电脑被攻击了！大家帮忙看下,该怎么处理

2012-04-03

电脑被攻击了！大家帮忙看下昨天电脑不停的提示有木马，杀了后，过一会儿又有了。还是同样的位置同样的文件名！

电脑被攻击了！大家帮忙看下
昨天电脑不停的提示有木马，杀了后，过一会儿又有了。还是同样的位置同样的文件名！
今天早上打开电脑发现多了两个用户，我已经删除了！
系统：win7 我在电脑上发布了个网站（asp.net + mssql2005 + IIS 6.0）

我查看了事件日志（管理事件）：
使用集成安全性建立连接时，SSPI 握手失败，错误代码 0x8009030c；该连接已关闭。 [客户端: 221.213.178.126]（显示了很多条这个信息）

事件日志（Windows日志 - 应用程序）：
1.SQL Server 阻止了对组件 'Ole Automation Procedures' 的过程'sys.sp_OAMethod' 的访问，因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'Ole Automation Procedures'。有关启用 'Ole Automation Procedures' 的详细信息，请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
2.SQL Server 阻止了对组件 'xp_cmdshell' 的过程'sys.xp_cmdshell' 的访问，因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用
3.用户 'sa' 登录失败。 [客户端: 221.231.122.68]
（这三条出现了N次）

事件日志（Windows日志 - 安全）：
1.已更改用户帐户。
2.试图重置帐户密码。
3.已向启用了安全性的全局组中添加某个成员。
4.为新登录分配了特殊权限。

SQL Server日志：

SQL code

03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OAMethod' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OACreate' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OAMethod' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.03/03/2011 17:56:46,spid51,未知,SQL Server blocked access to 过程 'sys.sp_OACreate' of component 'Ole Automation Procedures' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ole Automation Procedures' by using sp_configure. For more information about enabling 'Ole Automation Procedures'<c/> see "Surface Area Configuration" in SQL Server Books Online.03/03/2011 17:56:46,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:55:58,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:58,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:56,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:56,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:56,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:56,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:56,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:56,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:55,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:55,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:55,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:55,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:55,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:54,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:54,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:54,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:54,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:54,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:54,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:54,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:54,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:52,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:52,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:51,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:51,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:50,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:50,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:50,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:50,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:50,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:50,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:50,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:50,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:55:48,登录,未知,Login failed for user 'sa'. [客户端: 61.160.213.32]03/03/2011 17:55:48,登录,未知,错误: 18456，严重性: 14，状态: 8。03/03/2011 17:52:38,spid51,未知,Configuration option 'Ole Automation Procedures' changed from 1 to 0. Run the RECONFIGURE statement to install.03/03/2011 17:52:38,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'default trace enabled' changed from 0 to 0. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'default trace enabled' changed from 0 to 0. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'default trace enabled' changed from 0 to 0. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.03/03/2011 17:52:37,spid51,未知,Configuration option 'default trace enabled' changed from 0 to 0. Run the RECONFIGURE statement to install.

还有很多。

怎么防御啊？
攻击我的人IP是：221.231.122.68 吗

[解决办法]
呵呵呵，sql注入了？
[解决办法]
拔掉网线一了百了
[解决办法]
不懂啊
[解决办法]
原因很多
不见得参数化能解决任何注入问题
[解决办法]
注入是肯定的，
可能还留有木马，
需要彻底清除
[解决办法]
拔掉网线杀下毒吧，把不必要的端口禁掉
[解决办法]
你的数据库开的是默认端口，远程机器在尝试猜解你的数据库密码。

看日志貌似密码被猜到了。

这些一般都是别人一段一段IP扫肉鸡的时候扫到了你，数据库的话建议更换默认服务端口。

密码复杂度自己看着办吧。
[解决办法]

探讨
拔掉网线杀下毒吧，把不必要的端口禁掉

[解决办法]
又是弱口令一类的猜解,尝试把密码设置复杂点
[解决办法]

探讨
又是弱口令一类的猜解,尝试把密码设置复杂点

[解决办法]
断网，用瑞星等强点的杀软全面查杀。

热点排行

Bad Request.

windows

电脑被攻击了！大家帮忙看下,该怎么处理