Francisco Tapia
fhtapia at gmail.com
Wed Apr 15 00:01:02 CDT 2009
I've heard of it in the cases of SQL injections. Our old SQL Server was forward facing and attached to IIS, I know, but it was. It had been hacked several times and rootkit'ed well; even MS suggested we just scrap the drives and start all over. The data was recoverable and I had to do a lot of scrubbing of fields that were no good, but having been lucky enough to collect all user information from before the attacks I was able to rebuild my user IDs and structures. I will note that sp_revlogin did reveal all new system admin IDs that I was not able to delete w/ SA, but they were all visible.

http://sansforensics.wordpress.com/2009/03/27/sql-rootkits/

-Francisco
http://sqlthis.blogspot.com | Tsql and More...

On Tue, Apr 14, 2009 at 7:05 PM, Arthur Fuller <fuller.artful at gmail.com> wrote:

> I was speaking with a security specialist at a large Canadian bank this
> evening and he mentioned that they have seen several SQL Server rootkits
> that can grab all the instance, logins, passwords, etc., and even create
> hidden users invisible even to administrators.
>
> Has anyone heard of these? Been bitten?
>
> Arthur
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com