Investigation Summary

As a result of your SQL Server forensic investigation of the PROD-SQL05 server, you have determined that a remote user gained unauthorized database access through a brute-force attack. During this attack, several SQL Server login names were targeted, eventually resulting in the compromise of the MSmith account. Unauthorized access was gained on 2008-08-31 15:27:09.50.

The MSmith login had a relatively high level of access within the database server through fixed-server role membership. Luckily, it did not have access to the CCProtect_Key that was used to encrypt the sensitive credit card information within the database.

After performing database reconnaissance and learning about the databases, users, and objects within the databases, the intruder utilizing the MSmith account initiated a search for passwords and encryption key–related information. No credit card information was disclosed during the incident, and no data within production tables was modified by the MSmith account. The unauthorized user's last known database access occurred at 2008-08-31 15:31:35.24.

A summary of your investigation findings appears in Table 11.2.

Table 11.2. SQL Server Forensic Investigation Findings

| Time | Event | Source |
|---|---|---|
| 15:27:09.50 | Brute-force attack initiated | IP: 192.168.1.20 |
| 15:31:35.24 | Attacker gains unauthorized access to the database server | Login: MSmith |
| 15:32:16.740 - 15:41:17.990 | Database reconnaissance, including the viewing of data within the orderhistory, sys.symmetric_keys, and sys.asymmetric_keys views | Login: MSmith |
| 15:32:41.320 | The sp_helpdb procedure is executed | Login: MSmith |
| 15:32:41.367 | Temporary object #09DE7BCC is created within the Tempdb database, associated with the sp_helpdb statement | Login: MSmith |
| 15:36:34.42 | Attacker reconnects to PROD-SQL05 | Login: MSmith |
| 15:38:15.31 | Attacker reconnects to PROD-SQL05 | Login: MSmith |
| 15:41:55.060 | SELECT INTO statement is executed, which initiates the copying of data from an unknown table into the IllB3back table within the Master database | Login: MSmith |
| 15:41:55.060 | IllB3back table is created within the Master database | Login: MSmith |
| 15:43:16.570 | Repeat SELECT INTO statement is executed using transaction ID 2724 but is aborted at 2008-08-31 15:43:16.570 | Login: MSmith |
| 15:43:23.74 | Attacker reconnects to PROD-SQL05 | Login: MSmith |
| 15:45:15.437 | Login password reset is attempted using sp_password | Login: MSmith |
| 15:45:19.880 | Login password reset is attempted using sp_password | Login: MSmith |
| 15:45:43.797 | Successful password reset of the MSmith password occurs using sp_password | Login: MSmith |
| 15:45:43.800 | MSmith account is updated | Login: MSmith |
| 15:46:03.340 | EASYACCESS login created | Login: MSmith |

Note: All events within Table 11.2 occurred on 2008-08-31.

After reviewing the investigation findings, the client resets the password on the MSmith account compromised by the attacker and removes the EASYACCESS account created as a backdoor by the intruder. A stronger password policy is also implemented to help prevent a repeat occurrence of unauthorized access gained from a successful brute-force attack.
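The remediation described above, written out as T-SQL with verification queries. This is an added example, not code from the chapter: it assumes SQL Server 2005 or later (ALTER LOGIN and DROP LOGIN replace the deprecated sp_password the intruder used), a sysadmin connection to PROD-SQL05, and a placeholder for the new password. The login names and the incident window come from Table 11.2.

```sql
-- Added example (not from the chapter): post-incident remediation on PROD-SQL05.
-- Assumes SQL Server 2005+ and a sysadmin connection. Replace the password placeholder.

-- 1. Terminate any session still running under the compromised login before rotating it.
SELECT session_id, login_time, host_name, program_name
FROM sys.dm_exec_sessions
WHERE login_name = N'MSmith';
-- KILL <session_id>; for each row returned above.

-- 2. Rotate the MSmith password and enforce the Windows password policy on the login,
--    so that a repeat brute-force attempt is slowed by lockout and complexity rules.
ALTER LOGIN [MSmith]
    WITH PASSWORD = N'<new-strong-password-placeholder>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 3. Remove the EASYACCESS backdoor login. A login that owns a database cannot be
--    dropped, so check ownership first instead of failing halfway through the batch.
IF EXISTS (SELECT 1 FROM sys.databases WHERE owner_sid = SUSER_SID(N'EASYACCESS'))
    RAISERROR (N'EASYACCESS owns a database; reassign ownership before dropping it.', 16, 1);
ELSE IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'EASYACCESS')
    DROP LOGIN [EASYACCESS];

-- 4. Verify: list SQL logins that still bypass the password policy. These are the
--    accounts a future brute-force attack would target first.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled, modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
ORDER BY modify_date DESC;

-- 5. Verify: no server principal created or modified during the incident window
--    (2008-08-31 15:27:09.50 to 15:46:03.340 per Table 11.2) remains unexplained.
SELECT name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE create_date >= '2008-08-31T15:27:09'
   OR modify_date >= '2008-08-31T15:27:09'
ORDER BY modify_date DESC;
```

Steps 4 and 5 are the checks to keep after the incident is closed: the first shows whether the stronger password policy is actually applied to every SQL login rather than only to MSmith, and the second catches any additional login the intruder may have created or altered that the timeline did not surface.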
