[Intrusions] joehack, SQL and the 1433 Scans....

Hensinger Aaron D Contr MCOM aaron.hensinger at schriever.af.mil
Thu Nov 11 16:13:10 GMT 2004


I found some articles relating to this. It appears that it may be used as a
backdoor. I don't administer SQL so cannot validate this. I just found
several messages relating to backdoor.joehack so would be concerned. You may
want to sniff the traffic and see if anything surprising comes across.

http://www.dshield.org/pipermail/intrusions/2001-October/001936.php



-----Original Message-----
From: Scott Sanders [mailto:Scott.Sanders at Toyota-fs.com] 
Sent: Wednesday, November 10, 2004 12:56 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] joehack, SQL and the 1433 Scans....

Hi there... 

I'm hoping somebody can help shed light on this issue as we have an 
identical situation here and I'm not having much luck gathering info on 
this. 

We have been investigating processor spikes on a SQL server and we have 
also found a stored procedure running with this 'joehack' string. The 
details are below: 

DECLARE @OUTPAR1 int 
 execute  sp_<removed string>  @OUTPAR1  output   
select @OUTPAR1 'joehack' 

This seems to be running under a valid SQL account. 

Any advice is appreciated. 

Regards,
Scott Sanders
IT Operations
Europe & Africa Region
Toyota Financial Services (UK)
D +44 (0)1737 365512
F +44 (0)1737 365520
M +44 (0)7810 884614
E scott.sanders at toyota-fs.com 


This correspondence is for the intended recipient only. It may contain 
confidential or legally privileged information or both. No 
confidentiality or privilege is waived or lost by any mistransmission 
or unauthorised alteration during transmission. 

If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on 
it, is prohibited and may be unlawful. If you receive this 
correspondence in error, please immediately delete it from your system 
and notify the sender. 

Any views expressed in this message are those of the individual sender, 
except where the sender expressly, and with authority, states them to 
be the views of Toyota. 

This message has been checked for viruses but the recipient is strongly 
advised to rescan the message before opening any attachments or 
attached executable files. 
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
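A defender-side starting point for the question in the thread, added here as an example and not code posted by either author: a T-SQL script that finds which stored procedures in the current database contain a marker string such as 'joehack' and lists the sessions currently consuming CPU, so a processor spike can be tied to a login and host. It assumes the SQL Server 2000-era catalog tables (sysobjects, syscomments, master..sysprocesses), which remain available as compatibility views on later versions.

```sql
-- Marker string to hunt for in procedure text (assumed; taken from the thread).
DECLARE @marker nvarchar(100);
SET @marker = N'joehack';

-- 1. Stored procedures whose definition contains the marker.
--    syscomments stores procedure text in 4000-character chunks, so a marker
--    that straddles a chunk boundary will be missed by this LIKE; for a hit,
--    confirm with: EXEC sp_helptext 'procedure_name'
SELECT o.name              AS procedure_name,
       USER_NAME(o.uid)    AS owner,
       o.crdate            AS created,
       c.colid             AS chunk_no,
       c.text              AS fragment
FROM sysobjects o
JOIN syscomments c ON c.id = o.id
WHERE o.xtype = 'P'                      -- user stored procedures only
  AND c.text LIKE N'%' + @marker + N'%'
ORDER BY o.name, c.colid;

-- 2. Active sessions in this database ordered by CPU, with login, host and
--    client program, to see which account is running the suspect procedure.
SELECT p.spid,
       p.loginame,
       p.hostname,
       p.program_name,
       p.cpu,
       p.physical_io,
       p.cmd,
       p.last_batch
FROM master..sysprocesses p
WHERE p.dbid = DB_ID()
  AND p.cpu > 0
ORDER BY p.cpu DESC;
```

Run both queries in the affected database; the first names the procedure hidden behind the "sp_<removed string>" in the post, the second shows the "valid SQL account" and originating host that a traffic capture on port 1433 could then be correlated against.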