Jump to content

BACKDOOR.BOT

RussK
 Share

Recommended Posts

RussK

RussK

Posted
Posted

All,

We have had infections of Backdoor.bot items in Malwarebytes, showing up in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data and affects the MSSQL DB Files (master.mdf, mastlog.ldf, model.mdf, modellog.ldf, msdbdata.mdf, msdblog.ldf). All of these are from scans running Malwarebytes Version 1.46 Database 5241. We did not notice this untill we had to reboot our production system. When it came back up SQL would not run as the control DB's were gone. This happend on 2 of our 12 servers and it took us down for several hours. Is anyone experiencing this in their work places? We checked the data base's and I am convinced that these are false positives because unable to find infections in the SQL DB files. Is there any thoughts on this? We removed Malwarebytes until we get an answer on this.

This is from the log file.

Files Infected:

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf (Backdoor.Bot) -> Delete on reboot.

Thanks in advance for your help.

RussK

Link to post
Share on other sites
  • 3 weeks later...
RussK

RussK

Posted
  • Author
Posted
OK it seems to be working now. I'll give it a few days to make sure.

After loading 1.50 the problem did go away. We let it run for several weeks with no problems. I think there should be a little more testing before you release an update that will bring down a server. We lost several man hours fixing the problem. Time is money!

Thanks for your help.

Link to post
Share on other sites
  • Staff
shadowwar

shadowwar

Posted
  • Staff
Posted

Unfortunately this was a bug with the previous version of Mbam. It didn't rear its ugly head till one certain type of definition was created with rare parameters and didn't get filtered properly with the old version. These were tested but it took a certain set of rare parameters to cause this. I understand as i have been a server admin. What you want through was not fun at all and we take personally what happened. We have added some more safety measures to prevent this from happening. The next few versions will have a lot more safeguards in place to prevent valid files from ever coming under scrutiny.

As you have discovered 1.50 was immune to this bug.

1.50 is more powerful and to provide the best protection we recommend updating to the latest version always. I know its not always easy in the corporate world.

Link to post
Share on other sites
  • 2 weeks later...
RussK

RussK

Posted
  • Author
Posted
Unfortunately this was a bug with the previous version of Mbam. It didn't rear its ugly head till one certain type of definition was created with rare parameters and didn't get filtered properly with the old version. These were tested but it took a certain set of rare parameters to cause this. I understand as i have been a server admin. What you want through was not fun at all and we take personally what happened. We have added some more safety measures to prevent this from happening. The next few versions will have a lot more safeguards in place to prevent valid files from ever coming under scrutiny.

As you have discovered 1.50 was immune to this bug.

1.50 is more powerful and to provide the best protection we recommend updating to the latest version always. I know its not always easy in the corporate world.

The nice thing about 1.501 is that you can now exclude files to be scanned. A much improved version.

Thanks again Rich!

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.