Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Microsoft

New "SQLsnake" Microsoft Worm 362

sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords. Here is the (vague) Microsoft bulliten, the SANS analysis, and a securityfocus article" Already over a thousand compromised system- you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.
This discussion has been archived. No new comments can be posted.

New "SQLsnake" Microsoft Worm

Comments Filter:
  • McAfee (Score:5, Informative)

    by Triskaidekaphobia ( 580254 ) on Wednesday May 22, 2002 @10:42AM (#3565284)
    McAfee's description [nai.com]. The AV vendors are calling it Spida, instead of snake.
  • by WildBeast ( 189336 ) on Wednesday May 22, 2002 @10:45AM (#3565305) Journal
    Who needs MS SQL Server? Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)

    Long live human stupidity.
    • by Anonymous Coward
      Nope, there is a new MS-SQL mini server that runs on workstations. Installs a blank sa password and get this no admin tools are installed. So this means many people are running MS-SQL and don't even know it.
    • by Foochar ( 129133 ) <foochar AT gmail DOT com> on Wednesday May 22, 2002 @10:56AM (#3565382) Journal
      Keep in mind that Access XP includes a desktop version of SQL server that I believe is installed by default. Microsoft is trying to move away from the Jet engine that Access is based on and towards using SQL for all databases, both large and small. I'm sure that some of the thousands of infected systems are desktop systems.

      There are also plenty of business apps that run on top of SQL server. The program's installer takes care of setting up the SQL server with little to no knowledge or intervention required on the users part.
      • Keep in mind that Access XP includes a desktop version of SQL server

        This is true, but you need to go back a couple years to get to the root of this (fscking stupid) idea.

        Visio 2000 installs it by default as well. I can't remember if anything previous did, but that was my first encounter with this. I would love to buy a bag of whatever those in charge of making this idea a reality, but this is not a small thing. You need to consider the hundreds of thousadns (if not into the millions) that are running software that was created 2 or 3 years ago up to now (and the future holds suit as well).

        Can someone please remind me why I have to keep using M$ garbage? OOo [openoffice.org] is a great package. There are MUCH better webservers out there [apache.org], and there are MUCH [mysql.org] BETTER [postgresql.org] SQL Servers out there.

        I just don't get it...
    • by Lumpy ( 12016 )
      Yes it is highly standard practice to have an SQL server and noone in the building that has a clue to run it let alone what it is. The vendor of some "critical" app usually installs it (from a copy the vendor has on hand) and advises the customer.. "you need to buy MS SQL server to be legal".. well we know where that goes.... (50% ignore them and never even think of buying it, the other 50% look for it, see the price and then crap their pants, deciding not to buy the overpriced product)

      so yes, it is very common. and it will remain very common as long as there are software vendors making SQL based apps and NOT including a legal copy of SQL server, and a SQL maintaince contract in the price of the product.
    • by sphealey ( 2855 ) on Wednesday May 22, 2002 @10:59AM (#3565412)
      Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)
      This is a typical Slashdot response, but I don't think most businesspeople would agree. Without in any way excusing Microsoft for their security practices, it may occur to you that 90% or more of businesses exist to do something other than IT functions. They need transportation, they go out and buy a truck. They need a machine tool, they go out and buy one. They need a copy machine, they have one installed. Although some of these tools can certainly be dangerous, there is a basic expectation that when buying, say, a machine tool (a) it will more or less do what it says it will do (b) it won't suddenly explode and destroy an entire city block.

      Along comes e-mail, the Internet, databases, web sites, etc. Joe Enthusiastic runs into the President's office and says, "Mr. Smith! I have found a great new way to communicate with our customers!". Mr. Smith, though he is 90 years old, takes a look and says, "Yeah, that looks interesting. Buy one and set it up".

      So the company buys one (database server, e-mail server, web site, etc.) and sets it up according the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.

      NOW the company is told, oh, you should have known. You should have known the instructions in the box were incomplete and dangerous. You should have known you needed an 80k/year DBA to use that. You should have known the product was dangerous. You should have known...

      Sorry. I am not buying it anymore. And I think the general business world isn't going to buy it much longer. Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how. Sort of like the phone company in the 1950's.

      My 0.02 anyway.

      sPh

      • I am not buying it anymore. And I think the general business world isn't going to buy it much longer.

