Can't Access SQL Server

Help! I've been hacked! I'm running SQL 7 Desktop (MSDE) and started getting
these messages at startup that servudaemon.exe was going to be shut down.
Then, at one point, I keep getting prompted by Norton Firewall that
serve-u.exe is trying to access the Internet. It suggested I deny it, which
I did; but I kept getting prompted every minute or so, so finally I told
Norton Firewall to always deny it.
Then, some minutes later, I close an Access 2000 mdb file I had opened which
uses SQL Server as a back end (through linked tables), and I was told that
connection to SQL Server had been lost. I tried reconnecting, but couldn't.
So I went into Enterprise Manager, and was told: "A connection could not be
established to D23 - Login failed for user 'sa'.."
So I went into Registration Properties, and saw that there was a password
there. I previously didn't have a password for 'sa' (which I know is stupid,
and now see the result of it). But there's a password now, and I can't
change it. So whatever hacked into my system set my 'sa' password.
Just to be sure that my settings in Norton Firewall weren't affecting
anything, I disconnected from the Internet and then disabled Norton Personal
Firewall. The results were the same.
So is there any way to restore my system?
Thanks for any assistance.
Neilserve-u.exe is possible ServeU, which is a popular FTP program. It seems
that you may have been hacked, and someone has configured an FTP site on
your machine (eg for serving mp3s, or warez or similar)
If you are a local administrator on the SQL Server machine, you should still
be able to login to SQL Server (using your Windows admin account, not the
"sa" account). You could reset the "sa" password then.
That said, you need to work out how these people got into your machine in
the first place. Additionally, since you don't know what other "back doors"
they have installed which might let them back in again, I'd say your best
bet is to backup your data, and then setup the machine from scratch.
Cheers
Ken
"Neil Ginsberg" <nrg@.nrgconsult.com> wrote in message
news:vfS4c.37319$aT1.26124@.newsread1.news.pas.earthlink.net...
: Help! I've been hacked! I'm running SQL 7 Desktop (MSDE) and started
getting
: these messages at startup that servudaemon.exe was going to be shut down.
: Then, at one point, I keep getting prompted by Norton Firewall that
: serve-u.exe is trying to access the Internet. It suggested I deny it,
which
: I did; but I kept getting prompted every minute or so, so finally I told
: Norton Firewall to always deny it.
:
: Then, some minutes later, I close an Access 2000 mdb file I had opened
which
: uses SQL Server as a back end (through linked tables), and I was told that
: connection to SQL Server had been lost. I tried reconnecting, but
couldn't.
: So I went into Enterprise Manager, and was told: "A connection could not
be
: established to D23 - Login failed for user 'sa'.."
:
: So I went into Registration Properties, and saw that there was a password
: there. I previously didn't have a password for 'sa' (which I know is
stupid,
: and now see the result of it). But there's a password now, and I can't
: change it. So whatever hacked into my system set my 'sa' password.
:
: Just to be sure that my settings in Norton Firewall weren't affecting
: anything, I disconnected from the Internet and then disabled Norton
Personal
: Firewall. The results were the same.
:
: So is there any way to restore my system?
:
: Thanks for any assistance.
:
: Neil
:
:|||sp3A is designed to stop access to the IO Port that exposes MSDE (and SQL
Server) to the web.
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
"Ken Schaefer" <kenREMOVE@.THISadOpenStatic.com> wrote in message
news:%23Wam0XbCEHA.3132@.TK2MSFTNGP11.phx.gbl...
> serve-u.exe is possible ServeU, which is a popular FTP program. It seems
> that you may have been hacked, and someone has configured an FTP site on
> your machine (eg for serving mp3s, or warez or similar)
> If you are a local administrator on the SQL Server machine, you should
still
> be able to login to SQL Server (using your Windows admin account, not the
> "sa" account). You could reset the "sa" password then.
> That said, you need to work out how these people got into your machine in
> the first place. Additionally, since you don't know what other "back
doors"
> they have installed which might let them back in again, I'd say your best
> bet is to backup your data, and then setup the machine from scratch.
> Cheers
> Ken
> "Neil Ginsberg" <nrg@.nrgconsult.com> wrote in message
> news:vfS4c.37319$aT1.26124@.newsread1.news.pas.earthlink.net...
> : Help! I've been hacked! I'm running SQL 7 Desktop (MSDE) and started
> getting
> : these messages at startup that servudaemon.exe was going to be shut
down.
> : Then, at one point, I keep getting prompted by Norton Firewall that
> : serve-u.exe is trying to access the Internet. It suggested I deny it,
> which
> : I did; but I kept getting prompted every minute or so, so finally I told
> : Norton Firewall to always deny it.
> :
> : Then, some minutes later, I close an Access 2000 mdb file I had opened
> which
> : uses SQL Server as a back end (through linked tables), and I was told
that
> : connection to SQL Server had been lost. I tried reconnecting, but
> couldn't.
> : So I went into Enterprise Manager, and was told: "A connection could not
> be
> : established to D23 - Login failed for user 'sa'.."
> :
> : So I went into Registration Properties, and saw that there was a
password
> : there. I previously didn't have a password for 'sa' (which I know is
> stupid,
> : and now see the result of it). But there's a password now, and I can't
> : change it. So whatever hacked into my system set my 'sa' password.
> :
> : Just to be sure that my settings in Norton Firewall weren't affecting
> : anything, I disconnected from the Internet and then disabled Norton
> Personal
> : Firewall. The results were the same.
> :
> : So is there any way to restore my system?
> :
> : Thanks for any assistance.
> :
> : Neil
> :
> :
>|||Xref: TK2MSFTNGP08.phx.gbl microsoft.public.sqlserver.msde:13508 microsoft.p
ublic.sqlserver.security:19785 microsoft.public.sqlserver.connect:41876
I'm running SQL 7. Do you know if there's a similar sp for that?
Neil
"William (Bill) Vaughn" <billvaRemoveThis@.nwlink.com> wrote in message
news:%23RoIB3fCEHA.1544@.TK2MSFTNGP09.phx.gbl...
> sp3A is designed to stop access to the IO Port that exposes MSDE (and SQL
> Server) to the web.
> --
> ____________________________________
> William (Bill) Vaughn
> Author, Mentor, Consultant
> Microsoft MVP
> www.betav.com
> Please reply only to the newsgroup so that others can benefit.
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> __________________________________
> "Ken Schaefer" <kenREMOVE@.THISadOpenStatic.com> wrote in message
> news:%23Wam0XbCEHA.3132@.TK2MSFTNGP11.phx.gbl...
> still
the
in
> doors"
best
> down.
told
> that
not
> password
>