
My server was hacked by the Mirai botnet. We cleaned the system, disabled the Server Agent completely, and the system is stable and clean, BUT...

If I re-open that SQL Server PC to the internet (port 1433), it gets reinfected.

I experimented with all the logins and found that if I leave the "BUILTIN\Administrators" login in place, that is what allows the botnet to reinfect it.

The client that infects me is called "Microl Office"; it originates from various presumably hacked PCs, and the strange thing is that it authenticates as "NT AUTHORITY\ANONYMOUS LOGON"...

I deleted model and msdb and recopied the ones from the template folder in order to clean the server; still the same thing happens if I leave BUILTIN\Administrators, so I guess that the botnet added ANONYMOUS LOGON to the Administrators group?

I reinstalled another instance of a different version and still the same thing happens, so I think it's not an SQL issue.

Login succeeded for user 'NT AUTHORITY\ANONYMOUS LOGON'. Connection made using Windows authentication. [CLIENT: 138.0.224.232]

Also, if I use BUILTIN\Users instead, it doesn't log in and fails with the error "Token-based server access validation failed with an infrastructure error". So I think that once the server was severely infected, the malware somehow added ANONYMOUS LOGON to the BUILTIN\Administrators group.

Can anyone tell me how I can see all the users added to the Administrators group? (And yes, the group has only my user as the admin user when viewed from Computer Management.)

Can anyone please suggest anything on this matter? (Windows Server 2003 R2 and SQL Server Enterprise 2005 + 2008 SP1)

Options I tried:

  • set LSA blockanonymous to 1
  • set allowanonymous to 1
  • disable SID translation
  • check the administrators group from computer management

Yes, I know it's an old server; it has been developed for a specific ASP.NET website since 2009, and we tried migrating but it didn't work well, so we have to use it. We expose only RDP and SQL (1433).
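An added audit script for the situation described in the question; it is not code from the question, the comments or any product documentation. It is T-SQL for the SQL Server 2005/2008 instances named above and is assumed to be run by an existing sysadmin. It lists every server login, shows who holds each fixed server role, asks the engine how it itself resolves the BUILTIN\Administrators Windows group (the membership that counts for a group login is the one the engine sees at login time, not only the one shown in Computer Management), checks how NT AUTHORITY\ANONYMOUS LOGON (the name from the error-log line quoted above) reaches the instance, and finally drops the group login only if a named sysadmin login already exists, so that the script cannot lock you out.

```sql
-- Added audit script (editor's example, not from the original post).
-- Assumes SQL Server 2005 or 2008 and a sysadmin session.

-- 1. Every server-level login: SQL logins (S), Windows logins (U), Windows groups (G).
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
ORDER BY type_desc, name;

-- 2. Membership of the fixed server roles; sysadmin is the one to read first.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. The members of BUILTIN\Administrators as SQL Server resolves them.
--    A Windows group login grants access to whoever the engine resolves into
--    the group at connection time, so this list is the one that matters.
EXEC xp_logininfo 'BUILTIN\Administrators', 'members';
GO

-- 4. Which permission path, if any, lets ANONYMOUS LOGON in. An empty result
--    means the account has no path; an error means the engine could not
--    resolve the account name at all. Kept in its own batch so a failure here
--    does not stop step 5.
EXEC xp_logininfo 'NT AUTHORITY\ANONYMOUS LOGON';
GO

-- 5. Drop the group login, but only if a named, enabled sysadmin login exists
--    besides it. After this, being a local administrator on the box no longer
--    grants implicit sysadmin access to the instance.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = 'sysadmin'
      AND m.name <> 'BUILTIN\Administrators'
      AND m.type IN ('S', 'U')   -- a named login, not another Windows group
      AND m.is_disabled = 0
)
BEGIN
    RAISERROR('Create a named sysadmin login first, or you will lock yourself out.', 16, 1);
END
ELSE
BEGIN
    DROP LOGIN [BUILTIN\Administrators];
END
GO
```

Run steps 1 to 4 first and read the output before running step 5; the interesting rows are any sysadmin member you did not create and any login whose create_date or modify_date falls after the compromise. Dropping the group login closes the implicit path the question describes; it does not replace the advice in the comments to keep port 1433 off the internet and to rebuild the host from clean media.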

  • Your server OS is just shy of 5 years out of support. Start by getting to a supported OS.
    – user9517
    Commented Jun 7, 2020 at 20:41
  • And don't make SQL open to the internet.
    – mfinni
    Commented Jun 7, 2020 at 20:51
  • I suggest you back up the data (only the data; no configuration) on this system and rebuild and reconfigure it from a wiped hard drive, ideally with a newer OS. It was compromised severely. You cannot trust it.
    Commented Jun 7, 2020 at 21:18
  • The built-in Administrator by default. Windows Server 2003 R2 is not considered to be secure. You really should consider upgrading your OS.
    – Ramhound
    Commented Jun 7, 2020 at 22:30
  • "If I re-open that SQL Server PC to the internet (port 1433), it gets reinfected" - Ummm... don't do that.
    – joeqwerty
    Commented Jun 7, 2020 at 23:31