        We will continue to have incompetant management as long as we continue to have music majors getting MBAs.
      • by RocketScientist ( 15198 ) on Wednesday May 22, 2002 @11:18AM (#3565543)
        If they need to haul stuff, they buy a truck. If they want to stay in business, they don't leave the keys in it and the windows down while it's parked somewhere in public.

        If they need to make copies, they buy a copy machine. If they need machine tools, they buy them. They also tend to keep these things in locked rooms so joe public can't walk in and trash them.

        If they buy computer systems, they leave the passwords blank and expect people to not use them. That's not bad programming, it's stupid users.
        • by wik ( 10258 ) on Wednesday May 22, 2002 @11:36AM (#3565712) Homepage Journal
          It's not just stupid users. Maybe they buy a copy machine like the Xerox DocuTech. It's a powerful high-end copier. It's also not just a copy machine. It has an NT box and a Sparc running Solaris built into it. It also comes out of the manufacturer, wide open with security holes, trivial passwords and unpatched software. If you try to patch them and then ever have as service issue (don't tell me that things don't break), Xerox will gladly reinstall all of the loaded software. Bye bye, patches and passwords.

          http://online.securityfocus.com/archive/1/273029 [securityfocus.com]

          It's not just stupid users. Somebody chose this machine for the business and it's something that they NEED in order to function. Not only that, they may not have a (practical) way to keep it secure when you look at how the machine is really used. I'd sugggest reading the entire thread, because there are more juicy details into the security problems and politics associated with big machines like these.

      • (b) it won't suddenly explode and destroy an entire city block.
        ...
        So the company buys one (database server, e-mail server, web site, etc.) and sets it up according the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.


        I am a bit confused by this pair of comments - are you suggesting that companies should be able to move from experimental use of a product to production use with mission critical contents without the assistance of an expert? That the inadequacy of the information on the packaging implies that it is idiot-proof? Is that the way general business treats vacuum forming equipment or high temperature ovens?

        So in short, yes, if they are putting mission critical data into a computer and exposing that computer to the Internet without the assistance of a professional, they should have known better. Likewise, if they put the million dollar prototype in the oven and set the temperature without knowing wether the scale is kelvin, celsius, or farenheit, they deserve to lose the prototype.

        Perhaps, if Microsoft is explicitly marketing SQL Server as, "as easy to use as Word!" then they are liable, but I don't think that is what you are positing. It sounds like you are saying that the lack of flashing lights and yellow/black warning tape implies that the software is safe for any purpose.

        Not that I disagree that this is what general business is going to whine to congress for, because America is chock full of a bunch of fuckwits who refuse to take responsibility for their own actions. I only hope that congress has the foresight to pretend to listen while making fun of the whiners behind their backs.
      • I see this a lot talking to clients - they're convinced they can treat information processing just like they treat other commodity services/items (photocopiers, etc). When talking to clients, many of them have a 'DIY' approach to save money - outside consultants or expensive employees are often viewed as unncessary. Perhaps one day they will be, but for now, it's a requirement to have someone who knows what they're doing operate these things (in this case, databases). Probably half the time I know people are thinking we're trying to pull one over on them, thinking they don't need someone who knows what they're doing ("Hey, my cousin's business set up a webserver in 10 minutes and they don't even use computers! It can't be that hard!") Sometimes they're right, but at this stage of development, it's still a gamble they *shouldn't* take.
      • They need transportation, they go out and buy a truck.

        Yes, but who would put an untrain employee with little drive experience and no experience driving a truck, behind the wheel of a tractor trailer and not expect to have the truck cause an accident?

        Any company that sets up a database server with out hiring a qualified admin to set up and maintain it is asking for trouble. A qualified admin should have changed the SA password from null. There really is no reason this behavior should be acceptable.

        • Not only that, but you normally need a Commercial Driver's License to sit behind one of those.

          We're all saying that qualified sysadmins are necessary, but do we really want to go to *licensed* sysadmins? I have this ugly feeling that at some point, it may well take a license to make that final connection to the Internet. At that point, your ISP will be the licensed party, and you will have to use provided software on a acceptable platform. How many ISPs will allow you to connect on your own authority, assuming that you are licensed, is the next question.
      • Ok, first of all you clearly haven't worked for any business, small, medium or large. If you have, then it won't be in business very long.

        Second, companies *should be* and *are* responsible for security on their computer systems. By your logic, you would also claim that a company shouldn't have to buy locks, cameras or security personal for their buildings, because how would they have known that people exist that can break into a building. Your reasoning is flawed and feeble.

