Full Version: Sql Securing
Hi! I was searching old posts for ways of 'securing' an SQL server, only way I came up with was:
osql -U sa -P "admin" -Q "sp_password admin,PASSWORD, sa"
but it didn't quite fit my needs, any other ideas?...
you can rename the ftp.exe, cmd.exe and the tftp.exe ..
it's another way to "secure" your sql server..
that has NO effect... the files come back after 2 secs and be a bit more specific about what you want th0m...
the answer is simple:
open up the system dir (c:\winnt\system32 on nt or 2k), display as details, and then sort by size. then, find ftp and tftp and take different files that are exactly the same size as them, copy and rename them to tftp.exe and ftp.exe accordingly, and then put the real ones on fake ones (similar to breast implants
net stop mssqlserver /yes
net stop microsoftsqlserver /yes
C:\Microsoft SQL Server\Binn xpsql70.dll / xplog70.dll switch the dll's
net start mssqlserver /yes
net start microsoftsqlserver /yes
the admin can use his server but you can't use the remote commands
I know there is one way which will make the "formats" (in sqlexec.exe) unusable... thats more specific
no effect either it'll have another output when windows checks the file or so i dunno but it doesn't work :-x
MrBob, actually, you are incorrect. One thing I've had happen to me is that I try running tftp/ftp and I get nothing. The files are there, but they are different. It's true that that method does work, but in my opinion, it's best just to change the sql password. If you oversecure, if the sysop finds your stuff, you're screwed because you can't rehack into the box.
i agree with northensky, it does work.. I've seen it happen before..
daTh0r - GOOD WAY !!. Ain't know that !.
When I secure SQL I'm doing:
1. Delete telnet.exe, tftp.exe, ftp.exe
2. Disabling net bios
3. Disabling access to cmd.exe by net > "cacls cmd.exe /E /R Builtin\Users" & "cacls cmd.exe /E /R Everyone".
4. Hiding my stro dir "cacls C:\path\* /T /E /P Administrator:N" & attrib +h +s C:\path\*.*
what's the point of deleting ftp.exe?? that means if it goes down then nobody ever can restart it or?? that ain't no good.... changing the password is even better than deleting ftp.exe if u ask me!!
Blast3rPL
Can you explain to me to what serves this line: 4. Hiding my stro dir "cacls C:\path\* /T /E /P Administrator:N" & attrib +h +s C:\path\*.* to what they serve the commandos evidence ??? Thanks for the availability bye
deleting/replacing tftp.exe/ftp.exe or similar won't work, at least not on all OS's - I have tested it multiple times, without luck.
Indeed, I think I remember that windows just makes them when it needs em. my suggestion... firewall, or use the password change, and change the passes everytime windows logon.
1. Delete telnet.exe, tftp.exe, ftp.exe ??? How? that don't works... aTa
why don't you only change the password with sqlexec? it's the most simple way to secure and the best.
yea the most stupid way to lose the box as well... once the admin finds out someone messed with his pass he will format or some shit...
is there any way to limit remote access to the account?
if u have read about the windows file protection u wouldn't have said the file can't be deleted ..
then is the file deleteable?
i don't think the admin cares about the password if it's sa/NULL or sth. like this. Last time i found a bat on a sql server that denies the access to ftp.exe and tftp.exe for all users. does somebody know this method?
Could be they just removed SYSTEM. try: echo y|cacls ftp.exe /G:SYSTEM
No delte arf it's so bad lol,
for my sql job i do this:
rename tftp.exe => ftp.exe
rename ftp.exe => cmd.exe
rename cmd.exe => tftp.exe
(originals files)
i do it, and it works to me well. when users used this command now, it's seen protocol prob in the way to use and don't rehack my job
people often use the renaming/deleting of the uploading methods. it is pretty weak though, if people want in they can crack your servu pass.
is the sp_dropextendedproc "xp_cmdshell" any good? i usually use change password. but i am gonna try this dll switch method, i have seen it done.
hey, just wondering if someone could point me in the right direction of SQL rooting (root access admin) any recent or old posts or help would be grateful...
switching the dll's is a good method but it isn't 100% secure. i know some people that can rechange the dll's with database commands, one guy told me it works again. But switching the dll's is very secure because most of the sql hackers aren't able to rechange!
hi
net stop sqlservice (or so)
hex edit the dll's in the second reply ... search for xpcmd_shell and replace one char ... like this xpcmd_zhell
you can connect but you can do nothing
SkullSplitter
stopping the sqlservice is a bad idea because the admin will find out that the SQL server isn't running and then he will kill your serv-u etc. and secure his system
well, you can restart it
how to restart it?
of course that's not true. dumbest thing i ever heard. You would format the pc if the password was wrong? You got way too much free time then.
No but i would kill all the backdoors and shit
i made a mistake, i take what i said back.
i think that the sysop would just change the pass back... but limiting remote access is still a good idea in my opinion... maybe hex editing the dll's is a good idea...
That's not how you secure a SQL server, you gotta delete the xp cmdshell so no one can login to the sql server and issue commands. Use SQLexec on this
Format: %
Command: sp_dropextendedproc xp_cmdshell
Now that is the best method by far.
no its not
I have cmd's that repair the xp_cmdshell again so that won't work
- just change pass.
- built a nice backdoor.
- secure the path.
- and some more shit. :)
nothing can repair a cmdshell when its deleted! only local host can. How can you issue commands to repair the SQL server when u cant issue commands because it has no cmdshell?
mate there are more ways that lead to rome.
exploit the sql box on an other way and restore the dll. people who say "never" have their eyes shut most of the time.
how to exploit on another way?pls tell us your way. Would be gr8.
find some other way to exploit the b0x and get ro0t axx
replace the right dll again. - there ya go. but if you're in the b0x with an other way.. I dont think you need the sql server any more ghehehe but for this to work.. you need knowledge of newest exploits .. which most "scene-h4x0rs" dont have
What's the point if you're already in, you can replace a dll that doesn't exist! please think about what u write before you type, and if you still think u can get into a secure sql server reply, i will let you try to get into one i rooted!
I've got an issue where I have (definitely) changed the SA password, but for some reason, it seems to keep changing back to ""
Anyone got any ideas why that would be??
sorry, but this is complete nonsense .. the ONLY way to secure a mssql server is:
- change pw
- lower system privilege level ( http://support.microsoft.com/default.aspx )
otherwise you can always compromise the sql server
I had changed the password from default to something quite lengthy, but looks like someone has still got in, killed my servu server and started their own
Assuming they didn't crack my password (since it was quite long and not at all easy to guess). I have regained access to the drive, what else should I look for to stop them hacking it again?
You can start searching the drive(s) for backdoors. Probably you hacked their server when you think they didn't guess your password (and delete all the files, best thing to do this is search the servu and take a look at the date it was installed, now arrange all directories @ date, and you will find some files/dir's made the same day. Check these and delete them. Also scan the server for all open ports (in case there are more backdoors etc). Install a good backdoor yourself as well. And to be sure change the password again in something very different.
good luck
What would you recommend ?
take a look at the thread "best backdoor". I've posted a ftp link in there with 2 of my best backdoors in it. Good luck with it
Thanks.. I'll check it out!
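Added example, not written by any poster in this thread: the commands quoted above (sa password change through sp_password, sp_dropextendedproc xp_cmdshell, net stop mssqlserver, cacls revocations on cmd.exe/ftp.exe/tftp.exe, attrib +h +s) leave traces an administrator can look for. The Python below flags hosts where several of those traces appear together; the log line format, host names, timestamps and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Tamper indicators taken from commands quoted in the thread. One hit alone
# can be routine admin work; several on one host suggest an intruder lockdown.
INDICATORS = {
    "sa_password_change": re.compile(r"\bsp_password\b.*\bsa\b", re.I),
    "xp_cmdshell_dropped": re.compile(r"\bsp_dropextendedproc\b.*\bxp_cmdshell\b", re.I),
    "sql_service_stopped": re.compile(r"\bnet\s+stop\s+mssqlserver\b", re.I),
    "acl_revoked_on_system_binary": re.compile(
        r"\bcacls\s+\S*(cmd|ftp|tftp|telnet)\.exe\b.*\s/[RP]\b", re.I),
    "path_hidden": re.compile(r"\battrib\b(?=.*\+h)(?=.*\+s)", re.I),
}

# Assumed log format (not a real product's): "<date> <time> host=<name> cmd=<command line>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample input; hosts, times and paths are made up.
SAMPLE_LOG = r'''
2003-04-02 11:02:10 host=DB01 cmd=osql -U sa -P "admin" -Q "sp_password admin,PASSWORD, sa"
2003-04-02 11:03:41 host=DB01 cmd=osql -U sa -P "PASSWORD" -Q "sp_dropextendedproc xp_cmdshell"
2003-04-02 11:05:02 host=DB01 cmd=cacls cmd.exe /E /R Everyone
2003-04-02 11:05:30 host=DB01 cmd=attrib +h +s C:\path\*.*
2003-04-02 12:15:00 host=DB02 cmd=net stop mssqlserver /yes
2003-04-02 12:20:00 host=DB02 cmd=net start mssqlserver
2003-04-03 09:00:00 host=WEB01 cmd=cacls C:\inetpub\wwwroot /E /G Users:R
'''

def scan(log_text):
    """Return {host: sorted indicator names matched in that host's commands}."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in the assumed format
        for name, pattern in INDICATORS.items():
            if pattern.search(m["cmd"]):
                hits[m["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def lockdown_suspects(log_text, threshold=2):
    """Hosts with at least `threshold` distinct indicators, sorted by name."""
    return sorted(h for h, names in scan(log_text).items() if len(names) >= threshold)

if __name__ == "__main__":
    for host, names in scan(SAMPLE_LOG).items():
        print(host, names)
    print("suspects:", lockdown_suspects(SAMPLE_LOG))
```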