Slashdot Mirror


New Microsoft SQL Server Worm

Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."

4 of 290 comments

  1. Except... that would make sense... by ebbomega · Score: 0, Troll

    Of course M$ can't do that... that would require them to abolish their anti-logic improbability drive that they use to bend the US Court System's Better Judgement.

    I just find it interesting that they don't do something like that and yet still require me to have a "user" with individual preferences for the Win98 I have on my IBM I-Can't-Believe-It-Doesn't-Thinkpad...

    Twain said it best: "No wonder truth is stranger than fiction. Fiction needs to make sense" (Or something like that... I got it out of Men's Health and I'm too lazy to go look it up...)

    --
    Karma: Non-Heinous
  2. Priceless ZDNet Quote by alexburke · Score: 1, Troll

    systems wrongly configured with Microsoft SQL Server software

    I couldn't have said it better myself. :)

  3. And in other news... by Anonymous Coward · Score: 4, Troll

    Linux boxes compromised
    by THE_MESSENGER, Troll Staff Writer

    HELSINKI - It has just been learned that any Linux box with an unset "root" password is vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," John reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."

    However, knowledge of this flaw is fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ cryptanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."

    There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.

  4. Symptoms of A Bigger Problem (aka Karma Begone!) by Anonymous Coward · Score: 2, Troll

    I apologize in advance for this rant, but I'm currently in a battle with
    the executives at a client firm (I consult) over this exact issue. At
    once I feel both vindicated in that this is finally a real threat, and
    infuriated that I have to fight with these morons over questions that are
    really this obvious.

    Not to defend Microsoft, but the main reason that there is no default
    password on this sort of setup is because Microsoft assumes the
    following:

    1. This software will be run by monkeys (monkeys in power is our business
    model).
    2. Monkeys can't remember a password.
    3. Monkeys won't understand the need for one anyway.

    This is not directly Microsoft's fault, but rather the nature of business
    in general. M$ makes so much money off of this because business wants to
    employ monkeys (they're cheap, you see).

    Sadly, I have to crack Administrator passwords on NT, say, once every two
    weeks, because someone "forgot" it.

    Heck, Milnet was a playground for hackers because of default and blank
    passwords for almost two decades. Same reason.

    Sometimes, being a responsible, password-using, security-loving
    administrator in this world is--well--depressing. When I look around at
    my "peers", I see tons of dumbasses that shouldn't even have access to the
    Administrator password, let alone a keyboard. I mean, I actually have
    arguments with these people about even *NEEDING* passwords at all! I get
    defenses like "we're too small to be hacked" or "we don't have anything
    to lose if we get hacked"!

    I mean, seriously, while there are some pretty cool and froody NT admins
    out there, most NT installations began with some primate stuck in front of
    a computer and asked to "make it go".

    I think I just realized that without the M$ crutch, 75% of the so-called
    IT admins wouldn't even be able to find their ass. I hear all the time
    about how Windows has provided "easier tools" and "platform
    standardization". What really happened is that M$ turned the complex and
    exacting task of system administration into a game of "click the
    button" with all of the "hard choices" (like passwords) labeled with
    scary phrases like "Advanced" or "This will require more
    configuration". I suddenly realize that what M$ really did is lower the
    IQ requirement to become an administrator to the point that most of these
    clueless jerks defend M$ because it keeps them from having to shovel
    manure for a living. Really, M$ manipulated the industry by flooding it
    with idiots that must be firmly locked to the Redmond teat--knowing that
    they will do more than Billy G. and the Spin Squad could ever do to defend
    his monopoly!

    So is this situation Microsoft's fault? By design, maybe. Directly,
    no. It is precisely because business *wants* to employ cheap idiots that
    these bugs exist. It's just that M$ catered to that whim and developed a
    horde of pundits that cling to its ways for their own livelihood.

    The worst part is that I have personally passworded probably 40 SQL
    servers (most of which doubled as a public web server) for small
    businesses. I've created entire password policies for hundreds of
    users. It is infuriating to me that--despite gross evidence like
    this--whenever I do a security audit, I have to drag these people kicking
    and screaming to use passwords, remember them, make them secure,
    periodically change them and, for god's sake, don't write them down! Is
    that really so much to ask?

    Oh well, at least I get paid to fix it for the three clients I have that
    have INSISTED that their SQL servers have no passwords. The really ironic
    thing is that all three only use SQL server for an accounting package and
    their administration couldn't be bothered with passwords--and now all
    their accounting data is at risk. The ironic humor of this has not
    escaped me.