the sa login was enabled could these attempts be crowned with some success. All the IPs are from the provider's internal network: apparently either someone has a virus, or someone is in for some trouble...
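The pattern described in the update (a month of failed logins for non-existent names, then repeated failures against sa once it was enabled) is visible in the SQL Server error log, where every rejected login is written as error 18456 with the user name, the reason and the client address. The following is an added example, not code from the original post: it parses constructed log lines written in the shape SQL Server 2008 uses for these messages (the timestamps and IP addresses are invented) and summarises, per client, whether the failures look like login-name guessing or password guessing against a real login. The threshold of three failures is an assumption of the example.

```python
"""Summarise failed-login noise in a SQL Server error log.

Added example, not from the original post. The log excerpt is constructed in
the shape SQL Server 2008 writes for error 18456; addresses and times are invented.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2010-05-10 23:15:02.33 Logon       Error: 18456, Severity: 14, State: 5.
2010-05-10 23:15:02.33 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]
2010-05-10 23:15:03.10 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]
2010-05-10 23:15:03.87 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]
2010-06-12 01:02:11.42 Logon       Error: 18456, Severity: 14, State: 8.
2010-06-12 01:02:11.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]
2010-06-12 01:02:11.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]
2010-06-12 01:02:12.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]
2010-06-12 01:02:13.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]
2010-06-12 09:30:00.00 Logon       Login failed for user 'devuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
"""

# Only the "Login failed for user" line carries the name, reason and client;
# the preceding "Error: 18456" line is skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>[^.\[]*)\.?\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return one dict (ts, user, reason, client) per failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise(events, threshold=3):
    """Per client address: failure count, distinct names tried and a verdict.

    Failures dominated by "Could not find a login" are name guessing; failures
    against a login that exists are password guessing against that login.
    """
    per_client = defaultdict(lambda: {"total": 0, "users": Counter(), "unknown_login": 0})
    for e in events:
        c = per_client[e["client"]]
        c["total"] += 1
        c["users"][e["user"]] += 1
        if e["reason"].startswith("Could not find a login"):
            c["unknown_login"] += 1

    report = {}
    for client, c in per_client.items():
        if c["total"] < threshold:
            verdict = "below threshold"
        elif c["unknown_login"] * 2 >= c["total"]:
            verdict = "login-name guessing"
        else:
            verdict = "password guessing against " + ", ".join(sorted(c["users"]))
        report[client] = {
            "total": c["total"],
            "distinct_users": len(c["users"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for client, r in summarise(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{client}: {r['total']} failures, {r['distinct_users']} names, {r['verdict']}")
```

The same two signals are what to watch for after exposing a database port: a spread of unknown login names from one address means the port has been found, and a burst of password failures against sa means the guessing has moved to an account that actually exists.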

Source: https://habr.com/ru/post/92528/