        A business is an educated entity. And for your information, the business world, from small to multinational, is going to continue to use the internet in more and more ways for their business. You may not buy it, but that's your mistake.
      • Failure to do proper research on a product is no excuse. Joe 90 year old president of large corporation didn't get where he is without doing research before making strategic business moves, and if he's smart, he hired managers who do the same. In this case, the manager that bought the thing should find out what needs to be done to make the thing work, and take steps to make sure it IS done. In this case, hire a DBA.

        Buying a solution and installing it without configuration and investigation is dangerous and lazy, whether it's a machine tool, a truck, a copy machine, or a web/database/mail server.

        So no, I have no sympathy. Not for the machinist who is sued by his employee that just got a steel rod shot though his shoulder by misusing a machine, nor for the shipper who needs to replace his truck fleet every two years because the undercarriages rust out, nor for the manager whose customer database is released to the internet because his passwords were unlocked.
      • They need transportation, they go out and buy a truck. They need a machine tool, they go out and buy one. They need a copy machine, they have one installed.
        an entirely reasonable course of action, to be sure. but you're missing something: don't these companies generally also hire someone who knows how to use the given tool? they make sure they guy behind the wheel knows how to drive, they make sure only authorized personell can fool around in the machine shop (okay, the copier's a bit weaker, but still valid: it's primarially secratary types using them). this benifits them because otherwise they won't get anything out of the tool, and it'll become a liability, not an asset. and outside of the IT world, companies recognize this. they seem to forget it in the IT world (possibly because these days the average guy on the street thinks he knows alot about computers). it's also quite possible for an untrained operator to do damage to any one of these three new tools. for their own good, they want someone who knows what they're doing in controll.

        what's more, a company may be liable for damages incurred by others if the company lets unqualified people use these tools (i have no idea what kind of damages to others could result from a copier). companies with large machine shops get sued about this periodically. and with good reason. that's a basic principle they should know: before letting someone use your tools, make sure they know what they're doing. to do otherwise, in many cases, constitutes negligence under the law.
        companies should know that people who don't know how to drive shouldn't be given the keys to a company truck. companies should know not to let untrained people in the machine shop. companies should know tools can be dangerous when misused. and companies - and indeed people - should know that computers are just tools.
      • Have you ever heard of those expensive people called "consultants"? Yes, they actually can be valuable, especially in this scenario. Companies hire Legal consultants, Accounting consultants, and Business Management consultants - especially when they do not have the expertise in house. What company would get into a legal battle without a Lawyer? What company would run an Enterprise DB without a DBA?
      • Either the Internet will be abandoned, or ...


        Well, I'll just wait here for that...


        *sharp intake of breath*
        ...
        *fires up his Flux Capacitor-powered Internet Users Counter (tm)*
        [number = 15 bazillion]
        *waits*
        [number = 16 bazillion]
        *waits*
        *getting faint. Can't see very well*
        "don't these people realize ... should ... force ... secure passw... in SQL Server!?"
        [number = 18 bazillion]
        *turns purple*
        "Must... abandon ... Internet!"
        [number = 20 bazillion]
        *passes out*
        [number = 25 bazillion]
        [number = 37 bazillion]
        [number = 46 bazillion]
        ....

      • They need transportation, they go out and buy a truck. They need a machine tool, they go out and buy one. They need a copy machine, they have one installed. Although some of these tools can certainly be dangerous, there is a basic expectation that when buying, say, a machine tool (a) it will more or less do what it says it will do (b) it won't suddenly explode and destroy an entire city block.

        If they're smart, they also hire a driver, a machinist (or at least an operator), or an admin assistant. None of these technologies run themselves, or run indefinitely without maintainance.

        Honestly, I have no sympathy for bottom-line dimwits who think that technology alone is the answer to a tight profit margin. Technology is the tool. The guy with the skills to *use* technology is the real answer.

        Hire a goddamned administrator, for crying out loud. If it's worth the investment to purchase the system, it's worth at least that much to invest in someone who can keep it working.

        If computer technology is so integral to the business world, how come it's so freakin' hard to find a technology job again? Short-sightedness, that's all I can figure.

        GMFTatsujin
      • You know what? Your post was brilliant and absolutely correct every step of that way, until you threw in that conclusion. Geez. What a way to ruin a great post.

        "Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how."

        That's just silly.

