W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql

[SammyBar]

Hi all,

I have a problem with my Sql Server 2000 server. A malware captured the 1433
port when we restarted the SQL Server service. Now we have some users (that
uses TCP/IP to connect to the server instead named pipes) that can not
access to the server. The server is mission critical, can not be reset until
midnight to eliminate the virus. We want to kill the malware process but we
can not get the process id of the malware. We tryed with fport last version
downloaded from Foundstone but it does't lists the 1433 port as being in
use. But netstat -an clearly shows the 1433 port is listening. The Sql
Server Log says it could not be binded to 1433. So is it possible fport
fails to detect a process? Which other way can I use to detect the process
id of the malware apart of fport?

Thanks in advance
Sammy

 

[David H. Lipman]

From: "SammyBar" <[email protected]>

| Hi all,
|
| I have a problem with my Sql Server 2000 server. A malware captured the 1433
| port when we restarted the SQL Server service. Now we have some users (that
| uses TCP/IP to connect to the server instead named pipes) that can not
| access to the server. The server is mission critical, can not be reset until
| midnight to eliminate the virus. We want to kill the malware process but we
| can not get the process id of the malware. We tryed with fport last version
| downloaded from Foundstone but it does't lists the 1433 port as being in
| use. But netstat -an clearly shows the 1433 port is listening. The Sql
| Server Log says it could not be binded to 1433. So is it possible fport
| fails to detect a process? Which other way can I use to detect the process
| id of the malware apart of fport?
|
| Thanks in advance
| Sammy
|

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kasperski and McAfee Anti Virus Command Line
Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site. The choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

 

[Steven L Umbach]

Try Process Explorer from SysInternals. In the properties of each process is
a page for tcp/ip info that will show if any port is used. TCPView may also
be helpful but Process Explorer is the king of process identification. You
also have the option to kill the process or process tree though that does
not work all the time. Also check your services as sometimes malware will
install as a service that you could try to stop/disable. --- Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.sysinternals.com/Utilities/TcpView.html

 

[SammyBar]

I was able to find the process that is listening on 1433 port: It is the
System process! I can not shutdown it.
Anyway thanks for the help

Sammy

 

[Peter Foldes]

Did you install the MS05-051 Security Update over your network. There is many more issues cropping up aside from what is listed.

http://support.microsoft.com/?kbid=909444

 

[Roger Abell [MVP]]

But - are you saying issues with 051 specific to SQL Server ?
I have systems with SQL 2K without issues after 051.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
Did you install the MS05-051 Security Update over your network. There is
many more issues cropping up aside from what is listed.

http://support.microsoft.com/?kbid=909444

 

[Roger Abell [MVP]]

I am hearing you make the assumption that it is a light-weight malware,
which may/may not be so. That it shows as running in a System context
only means it is using that account and/or has attached into some process
tree started by System.

Feel good that it is showing at all as that tends to say it is not rootkit
you
are up against (yet).

You might want to try PortRptr to see if the logs help you narrow things
down
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=PortRptr

 

[cquirke (MVP Windows shell/user)]

On Fri, 14 Oct 2005 17:59:28 -0500, "Steven L Umbach"

Try Process Explorer from SysInternals.

You can also try free tools from www.nirsoft.net - they have several,
including Current Process (process killer) and one for ports:

http://www.nirsoft.net/utils/cports.html

The latter lets you see what process is attached to what port, and you
can close ports and kill tasks.

Another useful set of free tools are Faber Toys.

--------------- ----- ---- --- -- - - -

Error Messages Are Your Friends

 

[Peter Foldes]

Roger

I did say that this Security Update made some issues to some posters aside from the ones listed in the KB. I have seen 1 posting concerning SQL where the OP said that SQL was freezing on him. He was getting the Event ID 778.

When he applied the workaround as described in the KB he solved his issue.

Not everyone is getting the issues as described in the KB but some are and some are getting ones that are not documented in there.

I was just trying to point to the issue as another possible fix.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

 

[Roger Abell [MVP]]

Interesting Peter. Thank you for replying with the info.
Please understand, I was not meaning to seem critical,
I was honestly wondering if there had been observed
effect on SQL installs.
Thx,
Roger

Roger

I did say that this Security Update made some issues to some posters aside
from the ones listed in the KB. I have seen 1 posting concerning SQL where
the OP said that SQL was freezing on him. He was getting the Event ID 778.

When he applied the workaround as described in the KB he solved his issue.

Not everyone is getting the issues as described in the KB but some are and
some are getting ones that are not documented in there.

I was just trying to point to the issue as another possible fix.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.