50,000 MS-SQL and PHPMyAdmin Servers Infected with Rootkit Malware

Researchers at Guardicore Labs have released a comprehensive report on a global cryptojacking campaign targeting Windows MS-SQL and PHPMyAdmin servers.

The malicious campaign, dubbed Nansh0u, is reportedly being conducted by a Chinese APT-style hacking group that has infected nearly 50,000 servers and is installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was detected for the first time in early April, has been discovered to deliver twenty distinct payload variants hosted by various hosting providers.

After locating publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner, the attack employs brute force.

After authenticating successfully with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and execute it with SYSTEM privileges.

The payload uses a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on compromised systems.

“The exploit uses this Windows privilege to inject code into the Winlogon process. The injected code generates a new process that inherits Winlogon SYSTEM privileges and possesses the same permissions as the previous version.”

On compromised servers, the payload then installs cryptocurrency mining malware to mine TurtleCoin cryptocurrency.

In addition, the malware prevents its process from terminating by utilizing a digitally-signed kernel-mode rootkit.

“The driver was found to have a digital signature issued by the leading Certificate Authority Verisign. The expired certificate bears the name of a fraudulent Chinese company, Hangzhou Hootian Network Technology.”

Researchers have also released a comprehensive list of indicators of compromise (IoCs) and a free PowerShell-based script that Windows administrators can use to determine whether or not their systems are infected.

Since the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators should always use strong, complex passwords.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.


BestTopReviewsOnline.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.