        The number of businesses that rely on the internet to survive, dollar-wise, now far outweigh the number of businesses who are as fed up as you claim. What will happen is that people will make more solid state type servers. Email servers in firmware style setups will be common. Look at Network Attached Storage. What else is that, except a firmwared File Server? Same thing with JetDirect Print Hubs. Beats having to actually run a print server.

        THAT is how the industry will respond to the problem you so nicely described.
    • Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work?

      Sure, Microsoft makes it so easy to install and administer a server, even a squirrel can do it! :-)

      While that is very tongue-in-cheek, it is true. I was involved in a discussion recently about how MS is good at keeping the Total Operating Costs low by making their systems administerable by a common squirrel. [I know, the TOC argument is debatable, I was on the other side of it]

      • It is very common for packaged business apps to include a license for an RDBMS (SQLS, Oracle, etc). The vendor shows up, installs a box in the corner, and says "don't worry - we will dial in once a month to check how it is running". Which if you think about it is how most tools/equipment/systems that businesses use work. So it is not "clueless" or "irrational" for the business using the product to not know the details of how the thing works.

        sPh

    • Unfortunately there are a great number of "corperate solutions" which are nothing better than ASP hacks which require iis and mssql. And of course these solutions are required by sales vps who haven't the slightest clue how to configure an email client, let alone understand the dynamixs of network security; and they certainly don't care that a lowly systems administrator says it's insecure.

      Worse yet, it is likely at a company who doesn't even have lowly systems administrators that know it's insecure, or that there's even a sa password for sql.

      I should still always be behind some sort of access list, but that probably won't help you terribly much, as users are sure to find a way to get the worm on the lan anyways.
    • Correction (Score:2, Informative)

      To quote security focus article:

      'According to SANS incident handler Johannes Ullrich, a preliminary analysis shows the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.'

      So, it inflicts even systems, that do not have blank sa password. It only inflicts those systems, instantly.
      • So, it inflicts even systems, that do not have blank sa password.

        Yes, via Brute Force. And guess what, if you have your SQL Server open on the Internet then it can be Brute Forced with or without a worm. The same goes for any FTP server, any Web server, and any other service that's open to the public. This has nothing to do with MS SQL server. Also, it is commonly known that brute forcing over the Internet is extremely slow and therefore does not pose much of a risk, even to relatively weak passwords.
    • Some bundles of Microsoft Office include SQL server (the "developer" edition). Anybody who got this and installed everything may well have installed the MS SQL Server and never did anything with it.


      THere's also a desktop runtime engine which I think also listens on port 1433, that could be affected by this. This engine might be installed with an application written in VBA using Access or one of the other MS components. These kinds of apps are fairly common in large companies. I wrote one myself for a state government recently (although not installing MSDE).

    • Who needs MS SQL Server?
      I'm sure many do. The problem is it gets installed with other MS applications if a user specifies that they want all components installed.

      My boss just handed me his laptop the other day, wanting to know why it had slowed down. (He'd filled the hard drive to under 200K free.) Among the many other unnecessary items I removed was MS SQL Server. I can only guess that it got installed with MS Office, because all he uses the laptop for are PowerPoint presentations, word processing, surfing and game playing.

      There are probably a million people out there who don't even know that they're running it.

    • Part of what has made MS successful is now biting them in the butt. They tout "ease-of-use" to such a degree that people sub it for competence. People get an MCSE and suddenly they are competent? No, I don't think so.

      I don't want to beat on MCSEs any more than they already get it, but MS has cultivated a large number of semi-competent admins for their systems. Therefore, when patches come up, there are a large number of people who DON'T apply the patch and may not even know they are running the service!

      C'mon, Code Red is still out there! Not to say that all MCSEs are incompetent, but let's compare it to Java certification. (since I'm a Java dork)

      When someone tells me they are Java certified, my eyes glaze over. It means very little (to me) and I still want to devle into their tech knowledge. But it seems like MCSE opens the door to a greater degree, and it shouldn't

  • Digispid/SQLsnake (Score:5, Informative)

    by Scoria ( 264473 ) <slashmail AT initialized DOT org> on Wednesday May 22, 2002 @10:46AM (#3565311) Homepage
    Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid [symantec.com]" as opposed to SQLsnake.

  • by sheldon ( 2322 ) on Wednesday May 22, 2002 @10:48AM (#3565321)
    Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.

    First of all, a DB should never be outside a firewall. It's not necessary.

    Second of all, this issue is aided by databases installed with blank admin passwords.

