COI Report – Part IV
Page 154 of 425

26.3 Detecting active queries to the SCM database

473. Upon receiving Sze Chun’s email, Katherine noticed that the Citrix server in question was Citrix Server 2. She also noted that the account, workstation, and program that were involved were unusual.
474. Katherine then logged into the SCM database to look at the current active sessions running on the database. Her intention was to check if the query mentioned by Sze Chun was still running. She found that very similar queries were being run. The active sessions reflected the hostname of VM 1, and the queries were being run using a different program (referred to in this section as the “second program”). She was of the view that this was indicative of abnormal activity, and called Benjamin to inform him of the active sessions.

Following the call, Benjamin checked the active sessions and found the same queries described by Katherine. He thought that perhaps it could be some new modules that were deployed or being tested, and which used the second program to run queries on the SCM database. Benjamin called some colleagues, who confirmed that they were not running any queries, and that they were unaware of the second program.
476. At pm, Katherine emailed Sze Chun with a screenshot showing the SQL sessions on the SCM database involving the second program and running from VM 1. Katherine asked Sze Chun in her email why the hostname was that of VM 1. Shortly after at pm, Katherine also pointed out that the query had been running since pm, and was still running. At pm, Sze Chun replied to Katherine, confirming that the query she identified was still running, and that there was a second query that was running at the time.
477. By this point, Sze Chun had become more concerned, as the probability of the AA. account being misused appeared to be higher, in view of all the unusual circumstances.