日期:2014-05-17  浏览次数:21038 次

电脑被攻击了!大家帮忙看下
昨天电脑不停的提示有木马,杀了后,过一会儿又有了。还是同样的位置同样的文件名!
今天早上打开电脑发现多了两个用户,我已经删除了!
系统:win7 我在电脑上发布了个网站(asp.net + mssql2005 + IIS 6.0)

我查看了事件日志(管理事件):
使用集成安全性建立连接时,SSPI 握手失败,错误代码 0x8009030c;该连接已关闭。 [客户端: 221.213.178.126](显示了很多条这个信息)

事件日志(Windows日志 - 应用程序):
1.SQL Server 阻止了对组件 'Ole Automation Procedures' 的 过程'sys.sp_OAMethod' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'Ole Automation Procedures'。有关启用 'Ole Automation Procedures' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。 
2.SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 
3.用户 'sa' 登录失败。 [客户端: 221.231.122.68]
(这三条出现了N次)

事件日志(Windows日志 - 安全):
1.已更改用户帐户。
2.试图重置帐户密码。
3.已向启用了安全性的全局组中添加某个成员。
4.为新登录分配了特殊权限。

SQL Server日志:
SQL code

03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OAMethod' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.
03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OACreate' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.
03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OAMethod' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.
03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OACreate' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.
03/03/2011 17:56:46,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
03/03/2011 17:55:58,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:58,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:56,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:56,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:56,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:56,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:56,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:55,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]
03/03/2011 17:55:55,登录,未知,错误: 18456,严重性: 14,状态: 8。
03/03/2011 17:55:55,登录,未知,Login failed for u