    I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...

    • MS SQL Server 2000 SP2 will warn you that the SA password is blank. It also advises you to change it. The service pack has been out for a while now. If you have installed it, this should be a none issue for the most part. Brute force attacks are more difficult to contend with.
    • by ColdCuts ( 193807 ) on Wednesday May 22, 2002 @10:58AM (#3565405)
      One of the things incidents.org points out (http://www.incidents.org/diary/diary.php?id=156) is that some microsoft products have sql server included as a hidden or optional install. Access 2000, Visio, even Visual Studio 6 had an option for installing MSDE. If installed, no password is set for the account.
  • Does it include seineew era sreenigne epacsteN [ganns.com]? I hope not, because we happen to have it in all our MS servers.
  • Hidden installations (Score:5, Informative)

    by Painelf ( 29492 ) on Wednesday May 22, 2002 @10:51AM (#3565353)
    It is of course nothing less than idiocy to leave the 'sa' account enabled without a proper password. But, geniouses as this particular software vendor is, SQL-server is also a part of some other software packages, including deriviations of Visual C++. So if you installed VC++, your machine might be vunerable. If you are vunerable, does that make you an idiot?

    I use VC++ regularly, and am thus a potential propagator of the worm. Thankfully SQL-server was disabled on my install, but you might not be so lucky.
    • With MS's lengthy track record in these matters, if you install something like VC++ and become vulnerable, then yes, you are at fault and are an idiot, just for using their products. You should know better by now than to choose MS products, and when they bite you in the ass, you have to assume part of the blame.

      If you're not the one choosing the products, then you can blame your idiot employer. In this case, when your systems are trashed by the worm because of your employer's dumb decision, then you can just point the finger at them, and go home while they fix the problem.

      I'm sorry, but I have no more sympathy for anyone that chooses MS products and then gets burned. You had to see it coming.
    • So if you installed VC++, your machine might be vunerable. If you are vunerable, does that make you an idiot?


      If my Workstation is outside of a Firewall, yes.
  • two versions out (Score:3, Informative)

    by martin ( 1336 ) <maxsec@ g m a i l . com> on Wednesday May 22, 2002 @10:52AM (#3565361) Journal
    According to Sophos (www.sophos.com) there are two vesions out.

    the first one just attempts the 'default' null passwd and 'sa' username (the administrator).

    The second tries a brute force attack on the passwd.

    So no change from trying to telnet into a *nix box as root then....
  • I've gotten over 80k probes in two days at work and several hundred on my single IP address at home.

    I kind of gave up and just ACL'd it on the border router since the volume makes it almost a DoS of my intrusion detection.
  • From the artice.. "Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users."

    But what they didn't address is why would you even expose the SQLServer to the internet to begin with? A SQL server user can do a lot of damage with the sa account. Might as well give them a CMD prompt. There's really no need to have that port open to the outside at all.

    I wonder how many internet servers answer port 1521 to SYS/CHANGE_ON_INSTALL. Could PL/SQLsnake be next?
    • by Error27 ( 100234 )
      Remember the Red Hat piranah bug a couple years ago where there was a default password?

      That default password existed--in beta software--for two weeks before it was found. Slashdot was up in arms about it. Alan Cox personally appologized for letting the default password slip by his check.

      I believe that slashdot was correct to get upset about piranah. I think any vendor who distributes software with default passwords deserves the same.

  • News? (Score:2, Funny)

    by xamel ( 567605 )
    &ltsarcasm&gt
    Holy shit! A flaw in microsoft software? How did this happen???Arent Microsoft systems the most secure systems available???
    &lt/sarcasm&gt
  • Microsofted (Score:3, Funny)

    by MongooseCN ( 139203 ) on Wednesday May 22, 2002 @10:55AM (#3565379) Homepage
    I'm waiting for the day when people stop saying "We got another worm." and start saying "We just got Microsofted again".
    • How about Munsoned?
    • by jc42 ( 318812 )
      I think the term is "Microshafted".
  • by chill ( 34294 ) on Wednesday May 22, 2002 @10:58AM (#3565408) Journal
    Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.

    Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.

    Then, when the LAN wasn't hooked to the Internet, and some poor schmuck install MS BackOffice and wanted to instal SMS Server, it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.

    Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!

    Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.

    I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.
    • No kidding. Management are so busy shorting the company's stock or faking business to pump it up in an effort to get more money, coke and whores that they don't even understand that just because the server's don't crash 10 times a day they're not shorting their technology infrastructure.

    • Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes.

      Burn me once, shame on you. Burn me twice, shame on me. How many times are people going to let themselves be burnt by Microsoft's intentionaly easy to break and push onto software?

      All the trolls keep ssying, "Linux is not ready for the desktop." Hmphf! I'm so sick of that bull. M$ is not ready for anything. If it really were easier to get work done on M$ desktops and they could be protected, management might be justified in continuing to order new M$ junk. But it's not.

      Debian kicks M$'s but, and Red Hat has all the bells and whistles any corporate user could want. At work, I've got one virtual desktop with tiny picutes on a single bar at the bottom of my screen. There's no way to segregate projects, so I have to cycle the little buttons and place keeping fails. A "power user" in the next cube has two freaking monitors eating his desk top, how stupid! The environment lacks useful scripting, and it's impossible to run processes on other M$ machines without getting out of your seat. Walk, click, click, click, where's the automation? Every two years the file formats change enough to make everyone "upgrade". The GUI's constant flux requires constant relearning, and seems to make less sense with every new improvement. Stability is a joke, as is speed. My first 486 gave comperable perfomance and speed back in 1993. It just burns me up. When I go home I sit at a single chair and look into a single good monitor and can control and run processes on any number of computers I can set up behind my firewall. At home, I move plenty of big pictues and files, no problems. Things at home HAVE gotten faster with new hardware. Why do people at management level put up with this expensive, invasive, rights denying, won't even work well with itself junk?

      Someone somewhere is going to get the desk top switchover started and M$ is going to vanish. Poof, back into the cloud of hot air they started with.

  • by rabtech ( 223758 ) on Wednesday May 22, 2002 @10:59AM (#3565414) Homepage
    First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.

    Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.

    Don't complain that you got rooted when your login is root/root.
  • I found the way out! [wehavethewayin.com]


    What was ASP is now Perl [page1book.com].(look at the link before you click, then look at the address bar after you arrive). What was SQL Server is now MySQL. And what was IIS is now Apache.


    I'm sleeping much better these days now that I don't have to scramble every week there is another hideous security flaw announced. Not to mention they(MS) recently stated if they opened their source, even worse flaws would be revealed.


    As the new Rush [amazon.com] song(Secret Touch) says, "The way out is the way in".

  • Ugh! (Score:2, Interesting)

    by Lysol ( 11150 )
    A few things;

    One, ok, so, another m$ "exploit". Why does it always have to have this "see, we told you" attitude? After a while, you get tired of finger pointing. Especially when it's all action and little thought. Think? Nah, I'll just complain first and then eat my foot later.

    Two, any IDIOT that puts their SQL server on a public network deserves to get it cracked. This would be the same for any db on a public network. I mean, c'mon, a null sa password?! If someone told you to jump off a cliff, would you? Common sense yo! Jeeze..

    Fellow /.'s, I have to put forth the real issue here which is bad sysadmin. True, m$'s strategy is 'fast, easy, fun', and while it is probably better practice to lock everything down on install vs. not, it's not a m$ problem so much as it is an admin problem.

    I've worked for companies which take the easy road (hire dumb people to do smart things) and the hard road (smart peeps, smart things) and that's what this is all about. Not m$ as much as the companies that are cost cutting everywhere (except when it comes to executive perks), especially IT.

    It is true that m$ does have a lot of security through obscurity issues, but it would be time well spent jumping on the cracked systems than m$. Because, honestly, they don't care. These systems can me made as secure/insecure as the sysadmin wants, so it's really their fault.
  • I've been noticing a more-than-usual amount of probes to port 1433 on my firewall during the past couple of days, although it seems to have really spiked up since last night. DShield seems to prove this, as their "movie" [dshield.org] demonstrates.

  • Some of the DBA's I have worked with love a blank SA password. They also love to write scripts that attach with SA and a blank password. I hope this will teach them to stop being stupid...

    I guess they can use next.
  • by Diamon ( 13013 ) on Wednesday May 22, 2002 @11:04AM (#3565452)
    A massive "unlocked door" worm has been ravaging users of Schlage locks. Aparrently hackers have been breaking into houses with Schlage locks installed. 9 out of 10 users were found to have installed the locks but never engaged the locking mechanism, and many times had left the key in the knob.
    • Re:In Other News (Score:3, Interesting)

      by White Roses ( 211207 )
      Good point. I do actually think that a lot of clueless admins ought to be flogged with cat-5 until they wake up and close the door.

