OFF Topic - Problem caused by a virus - Problem caused by Viruses

Hello…
About three months ago, I started having problems with the database of one of my systems. At first the master.mdf got corrupted; I had to reinstall SQL Server, it worked fine for a couple of days, and then the service started crashing at random. In the error log, access attempts with a wrong password were being recorded.
I disabled all the accesses, and the problem persisted.
Finally, I found that the machine was infected with Win64/DisguisedXMRigMiner
Apparently, this garbage attacks SQL Server directly and tries to break it.
I was able to remove it with ESET
In case it happens to anyone. Stay alert…
Regards…

In the past, I noticed eset.co.uk used Symantec for their spam and AV solution on their MS Exchange email servers.
Today I can see they use their own product on the eset.com domain on their MS Exchange email servers.
Network Tools: DNS,IP,Email (mxtoolbox.com)

Question is, did Eset AV let the virus in, or was the SQL server port exposed to the internet without any IDS/IPS system & traffic shaping through poor network design or something else?

One piece of advice I hold dear is this. Once a system gets hacked, it's no longer reasonable to assume a computer is clean after virus removal because the hackers may have embedded themselves in your computer chips for persistence, so even OS reinstallation can be useless.

You should check out the NSO group, they have done some nifty things, like building a basic CPU inside an image file which exploits the compression algorithm of the JPEG standard and allows it to run once during the decompression process. This is like steganography and FPGA programming rolled into a smiley face. :sunglasses:

Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution (googleprojectzero.blogspot.com)

I don't think NSO are the only ones exploiting these long forgotten techniques and levels of innovation previously not seen since the early days of computing and massive hardware restrictions.

Edit. Some languages translate so smoothly, I wonder if it was written in English first and then translated into Spanish!

Unfortunately, in the case in question, the computer was not protected by antivirus. That's how it is with some small businesses; they don't spend on security.
The ports were not open, except to the local network.
Everything indicates that the virus entered through one of the terminals, and stayed on the server.
I still have to check the terminals.
My concern was to communicate this “effect” on the databases…

And what you have highlighted is how the “effect” is a multi vector attack.

It's got in through some method on the workstation and been able to navigate the network, identify the server and get into the MS SQL server.

Now it could have used ODBC communication from a workstation to the MS SQL server, and if so, is there a username and pwd on the MS SQL server, maybe it tried the default sa user without a pwd?

What version of MS SQL server was affected because later versions restricted the ability to use the sa account?

If it got in through one of the terminals, has that backdoor/bug been fixed on the terminals or is it still open for a future attack?

It also demonstrates that this is exploiting some standard practices, because most companies do not have Intrusion Detection running on their internal networks, so once into a business network, there are loads of places to remain persistent.

It's like breaking into an office building where all the security is concentrated on the security perimeter of the building, but there are no locks on the office doors so anyone can walk into anyone's office, be it the directors', the IT guys' office or anyone else's.

I know mining crypto on graphics cards has been popular and Lapsus$ - Wikipedia has recently shown that nVidia, Microsoft & Samsung can't keep their crown jewels secure, so what hope have we got?!?

I was recently talking to this bloke, who hacked one of the biggest telecoms companies in the UK, he’s looking for a job now!
Daniel Kelley - Llanelli, Wales, United Kingdom | Professional Profile | LinkedIn

There is a pattern emerging with some of these hackers, they have not been brainwashed into conformity by education. In other words, their creative thinking is unrestricted, which obviously drives innovation and there appears to be some low hanging fruit still to be had.

Hello…
The virus likely entered through a workstation.
I communicate directly between Clarion systems and the engine, without using ODBC.
From what I saw in the logs, it tried to log in with the user “sa”.
I use SQL Server Express 2019.
I am working on the terminals. Just posting this as a warning, since it seemed like a bug in the infrastructure, and ended up being a virus.
And what you say is possible. I have already seen this behavior in some ransomware (infect a terminal, and spread through the internal network)
I don't think the issue is mining cryptocurrencies… what worries me is that it is there to encrypt and hijack the databases.
We are in serious trouble, in this case, in countries like Argentina, where many users do not want to pay for security!
Thank you very much for all the information…
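A defender-side check for the symptom described in the first post and confirmed above (repeated failed logins for “sa” in the SQL Server error log), as an added example that is not from the original thread: it parses constructed ERRORLOG lines (error 18456 is SQL Server's real login-failure code; the addresses and user names are made up) and flags bursts of failures per client/user pair so a brute-force attempt from one workstation stands out from an ordinary typo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SQL Server ERRORLOG sample (not from the original post): each attempt is an "Error: 18456" line plus a "Login failed" line.
SAMPLE_ERRORLOG = """\
2022-03-14 02:17:33.12 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 02:17:33.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.57]
2022-03-14 02:17:33.40 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 02:17:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.57]
2022-03-14 02:17:33.71 Logon       Error: 18456, Severity: 14, State: 5.
2022-03-14 02:17:33.71 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.57]
2022-03-14 02:17:34.02 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 02:17:34.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.57]
2022-03-14 08:05:12.90 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 08:05:12.90 Logon       Login failed for user 'ventas'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2022-03-14 08:06:01.00 spid52      Starting up database 'Ventas'.
"""

# Only the "Login failed" line carries the user name, reason and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>[^.]+)\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return one dict per failed login: timestamp, user, reason and client IP."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "user": m["user"], "reason": m["reason"], "client": m["client"]})
    return events

def find_bruteforce(events, threshold=3, window_s=60):
    """Return {(client, user): peak failures inside any window_s-second span} for
    pairs reaching threshold. One typo from a workstation is normal; bursts are not."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["user"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_s:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged
```

On a real server, point it at the ERRORLOG files under the instance's Log directory; a flagged client address is the terminal to examine first.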

This was published in 2014, seven years ago, but …
Antivirus software is dead, says security expert at Symantec | Malware | The Guardian

It's a worldwide phenomenon and it would probably pay to have a paper-based contingency which everyone is familiar with, especially with world affairs like they are.

Hello…
That's right… Possibly, this is because my clients are usually very small companies. It is a continuous, slow fight, but little by little they are taking measures…
Here there is a lot, a lot of improvisation, and poorly trained technicians giving advice…
It’s true, we’re in serious trouble…

My biggest complaint is Windows. Sure everything is there to secure your PC, but it's a full-time job doing that, which is why big business can afford it, but there doesn't seem to be much in the way of aftermarket products which could really lock down a machine imo.

Don't get me wrong, it's industry-wide, look at these car hacks
Radio station broadcast bad files, crashed car infotainment • The Register
Nissan Gives Up Root Shell Thanks To Hacked USB Drive | Hackaday
Nissan Car Hack Allowed Remote Access To Car | Threatpost

TV broadcast hack
Original Max Headroom Hack 22.11.1987 - YouTube

Basically if there is a processor, it doesn't know what instructions it has to run in order, they are just like an old style telephone exchange with operators plugging in cables to connect calls. It's a bit of a free for all.
So if you take your mobile, your (micro) SD card will likely have an Arm or RISC CPU to handle the wear levelling, On Hacking MicroSD Cards « bunnie's blog (bunniestudios.com)

your sim card will have one and your phone will have one. So your sim card can work independently of the OS and phone home as you can read here
What is AT&T doing at 1111340002? (scribe.rip)
I thought it was cool that they emulated the AT&T mobile network in Romania to get at this info!
More Proactive SIMs (scribe.rip)
Reverse engineering a Qualcomm baseband (ccc.de)
CDMA UMTS University 1xEV-DO Overview.pdf (unpad.ac.id)
JavaCard OS | Javacard,Smartcard Readers,Javacard Development Kit,Javacard Forum
BMI260 Product flyer (bosch-sensortec.com)
SIM cards are prone to remote hacking (srlabs.de)

On a pc, your 3rd party graphics card can work independently of the motherboard cpu, so in all these instances, you then have to rely on the circuit board design to contain additional processors and leakage.

Now DDR5 is coming in as the new normal standard and they have an Arm CPU to prevent corruption and other problems, so a whole new attack vector will be opening up there I would imagine.

Hap Bit - Disable Intel’s Backdoor on Modern Hardware | Hackaday

My phone system got hacked and I traced it back to this vulnerability.
ITU V.23 - Wikipedia

Basically all landline phones and digital telephone exchanges which can show caller ID have an attack vector, and if your landline calls can be ported to an ATA device or digital PABX that's connected to an ethernet network, you've got yourself a dialup modem attack vector into other people's computer systems! The V.23 protocol is an old dialup modem standard which means your home phone in the UK “could” be reprogrammed over the phone line (or RF links if wireless) like a remote modem firmware update, if the chips in the phone are not factory fused or OTP.

I contacted BT Openreach to find out who had been ringing me, because I finished one morning at 3am or 4am having been working on my phone system and ATA device and an hour later someone rang it, I answered because I hadn't fallen asleep and they hung up!

Someone or some people have way more oversight or intrusion into our lives than they care to admit I think.

Even like a few weeks ago I still get it, mysterious phone calls ringing me based on websites I have visited. Now this sort of stuff has been going on since I first got online in the dialup days in the 90s with AOL and CompuServe. Computers at work being hacked and remotely switched on etc etc, then getting told off for leaving computers on when it wasn't me leaving them on! Preemptive military actions perhaps?!? I do know that BBSs which you could dial into and work computers did exist back then, but that was beyond me, but I know now that tech existed back then.