New Microsoft SQL Server Worm
Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
I think if someone got this one, they probably deserve it. If it attacks computers that don't have passwords, they could have prevented it. NetBIOS shares are a big hole too, without a password. It's a given.
Trying is the First Step to Failing --Homer Simpson
I must take pity on Microsoft for their situation - being so large and omnipresent, they are a constant target of attack. Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up, but that is a whole philosophical problem for Microsoft, so I can only pity them, not aid them.
-Leo
A move befitting Microsoft would be to prosecute those people that get infected with the worm. However, Microsoft probably won't put much effort into finding whoever made the virus. They don't seem to care about virus writers, unless there were a virus that caused CD burners to write copies of Microsoft products..
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
"When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." wow .. so I guess now the administrators using Microsoft SQL have to be smart enough to set the password :)
but seriously, this is a very bad programming 'feature' .. if you can call it feature. At least be kind enough and set the password to something default .. oh wait, that won't help it at all :)
- mescaline - its the only way to fly -
here is what i read
.. waitaminute
"A new unmaned worm has been released"
Cool, at least M$ cares about its pilots
Ooh, ooh! I know! We can call it the Dumbass Worm!
Seriously though, If you don't set up an admin password on your server, you deserve to be hacked. Mercilessly.
SIGFEH
New halitosis worm reported to affect people who haven't installed the new toothpaste module.
when salmon are outlawed, only outlaws will have salmon
Usually Linux worms tend to need to run as root to do any real damage. .. well then I think you deserve to get smacked with that worm :)
And if you're dumb enough to run untrusted binaries as root
- mescaline - its the only way to fly -
Is it really so hard for Microsoft to *require* you to put in an administrator password? The three seconds it would have taken to add in that common-sense functionality could have averted the whole thing. Everything about this worm just reeks of stupidity, on both Microsoft and especially the administrators' part.
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
If a site is stupid enough to not protect their MS-SQL server with a firewall, they are probably dimwitted enough not to put an administrative password on, too.
Weapons of Mass Analysis
Before you trash Microsoft for "YAW" (yet another worm).
But you should trash dumbass SQL Admins who don't set passwords!! WTF, yeah, their installer may not prompt them, but shouldn't someone who knows how to log into NT or 2K know at least, "Hey, maybe this thing has a password too".
If they don't know that, they should take a sharp stick in the eye.
the only reason Microshaft products are still widely used is due to the fact that they are generally easy to set up. Maybe this will show some admins that an easy set up will skip details (although I don't really consider a password to be a "detail") and that perhaps with a little effort on their part, a much superior product can be had for free (mysql and postgresql). Anyway, just my 2 cents.
I mean, any software listening to the internet for administration purposes without a password should buy the admin a nice warm place between cardboard boxes and the joys of unemployment.
- installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and
- exposes their corporate database to the web
is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well, if you're hit by a BIND, sendmail or wu-ftpd exploit then your sys admin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway. P.S. Does anyone know if there's a way to keep MSDE from listening on TCP/IP connections? There's Named Pipes, but from what I was able to tell, that only works on WinNT, and not on 9x.
Well, your life was apparently a waste. You didn't even make FP
It's the FBI's Magic Lantern at work. Does anyone doubt that Al Qaeda's terrorist cells run IIS? Honi soit qui mal y pense.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Interesting. I think randomly accessing the A: drive and infecting its boot sector would also be a bad virus symptom. It's scary when security seems less and less up to them and more up to us.
"Wireless : LAN
Of course M$ can't do that... that would require them to abolish their anti-logic improbability drive that they use to bend the US Court System's Better Judgement.
I just find it interesting that they don't do something like that and yet still require me to have a "user" with individual preferences for the Win98 I have on my IBM I-Can't-Believe-It-Doesn't-Thinkpad...
Twain said it best: "No wonder truth is stranger than fiction. Fiction needs to make sense" (Or something like that... I got it out of Men's Health and I'm too lazy to go look it up...)
Karma: Non-Heinous
Any connections to this? I don't suppose this new worm also violates the SSSE or whatever act (M$ response: DAMN TERRORISTS!).
Compaq Insight Manager XE uses this (MSDE) too. Account 'SA' (SQL Admin) with no password. It's included on the Management CD, packed with all of their servers.
Carthago delenda est!
Using Red Hat RPMs, MySQL doesn't ask you to enter a root password either. Is this something that Red Hat or MySQL developers worry about?
Important news just to hand. Microsoft boxen with no password set are at risk of being attacked. Quick, everyone convert to Linux before it's too late. Anything by Microsoft is obviously an inherently Bad Thing, as this worm goes to prove.
The default password for the SA account on the MAJORITY of SQL servers is blank. For the majority of servers with lazy administrators, the password will be the Microsoft factory default of absolutely nothing. Imagine a company with a huge SQL based system put to run everything including payroll..... with a blank SA password.
The worst terrorist attacks in recorded history happened in September, and now we're involved in a war against Islam during the holy month of Ramadan, and people actually use Microsoft products? My *god*, people, GET A FUCKING CLUE!
You people disgust me!
Playboy got hacked last week. No one talked about it; they were using UNIX. If they were using Windows you'd have heard about it within a minute of the report.
That some 5c2|p7 k|dd|3 bet $5 with each of his/her friends that he/she could write something out of a worm kit that he could get a LOT of corporate data and that most people can't set a password?
Seriously, hang the dork that EVER sets blank passwords. This will help clean out the gene pool. Thank you, and God Bless.
Karma whorin' since 1999
Forget I wrote that.... nevermind.
Karma: Non-Heinous
systems wrongly configured with Microsoft SQL Server software
:)
I couldn't have said it better myself.
You know, back in the "good-ol'-days" of 1993, we didn't need no stinking passwords on our servers. You could leave holes in your software so big you could drive a mack-truck through and be completely safe. I tell you, it's those no-good kids that have nothing better to do than to drop out of school after only a Masters degree under their belt and turn to a life of crime destroying the saviour--Microsoft. uhm, yeah.. That's it :)
"hell," I think is the word you're looking for. As in, "To Hell with the Devil." You know, Stryper, 1986?
...should switch to Linux/Apache. That way all they would have to do is remember to keep the patches current... umm... nevermind.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Too bad I know a guy who doesn't set admin passwords on his SQL servers that can't be fired. It's his company. In all other respects, he's probably one of the best programmers I know.
You'd be surprised at the number of admins who know how to do exactly what they should do, but for some reason, consciously choose not to do it.
I may be wrong but I believe there were several Linux worms last year, such as l10n and wasn't it ad0re or some such? I can't remember....but I definitely read on securityfocus.com about the lion worm which was a Linux worm. And no, you don't need to "run it as root", it's a worm, not a trojan. It uses known exploits to gain root all by itself.
you know, you can't ride the concept of the horse.
Interesting...I assume one loses even more karma when he doesn't garner the fruits of his sin?
No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from their targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!
MS has always played to the LCD in computerdom - there are relatively few who have the wherewithal and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists its support on its vendors - saves them a bundle.
Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting their insecure product - as well as upgrades in order to get more security.
Criticize them as you want - but Microsoft has a good business model in getting everyone and their puppy into what should be advanced products. Then they try to educate their users as to why security is important. Backwards as it is, it seems to be working for them, too.
"Depression is merely anger without enthusiasm." - Anonymous
A new unnamed burglar is at large. More specifically, this new burglar targets homes with their front door left wide open while everyone is out. The burglar walks into the house, eats food out of the fridge, uses the toilet, doesn't flush, steals everything valuable, and leaves. Although this can be a fairly malicious burglar, it is very unlikely to attack many homes due to the fact that the majority of homeowners lock their doors when they leave the house.
by THE_MESSENGER, Troll Staff Writer
HELSINKI - It has just been learned that any Linux box with an unset "root" password is vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," Johnson reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."
However, knowledge of this flaw is fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ cryptanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."
There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.
"Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."
Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.
It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no try again...
It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowledge concerning this among the management types, maybe they wouldn't take so much flack after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).
Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
If you're gonna email, use the public key!
I apologize in advance for this rant, but I'm currently in a battle with the executives at a client firm (I consult) over this exact issue. At once I feel both vindicated in that this is finally a real threat, and infuriated that I have to fight with these morons over questions that are really this obvious.
Not to defend Microsoft, but the main reason that there is no default password on this sort of setup is because Microsoft assumes the following:
1. This software will be run by monkeys (monkeys in power is our business model).
2. Monkeys can't remember a password.
3. Monkeys won't understand the need for one anyway.
This is not directly Microsoft's fault, but rather the nature of business in general. M$ makes so much money off of this because business wants to employ monkeys (they're cheap, you see).
Sadly, I have to crack Administrator passwords on NT, say, once every two weeks, because someone "forgot" it.
Heck, Milnet was a playground for hackers because of default and blank passwords for almost two decades. Same reason.
Sometimes, being a responsible, password-using, security-loving administrator in this world is--well--depressing. When I look around at my "peers", I see tons of dumbasses that shouldn't even have access to the Administrator password, let alone a keyboard. I mean, I actually have arguments with these people about even *NEEDING* passwords at all! I get defenses like "we're too small to be hacked" or "we don't have anything to lose if we get hacked"!
I mean, seriously, while there are some pretty cool and froody NT admins out there, most NT installations began with some primate stuck in front of a computer and asked to "make it go".
I think I just realized that without the M$ crutch, 75% of the so-called IT admins wouldn't even be able to find their ass. I hear all the time about how Windows has provided "easier tools" and "platform standardization". What really happened is that M$ turned the complex and exacting task of system administration into a game of "click the button" with all of the "hard choices" (like passwords) labeled with scary phrases like "Advanced" or "This will require more configuration". I suddenly realize that what M$ really did is lower the IQ requirement to become an administrator to the point that most of these clueless jerks defend M$ because it keeps them from having to shovel manure for a living. Really, M$ manipulated the industry by flooding it with idiots that must be firmly locked to the Redmond teat--knowing that they will do more than Billy G. and the Spin Squad could ever do to defend his monopoly!
So is this situation Microsoft's fault? By design, maybe. Directly, no. It is precisely because business *wants* to employ cheap idiots that these bugs exist. It's just that M$ catered to that whim and developed a horde of pundits that cling to its ways for their own livelihood.
The worst part is that I have personally passworded probably 40 SQL servers (most of which doubled as a public web server) for small businesses. I've created entire password policies for hundreds of users. It is infuriating to me that--despite gross evidence like this--whenever I do a security audit, I have to drag these people kicking and screaming to use passwords, remember them, make them secure, periodically change them and, for god's sake, don't write them down! Is that really so much to ask?
Oh well, at least I get paid to fix it for the three clients I have that have INSISTED that their SQL servers have no passwords. The really ironic thing is that all three only use SQL server for an accounting package and their administration couldn't be bothered with passwords--and now all their accounting data is at risk. The ironic humor of this has not escaped me.
you will probably be hit by this worm too...
this worm attacks a stripped down version of the Microsoft SQL Server; this version is not only installed with Visio and Access, but with hundreds of freeware and shareware programs on the market, often without asking the user for a password, so the users (Joe Average) often don't know about the SQL Server running in the background.
"without password" is also not true, but there is a standard password set; if I remember right it's "SA".
the error Microsoft made was to enable remote access to this small SQL Server version...
so.. most often this worm will not hit computers with "administrators" at all...
sorry for my bad English,
greetings
another AC
SQL Server is a database engine. Apache is a web server. Replacing one with the other wouldn't do you much good..
could you post a link, please?
My other car is first.
why m$ worms make news is a mystery to me. granted, a lot of people use m$ products, but we've grown tired of the repetitive "new worm in microsoft (insert product)" news. i think everyone by now knows that m$ isn't the way to go if you want inherent security in your OS. let it go.
on a lighter note... XP product activation has become so annoying that otherwise-legitimate users have resorted to piracy to avoid the hassle.
c'est la vie
As already pointed out, later versions do require passwords. How do you figure asking for a password to be set would bog down tech support? Windows 2000 even asks for one by default.
Can we please quit announcing Microsoft exploits? Exploits on Microsoft products are new in much the same way that New England isn't. I'd just as soon take it as read that their products are the swiss cheese of the industry and get on with my life.
And now back to the wall.
Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
It just occurred to me that MySQL actually doesn't allow connections from anywhere other than localhost by default, so my statement that a MySQL worm could do more damage than this MSSQL worm was probably in error. Ignore me. Even so, this is still a user problem more than a software problem.
Heck
I think if you look at it from an angle, you'd find out this might actually be a good thing. This piece of "innovation" might render the likes of FreeTDS simply obsolete.
Using a MS SQL Server from a Linux host has always been difficult, now you can simply use IRC to fire your sql statements and get your data! Information at your fingertips. Information at everyone's fingertips!
Dave
This report is so November 22nd. Worm goes out, people notice, the IRC servers (bots.kukijiri.net) DNS gets waxed, non-event.
So, people who got infected during the very short lifetime of this thing need to basically scrub the boxes, because BackOrifice, etc. could've been installed during the interim. But this is Old News; hell, I figure even that pretentious dumbass John Katz already knew about this one before some moron put it on the front page like it was a 'scoop', or something.
A password prompt at install is not something only Microsoft has decided to not bother with. I recall MySQL not forcing me to set one either. Although it tells me to, it doesn't force it.
But then, why should an "admin" be forced to set any passwords at all? These are the geniuses who would use "god" or "password" as a password anyway.
It's just something that is so common sense as to be ridiculous.
not corporate database servers at all (some probably, but not most). It's most likely going to hit Joe SixPack that installed his warez copy of Windows XP and SQL Server 2000 on his primary computer which is hooked up to his cable modem 24/7 and he has no idea that SQL server has a password at all.
I am astounded at the number of security holes in Microsoft software while I have barely heard anything of Macintosh software security holes.
Does anyone know some recent news of security holes in classic Mac OS or other operating systems not including Windows and *nix?
but I forgot it.
rehab, captain ahab, you're chasing the wrong fish!
You see, I've had this strange itching sensation in my nuts for the past weekend, probably due to having gay sex with your dad. Still, it's a lot safer than having sex with that fat ass bitch you call your mom.
I remember one time in 1988, i had sex with cows and chickens on the farm, oh my god i was in heaven.
Thank you for listening to this.
f4g b0y
It was posted in The Register, too lazy to search for the article tho.
According to uptime.netcraft.com:
The site www.playboy.com is running Netscape-Enterprise/3.6 SP3 on Solaris.
could you post a link, please?
http://www.theregister.co.uk/content/55/22959.html
UPDATE world
SET all_your_base = "are belong to us"
WHERE do_you_want_to_go = "today"
http://money.cnn.com/2001/11/20/news/playboy/
If this turns into another Microsoft bashing party, some people need to get a clue. This isn't Microsoft's fault; I don't see a database server as something that should have a pretty wizard or wonderful config tool. And Microsoft is not the only database server out there that has no password by default. First off the top of my head would be MySQL. Every install I have ever done of MySQL has always been followed up with the setting of the "root" password. If the administrators of internet accessible systems can't take the time to set passwords on all their services' admin interfaces then they deserve what they get. If this were some backdoor that would work no matter how much care the admin took to secure the service then great. Let's get pissed at Microsoft and bitch a little. But don't forget that stuff on the other side of the fence is no better. How long has the BIND source code been available to look at? And how often in the past have there been AMAZINGLY big holes in BIND? Instead of doing nothing but bitching about the problem, let's try and come up with some solutions and get the word out on safe programming/administration practices.
The exceptions are when OS user integration is used for DB authentication - then it is often a Domain Admin account that is used. Another crime just waiting to happen!
"Flyin' in just a sweet place,
Never been known to fail..."
CodeRed often travelled on employees' laptops. They came in from their home DSLs into environments with lock-down net perimeters - physically and via VPN. I'm afraid that this is the vector of opportunity for this new worm.
"Flyin' in just a sweet place,
Never been known to fail..."
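The two posts above describe the observable footprint of an infection: an inbound connection to the SQL port from a host that should not be talking to it (a returning laptop, or the Internet), followed shortly by the server itself opening an outbound IRC session to the bot network (the thread names bots.kukijiri.net). The query below is an added example, not code from the thread or from any vendor, showing how to hunt for that sequence in a connection log loaded into SQL Server. The table layout and every sample row are constructed for the example; 1433 is SQL Server's default TCP port, and the IRC ports are an assumption, since the thread gives the IRC host name but not the port.

```sql
-- Added example, not code from the thread: hunt a connection log for the
-- "1433 in, then IRC out" sequence described above. The table layout and every
-- sample row are constructed for this example; the IRC ports are an assumption.
SET NOCOUNT ON;

CREATE TABLE #conn (
    ts       datetime     NOT NULL,   -- time the connection was accepted
    src_ip   varchar(15)  NOT NULL,
    dst_ip   varchar(15)  NOT NULL,
    dst_port int          NOT NULL,
    dst_name varchar(255) NULL        -- destination host name, when the log has one
);

-- Constructed sample: 10.9.9.5 is a laptop back from a home DSL line,
-- 10.1.1.20 is an internal SQL server with a blank sa password.
INSERT INTO #conn VALUES ('2001-11-22 09:01:00', '10.9.9.5',  '10.1.1.20',    1433, NULL);
INSERT INTO #conn VALUES ('2001-11-22 09:01:30', '10.1.1.20', '198.51.100.7', 6667, 'bots.kukijiri.net');
INSERT INTO #conn VALUES ('2001-11-22 10:00:00', '10.1.1.20', '10.1.1.50',    1433, NULL);  -- victim scanning onward
INSERT INTO #conn VALUES ('2001-11-22 09:05:00', '10.1.1.30', '10.1.1.40',    1433, NULL);  -- ordinary application traffic
INSERT INTO #conn VALUES ('2001-11-21 20:00:00', '10.1.1.50', '203.0.113.9',  6667, NULL);  -- IRC with no prior 1433 hit

-- Rule: a host that accepted a connection on 1433 and, within an hour of it,
-- opened an outbound IRC connection or anything to the quoted C2 domain.
SELECT DISTINCT
    sql_in.dst_ip    AS suspect_host,
    sql_in.src_ip    AS infected_from,
    sql_in.ts        AS sql_connect_at,
    irc_out.dst_ip   AS irc_server,
    irc_out.dst_name AS irc_server_name,
    irc_out.ts       AS irc_connect_at
INTO #suspect
FROM #conn AS sql_in
    JOIN #conn AS irc_out
      ON  irc_out.src_ip = sql_in.dst_ip
      AND irc_out.ts BETWEEN sql_in.ts AND DATEADD(hour, 1, sql_in.ts)
WHERE sql_in.dst_port = 1433
  AND (irc_out.dst_port IN (6667, 6668, 6669)       -- assumed IRC ports
       OR irc_out.dst_name LIKE '%kukijiri.net');

SELECT * FROM #suspect;

-- Follow-up: hosts the suspect reached on 1433 after joining IRC are the next
-- ones to check. Rebuild the suspect rather than just setting a password;
-- anything could have been installed through an open sa account.
SELECT c.src_ip AS scanner, c.dst_ip AS probed_host, c.ts
FROM #conn AS c
    JOIN #suspect AS s ON s.suspect_host = c.src_ip
WHERE c.dst_port = 1433
  AND c.ts > s.irc_connect_at;

DROP TABLE #suspect;
DROP TABLE #conn;
```

With the sample rows, only 10.1.1.20 satisfies the rule: 10.1.1.50 talked to IRC the evening before it was probed, so the time window rules it out, and the 10.1.1.30 to 10.1.1.40 traffic never leaves the database tier. On a real log the one-hour window and the port list are the knobs to tune; the domain match is the higher-confidence signal, since the thread reports the bot network's DNS was taken down once the worm was noticed.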
The first operating screening firewall I know of on the ARPA was our old friend, gatekeeper.dec.org.
"Flyin' in just a sweet place,
Never been known to fail..."
.. I mean, with all the worms/trojans/virii .. who cares? so what? where's the point? we all knew it would come to this, why the post? it not like these are rare or something..
some people need to get a life
The problem isn't really that the password is empty. It would be just as bad with *any* default password. Remember "scott"/"tiger" on Oracle?
The installation you refer to doesn't listen on a TCP/IP port; you have to configure that yourself in the registry. Therefore these installations are not vulnerable.
Never underestimate the relief of true separation of Religion and State.
Does this sound familiar: another virus attacking Microsoft software? Like I've never heard anything of that sort before.....
What's in a Sig?
However, Microsoft did start to pick up on the fact that this is not a good practice when they put out Service Pack 3 for SQL Server 7.0. You have to select a lot of things to tell the system to not set an "sa" password if one does not already exist. If you tell the system to not use an "sa" password, then it will set the default on changing the security authentication to NOT use SQL authentication, but the builtin authentication of the NT/2000 OS instead.
However the usage and installation of the SQL service packs are not as widespread as the ones of the OS, and I don't think that it is something that will be applied for you automatically via the Windows Update facility. So you actually have to go and download it and install it.
However if an admin cannot bother to eliminate access to their SQL database from the web, or set an "sa" password, then they are not even going to think about applying service packs.
A blank password shouldn't be allowed in the first place. Nor should a default (known) username.
SQL sites should switch to Apache? How stupid can you be? SQL is a DATABASE, Apache is a WEB SERVER. The two are completely different.
Get back to school.
I used to design schema too, but then I got high.
And now I'm patching one fucked dee-bee and I know why.... 'cos I got high, 'cos I got high, 'cos I got high.
It's not the admins that are infected by these things, it's the home users. I started out with Linux two years ago and got hit by a wu_ftpd exploit soon after. Then I began learning - quickly. I think a licensing scheme should be introduced before you're allowed to have an internet connection that receives SYN packets, or perhaps a connection at all. Like driving licenses - people with no idea what they're doing are dangerous and can hurt others.
Yes, Slashdot must have had something to do with this password exploit in Linux. Try setting an easy to guess or no password, and it aborts complaining about a lame password, try again.
Aughghgh! The lameness filter! So many root accounts. How will I ever remember them now?
"majority of Microsoft SQL servers have administrator passwords."
/features/ that viruses usually have in them - into the MS code base... and I mean the good aspects - I mean, if you think about it - some viruses out there offer a great deal of functionality with a really limited code base...
I think the point is here - to show that there is so much you can do with Microsoft's Open Scripting Language - provided you set no passwords - the options are boundless (AND I AM NOT TRYING TO BE A TROLL)
What I am saying is that maybe M$ should learn from all the virii out there that use their products as food - the virii writers have shown a lot more talent at exploiting others' code than the several thousands in Redmond - and if MS could take advantage of the "inter-op-ability" (e.g. how easily virii get MS code to do what they want) - then maybe they would have some *true* innovation - which is all they have really wanted in the last decade...
I mean seriously - wouldn't it be good for MS to actually use virii in their products as learning tools and incorporate the generally *small* (as in comparison to every bloat-app that MS writes) code base of
(doesn't mean that those features are what you want - but that is not the point).
We should learn from this electro-bio-organism that is computer virii and see that you can take advantage of a core architecture and get many things accomplished (which is a whole other topic) - anyway.. I can see long term benefits... too many to list in this state of drunkenness....
reply please.
Didn't you know the moon is made of swiss cheese too? Aliens rooted the moon many years ago. It's just been recently, within the last decade when the Microsoft Windows line of products has been released, that the world has been invaded.
The war of the worlds has begun. The FBI^H^H^Hborg now has a large cluster under its control. Our new government has everything under control.
Anyone who falls victim to this 'worm' gets what they deserve.
On the other hand, given Microsoft software's propensity to spoon-feed the user absolutely everything, how difficult could it have been to FORCE the administrator to enter a password at install time?
In effect, Microsoft knows its customers are half-wits, so it owes a duty of care to protect these morons from themselves...
I can see a class action suit brewing.
Although it's hard to look into the future I have a feeling we're at the start of something new and icky. Don't forget that a lot of websites using IIS also have a connection to some SQL server in order to store/retrieve data. This exploit may only be capable of doing harm without a SU password; don't toss it away with "blech, there's no harm in that" and forget all about it. It just might haunt us after all.
One benefit of having programs (including installations) easy to use is that *ANYONE* can do it. For some things that might be an extremely BAD idea.
Ease of use is great for end users. Not for administrators. I believe that making software which makes administering computers/networks/databases trivially easy for administrators is just asking for it.
From netcraft The site www.playboy.com is running Netscape-Enterprise/3.6 SP3 on Solaris
Um, I don't think you can associate the words "Joe Sixpack" and "SQL database server".
Perhaps you mean the "Warez Kiddies"?
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
"it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."
Only the "majority", not "virtually all"? MCSE certification takes another step downwards! And it's already on the 23rd sub basement!
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Yup; I've had this issue, too, running tech support. The number of times I asked "what's the password..." and was told:
sa/sa
sa/password
sa/*blank*
sa/admin
sa/administrator
Even when a password is set, it's often not strong. To put it mildly.
Trifle not with Dragons, for you are crunchy - and go well with catsup.
Maybe they just wanted to put windows ex-users at ease :^>.
Ciao
----
FB
If you're an M$ admin and you don't set an administrator password for your SQL server, you deserve what you get.
Snoozer.
Many products that rely on MS SQL make you not have an sa password. Also, many people who outsource for accounting needs are huge victims of this.
btw, don't ever let anyone use Solomon. It's a huge pain in the ass. But then, I don't know any other accounting software out there. (MS bought them out, don't support Novell, etc.)
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
NEW MICROSOFT SQL SERVER WORM
Hey Microsoft!
Ask yourself how many times that headline's been seen in the past two years.
Then think about it.
-Chardish
can you even charge someone with breaking and entering if your house doesn't actually have a DOOR?
I second the motion to name this the "dumbass worm"
Ummm, how many dumb users know how to use M$ SQL, or how many DBAs do you know that are not intelligent? If they don't know how to use SQL then they shouldn't be using it.
To keep the db password out of your ASP files, don't make your connections in ASP at all. Make your connections and queries in COM components and handle your dataflow and business logic there.
Most COM components are compiled and thus not plaintext, additionally, they can be stored outside the Inetpub structure, making them more difficult to access. If application scalability is a concern, the components can reside on their own server.
This is how you should be doing database work in ASP anyway. Making direct SQL calls in your ASP is a bad practice, and violates the basic principles of the N-Tier model.
The simple fact is that the majority of these worms and viruses are targeted at Microsoft because... well, they're Microsoft, and they hold the majority. Non-Windows users laugh, but the fact is that if most people used Linux, we'd be seeing many more attempts to exploit Apache, Mozilla, and most other Internet apps commonly used for the OS. If we all stuck to OSX we'd likely have exploits developed to attack OSX Server, Mail, Netscape, and so on.
That's not to say that Microsoft's IIS or SQL software is rock-solid, just that we wouldn't be hearing of "yet another worm" if it weren't for the worm makers' desire to cause the most damage possible. I do agree that any network admin who leaves a critical server without a password should likely incur whatever wrath is inflicted upon him as a result of it!
I just recently installed a sample web application from M$, yes it was .Net, and it came with one of these MSDE databases. When I opened up the server manager I was surprised to see several IP addresses in it. There are several @home users with SQL Server installed and many with no sa password; don't ask me how I know that. Many of these boxes also have infected IIS installs too. As if I don't get enough Code Red/Nimda hits as it is. I'm glad I uninstalled that thing, because I am sure it didn't have a password and I am not sure how I could set it.
Does anyone know about the functionality of the little engines, and are they affected by this worm?
LT
This strikes me as more of a flaw in Microsoft's approach to the whole idea of domains & directories. The database itself should not have a password assigned to it. Rather, at creation time, the database should be associated with a container object in a directory (Active Directory, Novell Directory Services, NT 4 Domain, NT Workgroup, whatever), and users, or groups of users, should be added to that container as needed. For instance, if you want someone to have Administrative rights to the database, then you should pluck them from the Active Directory (or NT workgroup, or whatever) and grant them some kind of "Full Control" permission to the container object associated with the database. Everyday users of the database should be granted something like "Read" or "Read/Write" permissions to the associated container, or to some record object within the associated container.
At installation time, the install program should refuse to proceed if no user [or group of users] from the Active Directory has been granted "Full Control" rights to the associated container object.
There is a lot of stupid custom software written that needs MS SQL server with an admin account that has an empty or fixed password. I have installed this stuff before.
It's crappy stuff, but I don't pick it, and I don't think I have the business understanding to know how to pick something better that is still useful to the company.
All you can do is try to turn off remote access or firewall the thing...
1) Database is behind firewall, which doesn't allow direct access to database from anyone besides the web server,
2) All database calls are through stored procedures, and the sql password used by IIS has stored procedure privileges only, and
3) the web users' username/password is stored in the asp session, and passed in to stored procedures.
In our case, we also have SSL on the entire site. At one point we experimented with client-side certificates, but support on our clients' boxes was pretty iffy - we had to back off that.
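The three rules in the post above (database reachable only from the web server, all access through stored procedures, a web login that can do nothing else) and the earlier advice to keep direct SQL out of ASP come down to one thing on the database side: the web tier's login gets EXECUTE on a handful of procedures and no table rights at all. The T-SQL below is an added example, not code from the thread or from any poster; it assumes SQL Server 2005 or later (CREATE LOGIN, EXECUTE AS, TRY/CATCH), and the database, table, login name and password are hypothetical placeholders. The firewall rule for port 1433 is outside the scope of SQL and is not shown.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005+.
-- Names and the password are hypothetical placeholders.
USE master;
GO
-- Login used by the web tier: a real password, no server-level roles.
CREATE LOGIN web_app WITH PASSWORD = 'Use-A-Long-Random-Secret-Here!42',
    CHECK_POLICY = ON;
GO
CREATE DATABASE shop_demo;
GO
USE shop_demo;
GO
-- Map the login to a database user but add it to NO database roles
-- (no db_datareader, no db_datawriter, certainly not db_owner).
CREATE USER web_app FOR LOGIN web_app;
GO
CREATE TABLE dbo.customers (
    id         int IDENTITY PRIMARY KEY,
    name       nvarchar(100) NOT NULL,
    card_last4 char(4)       NOT NULL
);
INSERT INTO dbo.customers (name, card_last4) VALUES ('Alice', '1234'), ('Bob', '9876');
GO
-- The only door the web tier gets: a parameterised procedure. Because the
-- procedure and the table share an owner (dbo), ownership chaining lets the
-- procedure read the table without granting SELECT to web_app.
CREATE PROCEDURE dbo.get_customer @id int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name, card_last4 FROM dbo.customers WHERE id = @id;
END;
GO
GRANT EXECUTE ON dbo.get_customer TO web_app;
GO

-- Check: impersonate the application user and try the allowed and the
-- forbidden paths. Only the first statement should return data.
EXECUTE AS USER = 'web_app';
    EXEC dbo.get_customer @id = 1;          -- works: one row, via the procedure

    BEGIN TRY
        SELECT * FROM dbo.customers;        -- denied: no SELECT on the table
    END TRY
    BEGIN CATCH
        SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
    END CATCH;

    BEGIN TRY
        SELECT name FROM dbo.customers WHERE name LIKE '%'; -- still denied, even with a "nice" query
    END TRY
    BEGIN CATCH
        SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
    END CATCH;
REVERT;
GO
```

With this layout an attacker who learns the web_app password (say, from an ASP file) can call get_customer and nothing else; injecting `'; DROP TABLE dbo.customers --` through the application fails on permissions, and xp_cmdshell is out of reach because web_app is not sysadmin. The same split applies to a COM tier: the component carries the web_app credentials, and web_app is still worthless beyond its procedures.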
From a post to NTBugTraq:
If they were running the highly secure Oracle instead of SQL Server they wouldn't be impacted.
Larry Ellison is such a smarter man than Bill Gates!
He doesn't let you install Oracle with a blank password. Hell he doesn't even prompt you at install time to find out if you want to set the admin password at all. Instead he just puts something really really highly secure in place by default.
That something is:
CHANGE_ON_INSTALL
See how much more secure this is than just having a blank password?
Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.
There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for businesses (so, there might be a company that specializes in a database product for food manufacturers, etc.).
These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server; they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and voilà, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).
So yes, this is stupid, but it is not as braindead as installing redhat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.
Sounds like you need to press management for creating a list of application and database standards so that you don't get cracked out companies trying to deploy applications with hard coded passwords.
Here at work, I had to do just that. We are deploying 3 production SQL Servers and we had no standards base. I developed a list that says specifically the dos and don'ts. If an application doesn't pass the test, we hand it back to the vendor and say "fix it or sell it to someone else."
Keep pressing management on your current vulnerabilities. E-mail them links to security holes just like this with a note saying "yes, we ARE vulnerable to this." Keep a record of it. That way when "they" try to come down on you, print out the copies and hand them over as your answer.
Every day when I hear about new vulnerabilities, I e-mail links to the admins in charge of other systems, managers and the poor help desk personnel that often catch the user anger.
Yes, it is your damn fault for getting that worm. If you're gonna have unpassworded sql servers, at least have some sort of IP block.
ComPath, http://www.compath.com has an open sa account on their Solomon accounting database. It is sitting behind a NetScreen firewall, but there are holes in it to allow some traffic . . .
administrator in this world is--well--depressing. I mean, I actually have arguments with these people about even *NEEDING* passwords at all!
Loving security is good. Loving passwords is lame. Before I get flamed, let me say that I DO believe that security is an important issue. My gripe is specifically about passwords as the main and (usually) only way to enforce that security.
Given that the standard marketing manager has at least five passwords to remember - system login, CRM system login, order system login, HR system login, pr()n site login :-) - it's a wonder that you have any security at all left. If admins really want to have an effect on security, get your organization to move away from passwords and onto smart cards or biometric validation. It's a lot easier on you and your users.
That is all.
By default the sa account has a server role of system administrator. For non-SQL users this means it gets god rights. The best security practice is to remove these rights, making the sa account useless.
Then set up another account with a funky name that no one knows. As far as developers go, if you're in an NT shop USE NT SECURITY; then you don't have to worry about anyone knowing passwords.
Even if you can't do this, you can deny access to the part of the system that makes the SQL server vulnerable. I'm assuming that this virus calls xp_cmdshell, which gives you access to the command prompt. As well, all extended stored procs should be disabled for the sa account.
The sa account is not the same thing as root in Linux. It can't be deleted, but its rights can be reduced like any other account in the system.
In fact, the SQL Server 2000 install routine allows you to change the main DBA's login name from the default "sa" to something else, and also allows you to set a password on the same screen.
Dunno about older versions though.
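The sa hardening described a few posts up (give sa a real password, stop using it, put the real administrators on a named login, and take xp_cmdshell away) can be scripted, together with the one check everyone in this thread actually needs: which logins still have a blank password, or a password equal to the login name (the sa/sa case from the support calls). The script below is an added example, not code from the thread or from any poster. It assumes SQL Server 2005 or later (sys.sql_logins, PWDCOMPARE, ALTER LOGIN) and SQL Server 2012 or later for ALTER SERVER ROLE; the login name dba_ops and both passwords are hypothetical placeholders.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005+ (2012+ for
-- ALTER SERVER ROLE). 'dba_ops' and the passwords are placeholders.
USE master;
GO
-- 1. The check: SQL logins whose password is blank or equals the login name.
--    PWDCOMPARE hashes the candidate with the stored salt and compares.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1      -- sa/*blank*
   OR PWDCOMPARE(name, password_hash) = 1;   -- sa/sa
GO
-- 2. Give sa a real password, then disable and rename it, so a scanner that
--    guesses 'sa' hits a dead login even if someone re-enables it later.
ALTER LOGIN sa WITH PASSWORD = 'Long-Random-Secret-Kept-In-A-Safe!17';
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_disabled];
GO
-- 3. A named sysadmin login for the people who actually administer the box,
--    so that nobody needs the old sa password. Windows logins are preferable
--    where the shop has them; this shows the SQL-login form.
CREATE LOGIN dba_ops WITH PASSWORD = 'Another-Long-Random-Secret!93',
    CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER dba_ops;
GO
-- 4. Turn off the extended procedure that turns a database login into a shell.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
GO
-- 5. Verify: sa_disabled is disabled, dba_ops is a sysadmin, xp_cmdshell is off.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name IN ('sa_disabled', 'dba_ops');
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
GO
```

Two caveats a practitioner will want. First, step 4 is not a boundary: any sysadmin can run sp_configure and switch xp_cmdshell back on, so the real control is not giving application logins sysadmin in the first place. Second, on SQL Server 2000, which this thread is about, the equivalents are `SELECT name FROM master..syslogins WHERE password IS NULL` for the check and `EXEC sp_password NULL, 'new-password', 'sa'` to set the sa password; there is no DISABLE, so the 2000-era answer is a strong password plus a firewall on port 1433.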
I worked at a company whose software required the sql password be set to 'sa'. This was software that dealt with millions of dollars of assets. I pointed this security flaw out several times and was ignored.
I don't work there anymore.
-- Will program for bandwidth
And if you want to use a blank password, you must forcibly check the box called "Use Blank Password (not recommended)" during your installation.
In case of fire, do not use elevator. Use water!
Meept!!s Super Destruction Emptor
Mutilate Software, Destroy Everything
Merrily Strangle Database Experts
MEEPT!! MEEPT!! MEEPT!!
I don't know how they got the figures. But Netcraft is traditionally very even handed and reasonable.
This new virus probably won't help those figures very much.
So remember... If you buy from a web site running IIS you have a 10% chance that your credit card number is going to be sent directly to a guy who calls himself Hax0rDo0d.
I don't want to flame MS for this since customers demand that no password be installed by default. But on the other hand theres no need to go over board and buy from hax0red web sites just to be nice.
I run Micros~1 programs
I'm very happy
I'm very happy
'Coz I know when there is a patch out
even in my Local Newspaper
You know, announcing all this Microsoft patch news is actually making people trust Microsoft, 'cos you will be notified when to upgrade.
I bet you wouldn't post some news every time they find a security hole in MySQL.
Haha.
What the hell are these SQL servers doing on real internet IPs and not behind a firewall? Moron, regardless of a password.
-- Jason...
After reading a good portion of this thread, I'd say that this industry is in a serious problem.
Applications being written that hardcode that no password can exist? Users refusing to enter passwords???
I'll generally throw a fit if I have to enter a meaningful password & it travels clear text on the wire (eg - billing information, or multi-purpose password tied to Kerberos). Call me paranoid, but this world has non-honest people. I've got a good 50+ passwords in my head from roots, GPG, shell accounts, web accounts, etc. Stuff has to be protected.
-Michael [Remove two parts of address to mail me]
Remember? That crap is still there... One of the oracle manuals lists about 10 or so default accounts and passwords... half of them I have no idea what they are for.
Thankfully I don't have to do much with oracle on the admin end because I'd have no clue to properly secure the bloated beast.
--- polarbear
There's another reason why sysadmins go for the password-free, no-security approach. It's easier, in the short term, yes, but there's also remote administration. Many sysadmins either (a) refuse to give out passwords to the people who actually use/run the servers, or (b) make those passwords empty so that they can control the machines from somewhere else in the organization without fear of interference from the local users. Going with route (a) is better from a security standpoint, but tends to infuriate the local users; if you leave the password empty, then as long as the local users aren't clued enough to turn it on themselves you're fine.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
It only takes a few seconds to change the sa password, true, and this is not a problem with the source either (it's a DBA problem, and has existed since the Sybase days). However, not everyone can or should upgrade to SQL Server 2000 just because of lousy security practices. M$ would love that, and will probably try and force you to do so, but this problem is not a whole lot different from the Code Red worm, where users were running an M$ web server and didn't know enough about what they were doing to understand this.
Actually, many dev servers don't have passwords. As long as they aren't exposed it shouldn't be a problem, but most companies leave their dev servers without a password and only set them for testing and production servers.
From the XP ad,
Yes you can.
I so agree with you. But you'll find unsecured SQL Server databases exposed to the public Internet all the time. I've seen it particularly with Small Business Server (package of Microsoft Back Office products, including SQL Server). A small company buys a package deal from a local vendor--they start hosting their own web pages, using SQL Server, and never even wondering about anything like security.
There is plenty of fault to go around here: the small business bears some responsibility--they're buying a tool without providing the resources to use the tool appropriately. But there are lots of small vendors out there that fancy themselves as Microsoft OEMs and ISVs, assembling kit computers, doing the basic install with zero configuration (or security updates) and plugging the box into the client's network. This is precisely the market for Microsoft's Small Business Server--a low budget tool, and frequently completely unprotected.
And sometimes it's the client
Sometimes the client absolutely insists on shooting himself in the foot. I have a proposal outstanding to a warehousing firm--they're dragging their feet, and part of the reason is that they don't want to pay for two servers. (One is publicly accessible, the other [which has the SQL Server installed] is not.) Why can't we use the same box as the web server and the SQL Server? Well, gosh--because then anybody with SQL Enterprise Manager can connect on port 1433, and keep retrying passwords as long as he wants--the login dialog never times out.
You heard it here first: this worm will affect a lot more companies that you'd think.
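The point above about anyone with Enterprise Manager being able to retry passwords on port 1433 indefinitely is worth turning into a detection, since SQL Server will not lock the login out for you. Once failed-login auditing is switched on, each bad attempt lands in the error log as error 18456 with the client address, and a query over those lines finds the guessing. The query below is an added example, not code from the thread or from any poster; the five sample rows are constructed to look like SQL Server 2005+ error-log text (the 2000-era message lacked the Reason and CLIENT fields), and in practice the table would be filled from xp_readerrorlog or the Windows Application log rather than by hand.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005+.
-- The rows below are CONSTRUCTED samples imitating error-log entries.
CREATE TABLE #errlog (
    logdate     datetime      NOT NULL,
    processinfo nvarchar(20)  NOT NULL,
    [text]      nvarchar(max) NOT NULL
);
INSERT INTO #errlog VALUES
('2001-11-21 02:14:03', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 02:14:03', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 02:14:04', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 02:14:04', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 02:14:05', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 02:14:05', 'Logon',  'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]'),
('2001-11-21 09:30:00', 'Logon',  'Login failed for user ''jdoe''. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.2]'),
('2001-11-21 09:31:00', 'spid52', 'Recovery is complete. This is an informational message only. No user action is required.');

-- Pull the login name out of the quotes and the source address out of the
-- "[CLIENT: x.x.x.x]" suffix, then count failures per source, per login,
-- per minute. '[CLIENT: ' is 9 characters long, hence the +9 / -9.
;WITH failed AS (
    SELECT logdate,
           SUBSTRING([text],
                     CHARINDEX('''', [text]) + 1,
                     CHARINDEX('''', [text], CHARINDEX('''', [text]) + 1)
                       - CHARINDEX('''', [text]) - 1)                       AS login_name,
           SUBSTRING([text],
                     CHARINDEX('[CLIENT: ', [text]) + 9,
                     CHARINDEX(']', [text], CHARINDEX('[CLIENT: ', [text]))
                       - CHARINDEX('[CLIENT: ', [text]) - 9)               AS client_ip
    FROM #errlog
    WHERE [text] LIKE 'Login failed for user%'
      AND [text] LIKE '%[[]CLIENT: %'        -- [[] escapes the bracket in LIKE
)
SELECT client_ip,
       login_name,
       DATEADD(minute, DATEDIFF(minute, 0, logdate), 0) AS minute_bucket,
       COUNT(*)                                         AS failures
FROM failed
GROUP BY client_ip, login_name, DATEADD(minute, DATEDIFF(minute, 0, logdate), 0)
HAVING COUNT(*) >= 5                                    -- threshold; tune per environment
ORDER BY failures DESC;
-- With the sample rows this returns one row: 203.0.113.7 / sa / 02:14 / 6.
-- The single jdoe failure and the informational line are filtered out.

DROP TABLE #errlog;
```

A burst of failures against 'sa' from one address is the signature of exactly the guessing described above; a worm that only tries a blank password shows up as a single failure per host, which is why the threshold should be paired with a second query that lists distinct source addresses trying 'sa' at all. Whatever the threshold, the response is the same: the address gets blocked at the firewall, since the database will not do it.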
What really blows my mind is how many programmers use the blank sa password, so that the SQL administrators have no choice about leaving it blank. OK, so I have taken a few too many support calls of this nature, but really....
LedgerSMB: Open source Accounting/ERP
Offtopic? How? I hope I get to metamod you.
... SP2 makes you enter a password for sa.
Service Packs = Good.
duh.
Worm needs stored procedures. MSDE doesn't have them. No worm. Fuckhead.
update comments set karma=-1, reason='offtopic' where sid=26315
First, having a smaller installed base (rarity) is not the same as purposefully hiding insecure practices (obscurity). It may not be any better, but it's completely different. Watch your terminology -- it's like saying that a social engineering attack is a kernel exploit.
Second, although I wouldn't want to rely on it, security through rarity is a statistical fact. MacOS has about 5% of computer marketshare, but it suffers from much less than 5% of vulnerabilities -- viruses, exploits, root kits, etc. There's a lot of black hats out there who just don't own (or 0WN) Macs.
How about the thief figures that, if you didn't want your house robbed, you would have locked it? =)
Yep, we give them a login, aliased to SA, and SA has a password, but they do have "an" SA password
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
This post deserves a heap of insightfuls. I used to think that ease-of-use isn't important for linux - before I read this post. I used to think 'Linux will get easy when it's done'. Now I realize that every day it's not easy is another day for micros~1 to increase its marketshare and profitability which it will use to squelch its perceived competition.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)