We just found out that we got hacked by the sql server
worm. We have updated the machine and removed the worm.
However we now have a new user in our sql database that
we did not have before. Also we can no longer access any
of the databases that we were able to before. Looks like
the hacker accessed the sa account and changed the
password. Whenever we try to do anything we get a message
saying we do not have access. Looks like the hacker
removed administrators from doing any changes to the
machine.
How do we recover the sa account password or make any
changes to anything?
Thanks in advance for any advice
David Anderson
andretti@.toyorders.com
|||
Was the SQL Server behind a firewall?
What service pack were you running on SQL?
Do you have backups of the master database prior to this event?
The only options are restoring master or using rebuildm to rebuild the
master database.
But, unless you understand how the machine was compromised, this may happen
again.
Our recommendation & the general recommendation of the Security community
would be to rebuild the machine from the OS with all the patches installed.
However, you will need to make a business decision and weigh out the pros
and cons of not being able to conclusively detect all the changes made to this
machine. CERT also has good recommendations;
http://www.cert.org/nav/recovering.html
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/co...gmt/sm0504.mspx
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
|||
On Tue, 15 Jun 2004 15:02:50 -0700, "David Anderson"
<andretti@.toyorders.com> wrote:
>We just found out that we got hacked by the sql server
>worm. We have updated the machine and removed the worm.
>However we now have a new user in our sql database that
>we did not have before. Also we can no longer access any
>of the databases that we were able to before. Looks like
>the hacker accessed the sa account and changed the
>password. Whenever we try to do anything we get a message
>saying we do not have access. Looks like the hacker
>removed administrators from doing any changes to the
>machine.
>How do we recover the sa account password or make any
>changes to anything?
You can restore the Master DB from backup or rebuild it to recover the
SA settings or reset them to defaults. Be aware there may have been
changes since your last valid backup that may affect your database.
Also, are you sure that you're not still compromised? Having SA
access, especially if the SP_EXEC stored procedure is left in place
means you could have much more compromised on your system than your
SQL server accounts.
Best is to nuke and rebuild. Only restore from known good backups.
Jeff
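The two replies above both say to scope the damage (new login, sa changed, administrators locked out, extended stored procedures left behind) before deciding between restore, rebuildm and a full OS rebuild. The following T-SQL triage script is an added example, not code from either poster; it reads SQL Server 2000-era system tables, assumes a connection that still holds sysadmin on the affected instance before master is restored or rebuilt, and uses a placeholder cut-off date `@incident` for the last time the server was known good.

```sql
-- Added triage script (not from the thread). Read-only: it lists what changed,
-- it does not undo anything, so the evidence in master is left intact.
-- Assumption: SQL Server 2000 system tables (syslogins, sysusers, sysobjects).
DECLARE @incident datetime
SET @incident = '2004-06-01'   -- placeholder: last known-good date, adjust

-- 1. Logins created or modified since the cut-off. A login the attacker added
--    shows up by createdate; sa's password or role change moves its updatedate.
SELECT name, createdate, updatedate, sysadmin, securityadmin, denylogin, hasaccess
FROM master.dbo.syslogins
WHERE createdate >= @incident OR updatedate >= @incident
ORDER BY updatedate DESC

-- 2. Every current holder of the sysadmin server role. Compare with the list
--    you expect (sa, the service account, your admin group); anything else,
--    or anything missing such as BUILTIN\Administrators, explains the lockout.
EXEC sp_helpsrvrolemember 'sysadmin'

-- 3. Logins explicitly denied or without server access: this is how existing
--    Windows administrators end up with "you do not have access".
SELECT name, denylogin, hasaccess, isntgroup, isntuser
FROM master.dbo.syslogins
WHERE denylogin = 1 OR hasaccess = 0

-- 4. Extended stored procedures and the DLLs behind them. xp_cmdshell, or any
--    procedure whose DLL is not part of the installation, means the compromise
--    reaches the operating system and not just the SQL accounts.
EXEC sp_helpextendedproc

-- 5. Objects created in master since the cut-off (stored procedures, jobs'
--    helper objects, etc.) that a restore from backup would silently drop.
SELECT name, xtype, crdate
FROM master.dbo.sysobjects
WHERE crdate >= @incident
ORDER BY crdate DESC

-- 6. Database-level users added or changed since the cut-off. Run this inside
--    each user database (USE <dbname>) to find the "new user" from the question.
SELECT name, createdate, updatedate, hasdbaccess, issqluser, isntuser
FROM dbo.sysusers
WHERE createdate >= @incident OR updatedate >= @incident
```

Record the output before touching master: after a restore or rebuildm these rows are gone, and they are what tells you whether the changes stopped at the SQL accounts or reached the host.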