Results 1 to 5 of 5
  1. #1
    Join Date
    Dec 2002
    Location
    Windsor, NSW, Australia
    Posts
    2

    Unanswered: Is this a hack? Is it bad news for me?

    Sorry if this is elementary, but while I've been using SQL7 and SQL2000 for quite a while, I'm new to setting up a server.

    I am setting up a new testing server, with WinXP Pro and SQLServer2000, amongst other things. After a day or so of tinkering with it, I noticed that when I was offline, (my broadband wont be installed until late Jan, so I'm using a dialup in the mean time) the machine would just start dialling my isp all by itself, including in the middle of the night, when I most definitely have NOT been doing anything on the system. Trying to trace the source of this activity, I have seen in the event viewer that there's a lot of activity in my SQL2000.


    I'm particularly interested in a number of items labeled

    8128 :
    Using 'xpsqlbot.dll' version '2000.80.194' to execute extended stored procedure 'xp_qv'.


    These have run at a time when I have been in bed asleep and certainly not doing anything on my system. I haven't set up any stored procedures myself yet - this is a brand new SQL2000 installation and hasn't got any live data on it yet.


    I'm thinking this is a hack attempt (probably successful). Is there any legitimate reason why SQL2000 should be active when nothing else is on my system? Since this is (or at least WAS) a default installation, is there anything called xp_qv that has a legitimate use?


    Should I be suspecting a hack if it's SQL2000 that's trying to dial out to the internet all the time? How else can i find out what's doing it? (All the entries in the WinXP event viewer at this time are related to SQL2000.)



    Cheers,
    Michael Kear
    Windsor, NSW, Australia
    AFP Webworks.

  2. #2
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249

    Re: Is this a hack? Is it bad news for me?

    master.dbo.xp_qv is undocumented Microsoft XP
    I heard it can be used to find installation type
    of SQL Server. No more data ...

  3. #3
    Join Date
    Dec 2002
    Location
    Windsor, NSW, Australia
    Posts
    2

    Re: Is this a hack? Is it bad news for me?

    Originally posted by ispaleny
    master.dbo.xp_qv is undocumented Microsoft XP
    I heard it can be used to find installation type
    of SQL Server. No more data ...
    So does anyone know how I can find out why SQLServer2000 is waking up at all hours and trying to connect to my isp? Or indeed if it's not SQLServer but something else?

    The event viewer shows only SQLServer activity at those hours and now that I have disabled SQLServer, the computer is no longer trying to connect to the internet.


    What could be causing this behaviour? I dont want my system just connecting up to the net when it feels like it.

    Cheers
    Mike Kear
    AFP Webworks
    Windsor, NSW, Australia.

  4. #4
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249

    Re: Is this a hack? Is it bad news for me?

    MSSQLSERVER can be really used to perform attack on server. There are many SPs and XPs
    which can run programs or call COM objects, but I have never seen such an attack yet.

    I think, that your server is just badly configured, probably at network level.
    MSSQLSERVER is only pinging connection and this is detected as I-net access.

  5. #5
    Join Date
    Jul 2002
    Location
    Australia
    Posts
    147
    Turn it off when you're not using it!!
    There have been many posts made throughout the world.
    This was one of them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •