huang16999 posted on 2019-9-2 16:55

It looks like the SQL database is under attack; could the experts here please take a look at what is going on?

This post was last edited by huang16999 on 2019-9-2 17:12

I'm using a cloud server; the OS is Server 2012 R2 Datacenter and the database is SQL 2008 R2. When I checked the logs yesterday something looked off, and after a long time searching I still only half understand it. The log is below; I replaced the business database names with XXX. Could you please help me figure out what is going on?

Date,Source,Severity,Message
08/31/2019 03:01:29,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 193.106.31.90]
08/31/2019 03:01:29,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/31/2019 00:00:21,spid24s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/30/2019 17:33:27,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 193.106.31.90]
08/30/2019 17:33:27,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/30/2019 00:00:03,spid20s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/29/2019 05:34:43,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 193.111.50.81]
08/29/2019 05:34:43,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/29/2019 00:00:46,spid20s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/28/2019 23:14:04,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 51.15.17.95]
08/28/2019 23:14:04,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/28/2019 23:14:01,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 51.15.17.95]
08/28/2019 23:14:01,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/25/2019 00:00:37,spid17s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/24/2019 00:00:20,spid25s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/23/2019 06:55:58,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 212.92.101.89]
08/23/2019 06:55:58,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/23/2019 00:00:03,spid24s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/22/2019 00:00:45,spid16s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/21/2019 05:14:57,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 118.163.185.176]
08/21/2019 05:14:57,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/21/2019 00:00:28,spid26s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/20/2019 16:31:00,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 51.15.15.51]
08/20/2019 16:31:00,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/20/2019 16:31:00,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 51.15.15.51]
08/20/2019 16:31:00,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/20/2019 00:00:11,spid16s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/19/2019 14:26:02,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 193.188.22.137]
08/19/2019 14:26:02,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/19/2019 00:00:54,spid18s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/18/2019 00:00:36,spid23s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/17/2019 00:00:19,spid24s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/16/2019 14:06:11,spid51,Unknown,Using 'xplog70.dll' version '2009.100.1600' to execute extended stored procedure 'xp_msver'. This is an informational message only; no user action is required.
08/16/2019 14:06:11,spid51,Unknown,Attempting to load library 'xplog70.dll' into memory. This is an informational message only. No user action is required.
08/16/2019 14:06:11,spid51,Unknown,Using 'xpstar.dll' version '2009.100.1600' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.
08/16/2019 14:06:11,spid51,Unknown,Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
08/16/2019 14:06:11,spid51,Unknown,Using 'xpsqlbot.dll' version '2009.100.1600' to execute extended stored procedure 'xp_qv'. This is an informational message only; no user action is required.
08/16/2019 14:06:11,spid51,Unknown,Attempting to load library 'xpsqlbot.dll' into memory. This is an informational message only. No user action is required.
08/16/2019 14:06:11,spid7s,Unknown,Recovery is complete. This is an informational message only. No user action is required.
08/16/2019 14:06:11,spid23s,Unknown,Recovery is writing a checkpoint in database 'XXXX' (7). This is an informational message only. No user action is required.
08/16/2019 14:06:10,spid24s,Unknown,Starting up database 'XXXXX'.
08/16/2019 14:06:10,spid23s,Unknown,Starting up database 'XXXXXX'.
08/16/2019 14:06:10,spid22s,Unknown,Starting up database 'ReportServerTempDB'.
08/16/2019 14:06:10,spid21s,Unknown,Starting up database 'msdb'.
08/16/2019 14:06:10,spid20s,Unknown,Starting up database 'ReportServer'.
08/16/2019 14:06:10,spid20s,Unknown,A new instance of the full-text filter daemon host process has been successfully started.
08/16/2019 14:06:10,Logon,Unknown,Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
08/16/2019 14:06:10,Logon,Unknown,Error: 18456, Severity: 14, State: 38.
08/16/2019 14:06:09,Logon,Unknown,Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
08/16/2019 14:06:09,Logon,Unknown,Error: 18456, Severity: 14, State: 38.
08/16/2019 14:06:08,spid13s,Unknown,Service Broker manager has started.
08/16/2019 14:06:08,spid13s,Unknown,The Database Mirroring protocol transport is disabled or not configured.
08/16/2019 14:06:08,spid13s,Unknown,The Service Broker protocol transport is disabled or not configured.
08/16/2019 14:06:08,spid10s,Unknown,Starting up database 'tempdb'.
08/16/2019 14:06:08,Server,Unknown,SQL Server is now ready for client connections. This is an informational message; no user action is required.
08/16/2019 14:06:08,Server,Unknown,The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x54b, state: 3. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.
08/16/2019 14:06:08,Server,Unknown,Dedicated admin connection support was established for listening locally on port 1434.
08/16/2019 14:06:08,Server,Unknown,Server is listening on [ 127.0.0.1 <ipv4> 1434].
08/16/2019 14:06:08,Server,Unknown,Server is listening on [ ::1 <ipv6> 1434].
08/16/2019 14:06:08,Server,Unknown,Server local connection provider is ready to accept connection on [ \\.\pipe\sql\query ].
08/16/2019 14:06:08,Server,Unknown,Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\MSSQLSERVER ].
08/16/2019 14:06:08,Server,Unknown,Server is listening on [ 'any' <ipv4> ].
08/16/2019 14:06:08,Server,Unknown,Server is listening on [ 'any' <ipv6> ].
08/16/2019 14:06:08,Server,Unknown,The certificate was successfully loaded for encryption.
08/16/2019 14:06:08,spid10s,Unknown,Clearing tempdb database.
08/16/2019 14:06:08,spid10s,Unknown,Starting up database 'model'.
08/16/2019 14:06:08,spid7s,Unknown,Server name is 'XServer'. This is an informational message only. No user action is required.
08/16/2019 14:06:08,spid7s,Unknown,The resource database build version is 10.50.1600. This is an informational message only. No user action is required.
08/16/2019 14:06:08,spid7s,Unknown,Starting up database 'mssqlsystemresource'.
08/16/2019 14:06:08,spid7s,Unknown,SQL Trace ID 1 was started by login "sa".
08/16/2019 14:06:08,spid7s,Unknown,SQL Server Audit has started the audits. This is an informational message. No user action is required.
08/16/2019 14:06:08,spid7s,Unknown,SQL Server Audit is starting the audits. This is an informational message. No user action is required.
08/16/2019 14:06:08,spid7s,Unknown,Resource governor reconfiguration succeeded.
08/16/2019 14:06:08,spid7s,Unknown,Recovery is writing a checkpoint in database 'master' (1). This is an informational message only. No user action is required.
08/16/2019 14:06:08,spid7s,Unknown,Starting up database 'master'.
08/16/2019 14:06:07,Server,Unknown,Node configuration: node 0: CPU mask: 0x0000000f:0 Active CPU mask: 0x0000000f:0. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required.
08/16/2019 14:06:07,Server,Unknown,Using dynamic lock allocation. Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node. This is an informational message only. No user action is required.
08/16/2019 14:06:07,Server,Unknown,SQL Server is not configured to use all of the available system memory. To enable SQL Server to use more memory, set the awe enabled option to 1 by using the sp_configure stored procedure.
08/16/2019 14:06:07,Server,Unknown,Detected 4 CPUs. This is an informational message; no user action is required.
08/16/2019 14:06:07,Server,Unknown,SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
08/16/2019 14:06:07,Server,Unknown,Registry startup parameters:
         -d C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf
         -e C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG
         -l C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
08/16/2019 14:06:07,Server,Unknown,This instance of SQL Server last reported using a process ID of 1912 at 2019/8/16 14:05:31 (local) 2019/8/16 6:05:31 (UTC). This is an informational message only; no user action is required.
08/16/2019 14:06:07,Server,Unknown,Logging SQL Server messages in file 'C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG'.
08/16/2019 14:06:07,Server,Unknown,Authentication mode is MIXED.
08/16/2019 14:06:07,Server,Unknown,System Manufacturer: 'Alibaba Cloud', System Model: 'Alibaba Cloud ECS'.
08/16/2019 14:06:07,Server,Unknown,Server process ID is 1932.
08/16/2019 14:06:07,Server,Unknown,All rights reserved.
08/16/2019 14:06:07,Server,Unknown,(c) Microsoft Corporation.
08/16/2019 14:06:07,Server,Unknown,Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (Intel X86)
      Apr 2 2010 15:53:02
      Copyright (c) Microsoft Corporation
      Enterprise Edition on Windows NT 6.2 <X64> (Build 9200: ) (WOW64) (Hypervisor)

Sp4ce posted on 2019-9-2 18:24

I don't know whether there is a website or application in front of it that uses this database, but judging from the log it is most likely that someone used the SA account with the xp_cmdshell component to perform privilege escalation.

down_drop posted on 2019-9-2 20:46

Sitting here waiting for an expert.

coolcalf posted on 2019-9-2 21:24

Who exposes the SQL port to the public internet...
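For anyone who has to triage an export like the one in the first post, below is an added example (editor's code, not from any poster in this thread) that reads rows in the SSMS errorlog export shape (date,source,severity,message), counts error 17832 "structurally invalid login packet" events per client address and separates routable public addresses from loopback and RFC 1918 ones, tallies the "Error: N, Severity: S, State: T." codes and the 18456 failed-login records, lists every extended stored procedure DLL load, and flags loads of procedures that hand the caller OS-level execution, which is the xp_cmdshell concern raised by Sp4ce. The sample rows are constructed to match the shape of the posted log and are not a copy of it; the xp_cmdshell row is likewise constructed, since the posted log contains no such load; the watchlist set is an assumption and not something the thread states.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the SSMS errorlog export in the first post
# (date,source,severity,message; newest first). A stand-in, not a copy of that log.
SAMPLE_LOG = """\
08/31/2019 03:01:29,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 193.106.31.90]
08/31/2019 03:01:29,Logon,Unknown,Error: 17832, Severity: 20, State: 2.
08/31/2019 00:00:21,spid24s,Unknown,This instance of SQL Server has been using a process ID of 1932 since 2019/8/16 14:06:11 (local) 2019/8/16 6:06:11 (UTC). This is an informational message only; no user action is required.
08/16/2019 14:06:11,spid51,Unknown,Using 'xplog70.dll' version '2009.100.1600' to execute extended stored procedure 'xp_msver'. This is an informational message only; no user action is required.
08/16/2019 14:06:10,Logon,Unknown,Login failed for user 'NT AUTHORITY\\SYSTEM'. Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]
08/16/2019 14:06:10,Logon,Unknown,Error: 18456, Severity: 14, State: 38.
08/16/2019 14:06:08,Server,Unknown,Server is listening on [ 'any' <ipv4> ].
08/16/2019 14:06:07,Server,Unknown,Authentication mode is MIXED.
"""

# Constructed row showing what a load of xp_cmdshell looks like in this format;
# the posted log contains no such row.
XP_CMDSHELL_LINE = (
    "08/16/2019 14:06:11,spid51,Unknown,Using 'xplog70.dll' version '2009.100.1600' "
    "to execute extended stored procedure 'xp_cmdshell'. This is an informational "
    "message only; no user action is required."
)

CLIENT_RE = re.compile(r"\[(?:CLIENT|客户端):\s*([^\]]+)\]")
ERROR_RE = re.compile(r"Error:\s*(\d+),\s*Severity:\s*(\d+),\s*State:\s*(\d+)")
FAILED_LOGIN_RE = re.compile(r"Login failed for user '([^']+)'")
XP_LOAD_RE = re.compile(r"Using '([^']+\.dll)' version '[^']*' to execute extended stored procedure '([^']+)'")
MALFORMED_LOGIN = "login packet used to open the connection is structurally invalid"
# Assumed watchlist (not from the thread): procedures that give OS or COM execution.
OS_EXEC_XPS = {"xp_cmdshell", "sp_oacreate", "sp_oamethod"}


def parse_errorlog(text):
    """Split each export row into date, source, severity, message.
    The message can itself contain commas, so split at most three times."""
    entries = []
    for line in text.splitlines():
        parts = line.split(",", 3)
        if len(parts) == 4:  # skips blank lines and anything that is not an export row
            entries.append(dict(zip(("date", "source", "severity", "message"), parts)))
    return entries


def is_external(client):
    """True only for a routable public address; '<local machine>', loopback
    and RFC 1918 ranges all count as internal."""
    try:
        return ipaddress.ip_address(client).is_global
    except ValueError:
        return False


def triage(entries):
    """Collect the records a responder wants from the parsed export."""
    report = {"malformed_login_clients": Counter(), "failed_logins": [],
              "error_codes": Counter(), "xp_loads": [], "os_exec_xp_loads": [],
              "exposure": []}
    for e in entries:
        msg = e["message"]
        m = CLIENT_RE.search(msg)
        client = m.group(1).strip() if m else None
        if MALFORMED_LOGIN in msg and client:      # text line that pairs with error 17832
            report["malformed_login_clients"][client] += 1
        m = FAILED_LOGIN_RE.search(msg)            # text line that pairs with error 18456
        if m:
            report["failed_logins"].append((m.group(1), client))
        m = ERROR_RE.search(msg)                   # "Error: N, Severity: S, State: T."
        if m:
            report["error_codes"][int(m.group(1))] += 1
        m = XP_LOAD_RE.search(msg)                 # extended stored procedure DLL load
        if m:
            report["xp_loads"].append((m.group(1), m.group(2)))
            if m.group(2).lower() in OS_EXEC_XPS:
                report["os_exec_xp_loads"].append((e["date"], e["source"], m.group(2)))
        for needle, fact in (("Server is listening on [ 'any'", "listening on all interfaces"),
                             ("Authentication mode is MIXED", "SQL logins (incl. 'sa') enabled")):
            if needle in msg and fact not in report["exposure"]:
                report["exposure"].append(fact)
    report["external_clients"] = sorted(
        ip for ip in report["malformed_login_clients"] if is_external(ip))
    return report


if __name__ == "__main__":
    rep = triage(parse_errorlog(SAMPLE_LOG + XP_CMDSHELL_LINE))
    for ip, n in rep["malformed_login_clients"].most_common():
        print(f"17832 from {ip}: {n} time(s), {'public' if ip in rep['external_clients'] else 'internal'}")
    for key in ("error_codes", "failed_logins", "xp_loads", "os_exec_xp_loads", "exposure"):
        print(f"{key}: {rep[key]}")
```

Run against the full export from the first post, this reports eight distinct public addresses sending malformed TDS login packets (error 17832) over about two weeks, an instance listening on all interfaces with mixed authentication, and three extended procedure loads (xp_msver, xp_instance_regread, xp_qv) at 14:06:11 on 16 August, none of which is on the watchlist; the failed logins are 'NT AUTHORITY\SYSTEM' from the local machine at service start. A connection that the server tears down for a malformed login packet never authenticated, so these rows alone do not show a successful login, but repeated probes from unrelated public addresses against port 1433 are what exposure of the listener, the point coolcalf makes, looks like in this log, and the first thing to look for after the probes is exactly what the watchlist flags: a load of xp_cmdshell or similar that the business application cannot explain.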