RussK Posted December 5, 2010 ID:356370

All,

We have had infections of Backdoor.bot items in Malwarebytes, showing up in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data and affecting the MSSQL DB files (master.mdf, mastlog.ldf, model.mdf, modellog.ldf, msdbdata.mdf, msdblog.ldf). All of these are from scans running Malwarebytes Version 1.46 Database 5241. We did not notice this until we had to reboot our production system. When it came back up SQL would not run as the control DBs were gone. This happened on 2 of our 12 servers and it took us down for several hours. Is anyone experiencing this in their workplaces? We checked the databases and I am convinced that these are false positives because we were unable to find infections in the SQL DB files. Are there any thoughts on this? We removed Malwarebytes until we get an answer on this.

This is from the log file.

Files Infected:
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf (Backdoor.Bot) -> Delete on reboot.

Thanks in advance for your help.
RussK
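Triage logic of the kind a server admin would want before a "Delete on reboot" action is allowed to fire: an added example, not code from Malwarebytes or from this thread, that parses constructed log lines in the shape quoted above and holds any detection aimed at SQL Server data or log files (.mdf/.ndf/.ldf) for manual verification. The log line format and the SQL_DIR_MARKER path heuristic are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the "PATH (Detection) -> Action." shape of the
# scan log quoted in the thread, plus one ordinary detection for contrast.
SAMPLE_LOG = r"""Files Infected:
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Downloads\update.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

DB_EXTENSIONS = {".mdf", ".ndf", ".ldf"}          # SQL Server data and log files
SQL_DIR_MARKER = "\\microsoft sql server\\"       # assumed default install path fragment

# Assumed line layout: Windows path, detection name in parentheses, "->", action.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    verdict: str


def classify(path: str, action: str) -> str:
    """Hold destructive actions on database files; everything else passes through."""
    lower = path.lower()
    ext = ntpath.splitext(lower)[1]
    is_db_file = ext in DB_EXTENSIONS or SQL_DIR_MARKER in lower
    if is_db_file and "delete" in action.lower():
        return "HOLD: scheduled deletion of a SQL Server data/log file; verify before reboot"
    if is_db_file:
        return "REVIEW: detection on a SQL Server data/log file"
    return "OK: ordinary file"


def parse_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips headers such as "Files Infected:" and blank lines
        path, name, action = m.group("path"), m.group("name"), m.group("action")
        findings.append(Finding(path, name, action, classify(path, action)))
    return findings


def held_files(text: str) -> list[str]:
    """Paths whose pending deletion should be stopped until a DBA has checked them."""
    return [f.path for f in parse_log(text) if f.verdict.startswith("HOLD")]
```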
shadowwar (Staff) Posted December 5, 2010 ID:356409

These are false positives. We are currently updating the database to correct this.
shadowwar (Staff) Posted December 5, 2010 ID:356555

This is corrected in the latest database as of this writing. Could you please verify for us?
RussK (Author) Posted December 6, 2010 ID:357473

> This is corrected in the latest database as of this writing. Could you please verify for us?

OK, it seems to be working now. I'll give it a few days to make sure.
RussK (Author) Posted December 22, 2010 ID:364316

> OK, it seems to be working now. I'll give it a few days to make sure.

After loading 1.50 the problem did go away. We let it run for several weeks with no problems. I think there should be a little more testing before you release an update that will bring down a server. We lost several man-hours fixing the problem. Time is money!

Thanks for your help.
shadowwar (Staff) Posted December 23, 2010 ID:364420

Unfortunately this was a bug with the previous version of Mbam. It didn't rear its ugly head till one certain type of definition was created with rare parameters and didn't get filtered properly with the old version. These were tested, but it took a certain set of rare parameters to cause this. I understand, as I have been a server admin. What you went through was not fun at all and we take personally what happened. We have added some more safety measures to prevent this from happening. The next few versions will have a lot more safeguards in place to prevent valid files from ever coming under scrutiny. As you have discovered, 1.50 was immune to this bug. 1.50 is more powerful and to provide the best protection we recommend always updating to the latest version. I know it's not always easy in the corporate world.
RussK (Author) Posted January 5, 2011 ID:370134

> Unfortunately this was a bug with the previous version of Mbam. It didn't rear its ugly head till one certain type of definition was created with rare parameters and didn't get filtered properly with the old version. These were tested, but it took a certain set of rare parameters to cause this. I understand, as I have been a server admin. What you went through was not fun at all and we take personally what happened. We have added some more safety measures to prevent this from happening. The next few versions will have a lot more safeguards in place to prevent valid files from ever coming under scrutiny. As you have discovered, 1.50 was immune to this bug. 1.50 is more powerful and to provide the best protection we recommend always updating to the latest version. I know it's not always easy in the corporate world.

The nice thing about 1.501 is that you can now exclude files from being scanned. A much improved version.

Thanks again Rich!
shadowwar (Staff) Posted January 6, 2011 ID:370676

No problem. Thanks again for sticking with us! Feel free to let us know of any false positives in the false positive forum. We will get it fixed ASAP!