Author Topic: My Microsoft SQL Server pswd got hacked then a trojan dropper started to execute

spaceship2018
So today at 13:48 Avast caught a trojan dropper called F9LJK953.bat. The file location was C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Temp.
The file was a heavily obfuscated .bat file which tried to load a base64-encoded, gzip-compressed executable via PowerShell.
I managed to extract the executable from the bat.
(If you want to check it out, here is a link to the original bat and the executable: https://drive.google.com/file/d/17pEvxw7R5TfcODasQrJ4ij5Bi9YvrEbk/view?usp=share_link) --> the link is safe to open; it contains a password-protected 7z file.

Upon checking the SQL Server logs I found out that at 13:48:13 my password had been cracked by a foreign IP. (hacked.PNG)
In MS SQL Server Studio remote access was turned off. So I don't know how they could connect, but I don't have deep SQL knowledge.
In my router, port forwarding of the following ports was turned on: 1433, 80, 8080.
In my firewall, incoming on the following ports was open: 3306, 33060.

I did the following:
1. Changed the password in my SQL Server
2. Deleted all the firewall rules
3. Deleted all the port forwarding rules
4. Started to run a full scan with Avast (84% currently, nothing found yet)

My questions:
1. What else should I check to make sure I'm not infected?
2. So the hackers logged in to my SQL server because of my stupidity, but how did they manage to drop a bat file into a directory inside the Windows folder and start to execute it? Is this a security vulnerability, or are my SQL Server settings bad?

Thank you for your help.
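The post describes the classic pattern behind this kind of incident: TCP 1433 forwarded to the internet, a password-guessing run against the `sa` login, a successful login, and then a file dropped into the Temp directory of the MSSQLSERVER service profile. That location is consistent with a command being executed under the SQL Server service account (after a login, not through a Windows vulnerability), so the usual follow-up checks are whether `xp_cmdshell` shows as enabled in `sys.configurations` and whether any SQL Server Agent jobs were added around the login time. As an added example (not code from the poster or from Avast), the following Python script shows how to confirm the brute-force-then-success pattern from the SQL Server ERRORLOG itself. It reads the standard `Login failed` / `Login succeeded` lines, flags any client address that had a burst of failures shortly before a successful login, and lists every successful login that did not come from the local machine. The log lines below are constructed for the example; successful logins only appear in the ERRORLOG when the instance's login auditing is set to log both failed and successful logins. The threshold and window values are assumptions you would tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Login failed"/"Login succeeded" line in the SQL Server ERRORLOG format.
# The preceding "Error: 18456, Severity: 14, State: 8." line is deliberately not matched.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Client strings SQL Server uses for connections that did not arrive over the network.
LOCAL_CLIENTS = {"<local machine>", "<named pipe>", "127.0.0.1", "::1"}

# Constructed sample ERRORLOG excerpt (not the poster's real log): a stray failure from one
# address, six rapid failures from another followed by a success, and a local app login.
SAMPLE_ERRORLOG = """\
2023-01-15 13:40:00.55 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 13:40:00.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2023-01-15 13:47:58.01 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 13:47:58.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:01.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:04.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:07.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:10.62 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:12.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-01-15 13:48:13.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-01-15 13:50:00.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
"""


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts; non-logon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"],
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client: failure_count} for clients that reached `threshold` failed logins
    within `window` before a successful login (the brute-force-then-success pattern).
    `threshold` and `window` are assumed values; tune them for your own server."""
    failures = defaultdict(list)  # client -> timestamps of failed logins so far
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "failed":
            failures[ev["client"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["client"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits[ev["client"]] = len(recent)
    return hits


def remote_successful_logins(events):
    """Every successful login whose client is not one of the local connection markers."""
    return [(e["ts"], e["user"], e["client"]) for e in events
            if e["outcome"] == "succeeded" and e["client"] not in LOCAL_CLIENTS]


if __name__ == "__main__":
    evts = parse_logon_events(SAMPLE_ERRORLOG)
    for client, n in find_password_guessing(evts).items():
        print(f"password guessing: {client} had {n} failures before a successful login")
    for ts, user, client in remote_successful_logins(evts):
        print(f"remote login: {ts} user={user} client={client}")
```

To run this against a real instance, point it at the ERRORLOG file (by default under the instance's `MSSQL\Log` directory) instead of `SAMPLE_ERRORLOG`; the first successful `sa` login from an unfamiliar address is the timestamp to compare against the creation time of the dropped file and against any configuration or Agent job changes.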