Check whether SQL Server has a Trojan horse

Kanwi.cn

Does your SQL Server Run abnormally recently? No, I am not referring to the common database and operating system problems we will certainly encounter. I mean, have you ever experienced slow server response, unstable operations, heavy Network workload, or a sharp rise in server processing or memory utilization? Oh, it is not excluded that there is a Trojan horse in your system. Like most other computers, SQL Server can also access and download and install software from the Internet. These and other things we often do on a daily basis may provide Trojan Horse installation methods. It looks strange, but in terms of servers, virus infection is very easy-especially when you do not protect your end-user system in the same way.

When you find that your database server has encountered a strange phenomenon, you should first run the following test before you spend countless times trying to solve application or database problems, check whether the trojan virus is infected.

1: Use a malware Scanner

I have seen database servers not taking measures for fear of performance degradation or system crashes, or taking limited malware protection measures. Obviously, this is a matter of concern, but what is the price? If you have not installed any anti-virus software, you can run it as soon as possible. If too many resources need to be protected in real time, exclude your database and other highly active directories from the real-time scan. Otherwise, at the minimum, you must install the anti-virus software, and then find a non-peak time to scan the local disk every few days.

If you have already run the anti-virus software, make sure it is up-to-date (the client-based Automatic Updates and network management signatures are not reliable) and perform a comprehensive system scan. Do not be afraid to install and use software from other vendors, especially when it involves spyware protection.

2: view memory

You can use the Windows Task Manager to search for applications that seem to be malware, or use too much memory or a large amount of CPU time. I recommend that you use Process Explorer of Sysinternals (the highlighted NetBus Trojan below) because it provides more information about running processes, and kill processes that are not supposed to be killed in a more reliable way.

You may think, it looks too strong-how can you catch things loaded into your Windows server. When you think about it, you will find that it is not actually very complex. In all the systems on your network, you do need to thoroughly understand your database-including recording which processes should be running, which should not. So if you have a good baseline after the first installation-or even now, assuming everything runs well-when a problem of the Trojan type occurs, you can use it as the basis for your comparison.

3: View open ports

You can use the built-in Windows netstat tool to view which ports are open and connect to the server. In the command line, enter netstat-an more to view open and listening TCP and UDP ports on one page. Another better way is to use Foundstone's Vision tool or Sysinternals's TCPView tool.

4: view your network traffic

Perhaps the simplest way to determine whether your SQL Server has malicious behaviors is to see if it has been through network communication. If you have a very good network analyzer, you can find the situation within 1 or 2 minutes. You can use analyzer carried by SQL Server, or connect it elsewhere to your Ethernet switch or mirror port.

I prefer the EtherPeek network analyzer, which can capture the packages that come in and out of your SQL Server like most other analyzer. As shown in, some traffic running on TCP port 12345 (usually the trojan port of NetBus) is discovered.

EtherPeek can easily capture network traffic and highlight the trojan action. In this network traffic capture process, you can create your own network analysis trigger and filter, if you know what to look. The list lists the common and relevant ports of the Trojan. This method of discovering malicious traffic is not very secure, because the port number can be changed frequently, but its server is a good target.

You can run Ether Peek in "monitoring" mode to give it an overall picture of what happens on the network-from top to bottom-without capturing packets. You can view which protocol is being used, find huge traffic, strange communications, and other network access to your SQL Server system.

5: how to deal with malware

A Trojan Horse is an annoying creation on a computer-It creates remote access tunnels, intercepts buttons, deletes data, and more-especially on your most important server. Obviously, the best way is to use your SQL Server for Internet access, Web browsing, and email. -- However, this is unrealistic. You (or others) may need it not just as a database server. Once this happens, you need to ensure that you are protected. Don't shirk responsibility to others, or anything else. Trojan is not running on their systems. In any way, never assume that your anti-virus software can keep you safe.

Analysis and solutions to malware: If you want to attack, or install a fraud software that can help you on the internet, nothing is better than simply using SQL Server. There may be no Trojan on your server, but if you feel something wrong, the murderer can easily find it.

The bad guys know that many servers are not protected against malware. They also know that, due to performance and online system service time, it is difficult for over-skilled administrators to install security software on their database servers or perform some protection measures. Protect your server and learn how and where to find the origin of the problem.