SQL Server 2008R2 Agent Malware - sql

List of unidentified sql jobs
Our SQL Server 2008 R2 has lots of auto-generated jobs from nowhere, as can be seen from the image above. I strongly suspect this is causing our server password to keep being reset daily for no reason (I had unticked those 'Enforce password policy' checkboxes). For now I have deleted the jobs, but I am not sure whether this can really solve the root of the problem. Any ideas on this? Thanks guys...

Your server has most likely been compromised. The most appropriate thing to do in this situation is to either reinstall everything from scratch and restore your last known good data backup (prior to getting compromised), or perform a bare metal restore of the server from the last known good (uncompromised) backup. At this point you don't know what malicious software is still on that server, so you have to assume that it's riddled with it.
Do this after you've ensured that the server will be secured from network attacks and don't leave it exposed to the public internet. If it wasn't previously exposed, you may have malicious software on your company network.
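To keep a record of what the unidentified jobs were before the rebuild recommended above, the job definitions and their steps can be read from msdb. The T-SQL below is an added example, not part of the original answer; it is read-only and uses only the msdb and server catalog tables present in SQL Server 2008 R2.

```sql
-- Added example: read-only inventory of SQL Server Agent jobs for the
-- incident record. Save the output before deleting jobs or rebuilding.
USE msdb;
GO

-- Every job with its owner, creation time and the command each step runs.
SELECT
    j.name                   AS job_name,
    j.enabled,
    SUSER_SNAME(j.owner_sid) AS owner_login,   -- NULL if the login no longer exists
    j.date_created,
    j.date_modified,
    s.step_id,
    s.step_name,
    s.subsystem,                               -- e.g. TSQL, CmdExec, ActiveScripting
    s.database_name,
    s.command
FROM dbo.sysjobs AS j
LEFT JOIN dbo.sysjobsteps AS s
       ON s.job_id = j.job_id
ORDER BY j.date_created DESC, j.name, s.step_id;

-- When each remaining job last ran (step_id 0 is the overall job outcome;
-- run_status 1 = succeeded, 0 = failed).
SELECT j.name AS job_name, h.run_date, h.run_time, h.run_status, h.message
FROM dbo.sysjobhistory AS h
JOIN dbo.sysjobs AS j
  ON j.job_id = h.job_id
WHERE h.step_id = 0
ORDER BY h.run_date DESC, h.run_time DESC;

-- Logins that hold sysadmin, the role with full control over Agent jobs.
SELECT m.name AS login_name, m.type_desc, m.create_date, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.modify_date DESC;
```

Jobs that have already been deleted no longer appear here, so the query is most useful when run before any clean-up.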

Related

Creating a Database Server for home use in SQL Server 2005 Express

I am looking to create a database server that can be used to store data using a VB.net application. When I initially installed SQL Server 2005 Express edition, I believe I installed this using the LocalDB option.
As it stands my application is a simple tool which utilises the Process.Start command under certain situations, depending on user input, to launch Game Servers for use at a gaming LAN I assist in running.
I wish to progress the application by being able to update, delete and query a database created in SQL Server 2005 Express. I understand the use of connection strings etc, however I am wondering if the installation using LocalDB will mean that I cannot connect to the server to process the data I require.
Can I continue to use the LocalDB option and create a Database Server for specific use using my application or is a different installation option required?
Secondly, can someone point me in the right direction of how to create a new Server for this purpose? All of my searches so far have provided results for creating a database only, and not the server.
I have a couple questions about what you are trying to do.
First, why are you installing SQL Server 2005? It was released almost a decade ago.
I would go with 2012 express edition.
http://www.microsoft.com/en-us/download/details.aspx?id=29062
Second, install the management tools. SSMS is a nice GUI to do work in.
Third, if you are spinning up anything other than express, there are licensing costs which are quite high. 9K for standard and 25K for enterprise per socket or such.
Here are the versions and features list from Microsoft.
http://technet.microsoft.com/en-us/library/ms144275.aspx
Last but not least, having the express edition on another computer is fine. However, you will have to use a network protocol such as TCP/IP instead of shared memory.
It will take longer to send Tabular Data Stream (TDS) to the other computer versus talking to memory on the same computer.
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/c4f06669-41fd-42e6-b4a9-564cf04ca9f7/how-to-choose-between-shared-memory-named-pipes-tcpip-via?forum=sqlgetstarted
Good luck with your project.
You can use a local instance of SQL Server just fine, if you want to set up a separate server for some reason then you'll need either a 2nd machine on which to install SQL Server, or to spin up a virtual machine. If running Windows 8 (and barring hardware limitations) you have Hyper-V at your fingertips.
This is not a complete answer for you but may give you some things to think about.
First you might want to think about your choice of database. If you don't have a compelling reason for using 2005 you will probably at least want to move to SQL Express 2008.
Second, to answer the part about creating a server... A server is something that serves data. In a general sense a computer configured to be contacted by external machines and respond with data is a server. A web server runs a program like IIS or Apache to respond with web pages. A database server contains a database and allows connections to that database. So as long as you install the database on a computer and configure it to allow external connections, you have your database server.
In MS SQL there are several things that need to be set up to allow a database to accept external connections. One is that the SQL Server Browser service will need to be active. Another is that the database itself will need to be configured to allow external connections (SQL Authentication type probably).
Hope this helps.
Addition:
SQL Remote Connection Configuration
Disclaimer, I don't have SQL Express 2005 installed but I think the settings are found in the same place in 2008. If the info here is not exact to SQL Express 2005, the general terminology used here should be enough to get you headed in the right direction to find the specifics.
While viewing the database in Server Management Studio or Enterprise Manager, right click the database server instance name (the root of the tree) and select properties. There should be a section titled Connections and within this section there should be an option "Allow remote connections to this server". Make sure it is checked. The other setting you need in this properties menu is under the security area. There is a radio button for "Windows Authentication Mode" and "SQL Server and Windows Authentication Mode"; you want the second, which allows both.
The next step may be to create a new user, add a password, and connect the user to the database. That will give you the credentials you will use in your database connection string while programming. I usually add new users through the security section of the database then set the User Roles for each database that I need to connect to. It is good practice to limit the permissions to those needed by the application. Typically this is read and write, but sometimes you can get away with just read. The less the better.
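The user-creation step described above, written as T-SQL instead of through the Management Studio dialogs. This is an added example, not part of the original answer; the database name `GameServers` and the login name `lan_app` are hypothetical, and the password is a placeholder to replace.

```sql
-- Added example: a dedicated SQL login for the application with read/write
-- access to one database and nothing else. GameServers and lan_app are
-- hypothetical names; the database must already exist.
USE master;
GO

CREATE LOGIN lan_app
    WITH PASSWORD = N'<REPLACE: long random password>',
         CHECK_POLICY = ON,                    -- apply the Windows password policy
         DEFAULT_DATABASE = [GameServers];
GO

USE GameServers;
GO

-- Map the login to a user in this database only.
CREATE USER lan_app FOR LOGIN lan_app;
GO

-- Read and write on user tables. For a read-only application, leave out
-- the db_datawriter line.
EXEC sp_addrolemember N'db_datareader', N'lan_app';
EXEC sp_addrolemember N'db_datawriter', N'lan_app';
GO

-- Check the result: the user should appear in exactly the roles granted
-- above and in no others (in particular not db_owner).
SELECT u.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS u
  ON u.principal_id = drm.member_principal_id
JOIN sys.database_principals AS r
  ON r.principal_id = drm.role_principal_id
WHERE u.name = N'lan_app';

-- The login should hold no server-level role; this should return no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS m
  ON m.principal_id = srm.member_principal_id
JOIN sys.server_principals AS r
  ON r.principal_id = srm.role_principal_id
WHERE m.name = N'lan_app';
```

The application's connection string then uses `lan_app` rather than `sa` or a Windows administrator account.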

MDF file security, lock and unauthorized access

I used a SQL Server 2008 R2 database in my application; now I want to install the application for my friend. How can I block access to my database tables and stored procedures?
I removed Windows authentication, and SQL Server Management Studio can only log in with my own user or pass! But what happens if he opens my database file in another Management Studio on another system?
Your users should not have access (ACL permissions) to MDF files, ever. Not at all. They should, instead, have database access, and their account should be set to do what you want them to do, and not to do what you don't.
This is a pretty basic question, really; what you need to look into is SQL Server security, so you can figure out how and what to secure your database with users. But you also need proper file security, as I noted above.
Finally... your question makes me wonder; you do know that SQL Server is not necessarily meant to be installed on every single client system, right? You certainly can do that, but it's a server product. If you are installing it on a computer to which the user has admin rights, the game is pretty much over, really.

Has anybody ever used QaasWall to prevent brute force attacks?

We suffered a brute force attempt on our SQL database yesterday and obviously want to prevent this from happening again. The bot or whatever it was was trying to log into the sa account about 30 times a second so in the first instance we have changed the sa account and restricted the IP range that can access SQL via windows firewall. We are also considering disabling the sql server browser and changing the default port.
The problem is none of these things will prevent malicious log in attempts.
I came across a piece of open source software called QaasWall and wondered if anybody had used it and whether it is reputable.
Here is a link to the project site: http://sourceforge.net/projects/qaaswall-window/
Any other tips on how to restrict the number of server log in attempts would be greatly appreciated.
Many thanks.
Clayton.
The best solution is completely disabling access to the database from all hosts which do not need it. E.g. by binding to localhost if the DB is only accessed locally or blocking any connections to the IP/port used by the DB in your firewall.
TheifMaster is correct... the SQL Slammer was really vicious, but installing SQL Server SP3 or SP4 fixed the vulnerability in the SQL Server listener that this worm exploited. When you install SQL Server 2000 Pre-SP3 from disk your server will get pinged to death... this is why I disable the network connections while installing SQL Server until I can get it fully updated.
I recently installed QAAS Wall on one of my W2003 Servers and it works, but I'm having some difficulties getting the whitelist to work properly. It keeps blocking access from one of my database servers.

Install Sharepoint on a server with other databases already on it?

We have a DB server with a couple of web app DBs on there (they don't get a ton of traffic). We'd like to make use of the server and allow it to be the DB server for SharePoint. I'm assuming it's not good practice and that SharePoint should have its own exclusive DB server. Am I right in that conclusion, or is it alright if we put the database on a server that already hosts other databases?
You can install SharePoint on an existing DB server, sure. Unless your environment is going to be huge, I don't see why you would give it its own DB server. It will use an embedded SQL Server instance if you want, but you'll get better performance if you have the full-blown version. We're running a few SharePoint apps on our DB server with a number of other applications.
The way in which I solve this is to install a second SQL Server instance dedicated to SharePoint, as SharePoint likes to have a lot of control over the database and spews all sorts of stuff such as logins, etc. across the instance, which you really want to separate from your standard line of business instance.
The added bonus is multiple SQL Server instances on the same physical machine are included in your licence.
Be careful with the SQL Server collation. I think SharePoint requires a particular setting for this. See http://www.moss2007.be/blogs/vandest/archive/2007/07/24/sharepoint-2007-and-sql-server-collation-latin1_general_ci_as_ks_ws.aspx for one reference.
Prior to centralizing our environment we had many SharePoint sites located on servers with existing applications. I'm not a fan of adding an additional named instance as this increases the administrative overhead for the DBA. You have to know how much use you expect of your SharePoint instance, then measure the resource utilization of your existing applications and balance it from there.

MS SQL Server 2005 : Error log is too big and getting bigger

I guess someone is trying to log on to our SQL Server and the error log is getting bigger. I am running out of space on the HDD. What should the solution be?
Cleaning up error log regularly? Howto?
Disabling access to SQL server? For attacker IPs? For local use only? Howto?
Any other?
Regards,
Burak
We had a similar problem here; constant attempts to guess the system's password filled up the log to epic proportions.
You could disable external access via the Windows firewall (if you're using Windows SBS 2003), it's fairly trivial, but the end solution we opted for (because we still required external access ourselves to the database server) was to change the default access port to SQL Server; it seemed to stop a lot of problems.
Although, if possible, I would also consider changing the architecture of your network slightly (sometimes this isn't possible if you have purchased some virtual machine from a service provider): moving your database server, disconnecting it from your hub/switch and plugging it into the back of your web server (if this is the ultimate use for your databases), so the web server acts as a type of proxy, preventing all external internet access.
Are you sure logins are the cause of the error-log growth? If so, you could disable remote logins:
Go to START --> Microsoft SQL Server 2005 --> Configuration Tools --> SQL Server Surface Area Configuration
Select Surface Area Configuration for Services...
Select Database Engine --> Remote Connections and choose 'local only'
Note, this will disable all remote connections to the database, so only change this if your application connects locally!
In an emergency you can execute sp_cycle_errorlog to start a new one, so you can delete the old one without restarting the server.
But the million dollar question is, of course, what is filling up the errorlog? What message shows up again and again? If you tell us that, perhaps we can help you fix the problem and eliminate the errorlog growth.
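One way to answer that question from inside SQL Server before cycling the log: load the current error log into a temporary table and count failed logins per client address. This T-SQL is an added example, not part of the original answers; it assumes failed-login auditing is enabled so that "Login failed" lines ending in a `[CLIENT: ...]` tag are written, and it relies on `sp_readerrorlog`, an undocumented system procedure. The same summary applies to the brute-force thread above.

```sql
-- Added example: find out whether failed logins are what is filling the
-- SQL Server error log, and from which client addresses they come.
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(50),
    [Text]      nvarchar(max)
);

-- 0 = current log, 1 = SQL Server error log, third argument = text filter.
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC sp_readerrorlog 0, 1, 'Login failed';

-- Keep only lines that carry a client tag, so the parsing below is safe.
DELETE FROM #errlog
WHERE [Text] NOT LIKE N'%[[]CLIENT: %]%';

-- Failed logins per client address, busiest first.
SELECT client_address,
       COUNT(*)     AS failed_logins,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM (
    SELECT LogDate,
           -- text between '[CLIENT: ' (9 characters) and the closing ']'
           SUBSTRING([Text], p + 9,
                     CHARINDEX(N']', [Text], p) - p - 9) AS client_address
    FROM (
        SELECT LogDate, [Text],
               CHARINDEX(N'[CLIENT: ', [Text]) AS p
        FROM #errlog
    ) AS located
) AS parsed
GROUP BY client_address
ORDER BY failed_logins DESC;

DROP TABLE #errlog;
GO

-- Once the summary has been saved, close the current log and start a new
-- one, as suggested above; the old file can then be archived or deleted.
EXEC sp_cycle_errorlog;
GO
```

The addresses at the top of the result are the ones to block at the firewall or to trace on the internal network.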