      On the other hand, you know when you've put a Schlage on your door. You can see it, it's "well documented," and it's obvious how you lock it down. Too much MS software isn't well documented, it's not obvious how you lock it down, and the most egregious point is that you might not be able to tell (easily) if it's been installed.

      Both are left unlocked by default after installation, though, so I can't point that out. But I think that MS is more like installing 100 locks on your door, some which are locked and some which aren't, some with keys and some without, and nothing to tell you which is which.

    • However, you already knew that you had a door...

      MS has this server built-in to many installs. It like installing an room air conditioner and the contractor puts a hinge on it so you can use it as a door. Then, he installs a lock on the hinge, but leaves it unlocked, and doesn't even bother to give you the key.

  • by Nintendork ( 411169 ) on Wednesday May 22, 2002 @11:08AM (#3565484) Homepage

    The bulletin MS02-020 was just released about a month ago. Only the admins that place a top priority on patches (such as myself) are safe.

    I supported NT server for MS for over a year and can attest to the number of admins out there that rely too heavily on anti-virus software. When nimda spread and took over a buttload of systems, it was for this very reason. The thing spread before it could be researched and DAT files updated.

    Here's some solid advice for NT/2000/XP/.NET admins:

    Use the hfnetchk tool to monitor all NT based computers on your network for installed patches using the syntax hfnetchk -h host1,hotst2,host3 -v -z -s 1. It will also check for SQL, I.E., and IIS patches. Other products such as Office will have to be checked manually. At least Office has the officeupdate web site for easy installation that the users can do. Block email attachments with extensions that viruses use. Have anti-virus software installed that checks avery 2 or 3 hours for updates. Have a properly configured firewall (Blocks well known attacks) in place that only allows incoming session requests for what services are to be made available to the Internet. Lock down any services that are open to the Internet. Have strong passwords for all admin accounts (At least 10 random characters) and create a new one for each admin account once every few months. Same thing goes for any account that can authenticate in any way from the Internet (8 characters and changing every 6 months or so should be okay). If domain authentication is going to be provided to the Internet for some stupid reason, hack the registry so only NTLM v2 is used. Configure all windows computers to use the Peer-Peer node type 0x2. Use switches instead of hubs to prevent evesdropping and assign MAC addresses to ports for your servers to avoid MAC address spoofing. Most of these things are a one time setup. The ones that require maintenance are worth the trouble.
  • If your accounting software uses MSSQL as a backend and was installed by accounting consultants, you probably need to pay special attention to this alert. Odds are, they didn't set an sa password when it was installed either -- mine wasn't.
  • The Microsoft Data Engine (MSDE) that comes with the .NET SDK is just a stripped down version of SQL server. Unfortunately enough, it's got enough "features" to make it vulnerable to attack. Sure I'm just stating the obvious, but I've already talked to 3 boneheaded .NET developers that insist that they're not running SQL Server. Imagine what I found on port 1433...
  • One of the nice things I've noticed about MySQL (having used MSSQL as well) is that I can have MySQL prevent people from connecting based on IP addresses, even if they have the proper username/password credentials. I could never find a way to do this in MSSQL - is there a way of doing this? Yes, it's not perfect, but it's definitely a nice extra that MySQL offers which I've not seen in MSSQL. Again, if it can be done, someone let me know.

    Also, why does the SQL Server run at all without a password? IIRC in the latest versions the installation prompts you for an 'sa' password to set, but earlier ones didn't do that. Why not just disable the program - when running it having a popup say 'hey - I won't run unless you set a password!' and be done with these types of 'holes' (yes, it's really just lazy admins, but the computer should be doing more thinking for me at this level - perhaps Clippit could bounce up and demand a password be set?)
  • > Already over a thousand compromised system

    Grepping my firewall logs for hits to port 1433, I find 1078 hits since midnight, from 39 unique IP addresses.

    The majority appear to be dynamic residential addresses -- attbi.com, swbell.net, pacbell.net. Only a few resolve to static addresses. Here's one of the sites that probed me:

    http://210.90.207.4/admin.inc [210.90.207.4]

    LMAO!
  • If the administrator installed MSSQL and chose integrated security mode, that machine is not vulnerable, however, if the administrator chose mixed mode and did not set a password for the username "sa" then that machine is vulnerable.

