What to do when cmd.exe and ftp.exe secretly run on your computer

Source: Internet
Author: User

A few days ago I had this problem too! It was a headache! Anti-virus software such as NOD32, Rising, and McAfee did not help! Only McAfee found two files, EQ and TT, under system32, but after I cleared them they were automatically generated again later! They could never be cleared completely!

Then I checked the network status with Trojan killer v5.31 and found that the traffic on port 1433 was very large! Isn't 1433 the default port of SQL Server? That indicates someone was connecting to my database (the machine has SQL Server 2000 installed for testing). At the same time, the ftp.exe process was accessing a port on a remote computer, downloading I don't know what! Probably not a good thing! It seems that the camera is monitored! What should I do? After I killed the ftp.exe and cmd.exe processes, it wasn't long before they were started again automatically! However, I found that the times they were started were irregular! Sometimes they were started again soon, and sometimes they appeared again only after a long time! It seems they were being run manually by someone else! Thinking it over carefully, the problem seemed to lie in SQL Server. I checked the relevant information on the Internet and finally noticed the stored procedure xp_cmdshell:

xp_cmdshell is the operating system command shell. It is an extended stored procedure that executes a given command string and returns any output as rows of text.

In general, xp_cmdshell is not necessary for the administrator. Removing xp_cmdshell will not have any impact on the server.
You can remove xp_cmdshell:
USE master
EXEC sp_dropextendedproc N'xp_cmdshell'
GO

If necessary, you can restore xp_cmdshell:
USE master
EXEC sp_addextendedproc N'xp_cmdshell', N'xplog70.dll'
GO

[Experience]
It is best to remove the xp_cmdshell stored procedure from the server.

I closed it! Haha... Then I used Trojan killer to view the network status! Haha... Port 1433 is back to normal, and ftp.exe and cmd.exe have never appeared again! It seems that the problem was in the security settings! I am posting this experience in the hope that it can serve as a reference if you run into the same problem!
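
An added example, not part of the original post: xp_cmdshell runs its command string as a child process of the SQL Server service, so the recurring cmd.exe and ftp.exe described above can be confirmed from process-creation records by checking their ancestry. The log layout, the sample rows and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of process-creation records. The column layout is an
# assumption; map it from whatever process logging you have available.
SAMPLE_LOG = """\
time,pid,ppid,image
09:00:01,400,4,services.exe
09:00:05,812,400,sqlservr.exe
09:01:10,1500,300,explorer.exe
09:02:00,1620,1500,cmd.exe
10:17:42,2044,812,cmd.exe
10:17:43,2101,2044,ftp.exe
13:55:09,2300,812,cmd.exe
"""

WATCHED = {"cmd.exe", "ftp.exe"}   # the two processes named in the post
DB_ENGINE = "sqlservr.exe"         # SQL Server service process


def has_ancestor(pid, table, ancestor_image):
    """Walk parent links from pid; True if any ancestor runs ancestor_image."""
    seen = set()
    ppid = table[pid]["ppid"]
    while ppid in table and ppid not in seen:  # stop on unknown parent or loop
        seen.add(ppid)
        if table[ppid]["image"] == ancestor_image:
            return True
        ppid = table[ppid]["ppid"]
    return False


def flag_sql_spawned(log_text):
    """Return (time, pid, image) for watched processes descended from sqlservr.exe."""
    table, hits = {}, []
    for row in csv.DictReader(io.StringIO(log_text)):
        pid, ppid = int(row["pid"]), int(row["ppid"])
        image = row["image"].lower()
        table[pid] = {"ppid": ppid, "image": image}  # newest record wins on PID reuse
        if image in WATCHED and has_ancestor(pid, table, DB_ENGINE):
            hits.append((row["time"], pid, image))
    return hits


if __name__ == "__main__":
    for hit in flag_sql_spawned(SAMPLE_LOG):
        print("spawned under sqlservr.exe:", hit)
```

The cmd.exe started from explorer.exe in the sample is not flagged; only the processes whose parent chain leads back to sqlservr.exe are reported, including ftp.exe launched through an intermediate cmd.exe.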