    I've not seen that particular bit of advise on any of the pages, though.

    DanH

  • Why The X-Box Network Will Fail

    New "SQLsnake" Microsoft Worm

    yuk yuk yuk etc

  • The thing that strikes me about a lot of things like this is that they are immediately exploited by the anti-virus software writers, but not by the big Unix/Linux vendors.

    If I was in IBM I would have a budget set aside to ramp up a scary campaign about this and every other big worm/exploit - I'd be buying the spots right now to go on the offensive.

    Gentlemen, your opponent is drowning, so throw the son of a bitch an anvil.
  • here's a topic for further discussion....

    Now that the cat is out of the bag that MSSQL is "in play" as a target, I wonder if sealing 1433 and the sa password are enough to head off future attacks.

    The linked articles explain how the worm replicates by essentially logging on as an SQL client and storing a copy of itself in the database. Ingenious, but relatively easy to defend. However, couldn't future versions infect any-old-user's PC using standard email/windows virus techniques and then look for an ODBC connection which would hopefully, by now, be configured with a no-longer-blank sa password to seed a new infection? It might even hit more systems because it gets you inside the firewall that closed off 1433?

    In other words, is all the /. schadenfreude about dumb-ass sysadmins not setting the 'sa' password eventually going to be for naught? The problem is still MS's poorly thought-out standard of mixing code with data...
  • Microsoft SQL is the most popular Web database, with 68 percent market share, according to Microsoft.

    free [postgresql.org] alternatives [mysql.com]

  • How the hell is this a bug? If you're an idiot and place an unsecured SQL server out on the internet where anyone can log onto it, what the hell do you expect?

    I didn't need all that karma anyway.

  • by quark2universe ( 38132 ) on Wednesday May 22, 2002 @12:37PM (#3566144) Homepage
    is to put SQL Server on a port other than 1433. Of course for an existing installation, this could be a major change. But if you're setting up a new SQL Server, use another port. This is assuming you are using SQL Server and not another superior database product (like Oracle).
  • by blowdart ( 31458 ) on Wednesday May 22, 2002 @03:09PM (#3567209) Homepage

    I've just mailed this to a couple of security lists I take part in. Posting here seems like a good idea (although now, of course, I am outed as a SQL Server user)

    Please feel free to forward these recommendations to any other lists as you see fit. However, as with all system changes, things can go wrong. Make sure you have backups. I take no responsibility if your SQL server dies. Or if the sun fails to come up :)

    • The automated MS baseline security tool [microsoft.com] checks for blank sa passwords.
    • You can safely (well ish) drop the xp_cmdshell stored procedure from your servers. There's very little valid use for this (smug mode - I had mentioned this in a presentation to SQL-PASS 2 years ago!) This can kill some things, like BCP. Don't hold me responsible if something stops working :)
      use master
      exec sp_dropextendedproc 'xp_cmdshell'
    • Don't run mixed mode security if you can help it. MSDN [microsoft.com] has details.
    • You can of course, change the port SQL listens on. Not ideal, but for those that want a wide open to the world SQL database, it's an option. (Run the Server Network Utilities program on the server, and choose properties for TCP/IP - don't forget to tell the client machines the new port)
    • I want to restate - SQL does not log logins (failed or otherwise by default). Turn it on. (Enterprise manager, right click your server, choose Properties, then the security tag. Login events go to the Application log.
    • From what I see the worm adds a password to guest and moves it into the admin groups. It's done using the username, not a SID, so renaming your guest accounts would stop this. Always a good idea to enforce this at a domain policy level.
    • You may also wish to consider dropping the ActiveX stored procedures. Do you want/need sa to be able to create ActiveX objects?

      sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop

      The same goes for registry sps

      xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regremovemultistring

    • Check the login tables for null passwords (mixed mode). Run the following SQL

      use master
      select name, Password
      from syslogins
      where password is null
      order by name

    • Use a low access user account for SQL Server service not LocalSystem or Administrator. This account should only have minimal rights (Run as a Service Right IS required). If you use Enterprise Manager to make this change, the ACLs on files, the registry, and user rights are done for you.
    • Check the other extended stored procedures, delete as you see fit.
    • Don't run SQLMail unless you have to.
    • Don't use TCP/IP as a network protocol unless you have to.

    Finally, MS have released a bulletin [microsoft.com]

Machines have less problems. I'd like to be a machine. -- Andy Warhol

Working...