New Microsoft SQL Server Worm
Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
I think if someone got this one, they probably deserve it. If it attacks computers that don't have passwords, they could have prevented it. NetBIOS shares are a big hole too, without a password. It's a given.
Trying is the First Step to Failing --Homer Simpson
I must take pity on Microsoft for their situation - being so large and omnipresent, they are a constant target of attack. Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up, but that is a whole philosophical problem for Microsoft, so I can only pity them, not aid them.
-Leo
Ooh, ooh! I know! We can call it the Dumbass Worm!
Seriously though, If you don't set up an admin password on your server, you deserve to be hacked. Mercilessly.
SIGFEH
I mean, any software listening to the internet for administration purposes without a password should buy the admin a nice warm place between cardboard boxes and the joys of unemployment.
- installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and
- exposes their corporate database to the web
is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well: if you're hit by a BIND, sendmail or wu-ftpd exploit then your sysadmin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway.
P.S. Does anyone know if there's a way to keep MSDE from listening on TCP/IP connections? There's Named Pipes, but from what I was able to tell, that only works on WinNT, and not on 9x.
It's the FBI's Magic Lantern at work. Does anyone doubt that Al Qaeda's terrorist cells run IIS? Honi soit qui mal y pense.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
They do, except for in SQL Server '97. All recent versions make you set a password by default. This worm will only exploit SQL Server '97.
Installers for the last couple versions of mssql do indeed ask you to set the sa password, but allow you to override that with the "blank password" checkbox. So since SQL 7.0, you have to go out of your way to have a blank password.
I've done contract development at quite a few places that had publicly exposed SQL servers with blank sa passwords.
By default PostgreSQL doesn't have access controls turned on. Fortunately, in a self-compiled installation it doesn't allow remote connections; however, I'm not sure if that is true for packaged versions.
Anyone who exposes database servers to the Internet is crazy.
...should switch to Linux/Apache. That way all they would have to do is remember to keep the patches current... umm... nevermind.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from their targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!"
MS has always played to the LCD in computerdom - there are relatively few who have the wherewithal and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists its support on its vendors - saves them a bundle.
Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting their insecure product - as well as upgrades in order to get more security.
Criticize them as you want - but Microsoft has a good business model in getting everyone and their puppy into what should be advanced products. Then they try to educate their users as to why security is important. Backwards as it is, it seems to be working for them, too.
"Depression is merely anger without enthusiasm." - Anonymous
by THE_MESSENGER, Troll Staff Writer
HELSINKI - It has just been learned that any Linux box with an unset "root" password is vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," John reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."
However, knowledge of this flaw is fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ cryptanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."
There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.
"Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."
Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.
It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no, try again...
It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowledge concerning this among the management types, maybe they wouldn't take so much flack after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).
Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
If you're gonna email, use the public key!
I apologize in advance for this rant, but I'm currently in a battle with the executives at a client firm (I consult) over this exact issue. At once I feel both vindicated in that this is finally a real threat, and infuriated that I have to fight with these morons over questions that are really this obvious.
Not to defend Microsoft, but the main reason that there is no default password on this sort of setup is because Microsoft assumes the following:
1. This software will be run by monkeys (monkeys in power is our business model).
2. Monkeys can't remember a password.
3. Monkeys won't understand the need for one anyway.
This is not directly Microsoft's fault, but rather the nature of business in general. M$ makes so much money off of this because business wants to employ monkeys (they're cheap, you see).
Sadly, I have to crack Administrator passwords on NT, say, once every two weeks, because someone "forgot" it.
Heck, Milnet was a playground for hackers because of default and blank passwords for almost two decades. Same reason.
Sometimes, being a responsible, password-using, security-loving administrator in this world is--well--depressing. When I look around at my "peers", I see tons of dumbasses that shouldn't even have access to the Administrator password, let alone a keyboard. I mean, I actually have arguments with these people about even *NEEDING* passwords at all! I get defenses like "we're too small to be hacked" or "we don't have anything to lose if we get hacked"!
I mean, seriously, while there are some pretty cool and froody NT admins out there, most NT installations began with some primate stuck in front of a computer and asked to "make it go".
I think I just realized that without the M$ crutch, 75% of the so-called IT admins wouldn't even be able to find their ass. I hear all the time about how Windows has provided "easier tools" and "platform standardization". What really happened is that M$ turned the complex and exacting task of system administration into a game of "click the button" with all of the "hard choices" (like passwords) labeled with scary phrases like "Advanced" or "This will require more configuration". I suddenly realize that what M$ really did is lower the IQ requirement to become an administrator to the point that most of these clueless jerks defend M$ because it keeps them from having to shovel manure for a living. Really, M$ manipulated the industry by flooding it with idiots that must be firmly locked to the Redmond teat--knowing that they will do more than Billy G. and the Spin Squad could ever do to defend his monopoly!
So is this situation Microsoft's fault? By design, maybe. Directly, no. It is precisely because business *wants* to employ cheap idiots that these bugs exist. It's just that M$ catered to that whim and developed a horde of pundits that cling to its ways for their own livelihood.
The worst part is that I have personally passworded probably 40 SQL servers (most of which doubled as a public web server) for small businesses. I've created entire password policies for hundreds of users. It is infuriating to me that--despite gross evidence like this--whenever I do a security audit, I have to drag these people kicking and screaming to use passwords, remember them, make them secure, periodically change them and, for god's sake, don't write them down! Is that really so much to ask?
Oh well, at least I get paid to fix it for the three clients I have that have INSISTED that their SQL servers have no passwords. The really ironic thing is that all three only use SQL server for an accounting package and their administration couldn't be bothered with passwords--and now all their accounting data is at risk. The ironic humor of this has not escaped me.
SQL Server is a database engine. Apache is a web server. Replacing one with the other wouldn't do you much good.
SQL 7 and 8 (aka 2000) do ask you for a password, and scold you if you leave it blank. However they do accept connections from anyone by default. I can't find a way to restrict access by IP, though. I guess you just have to set a decent password. Maybe I'm wrong, but it's too bad - if the web server is the only machine that needs to hit the sql server, it really shouldn't accept connections from anyone else. I've heard "but we're behind a firewall" too many times as an excuse for poor security internally. Users punch holes through firewalls, and nothing protects you against a malicious employee.
It just occurred to me that MySQL actually doesn't allow connections from anywhere other than localhost by default, so my statement that a MySQL worm could do more damage than this MSSQL worm was probably in error. Ignore me. Even so, this is still a user problem more than a software problem.
not corporate database servers at all (some probably, but not most). It's most likely going to hit Joe SixPack that installed his warez copy of Windows XP and SQL Server 2000 on his primary computer which is hooked up to his cable modem 24/7 and he has no idea that SQL server has a password at all.
I am not bashing Mac users here, but face it, there are more Windows/Unix users than there are Mac OS users.
Thus saying that, with fewer users using that OS, there is less chance of a security problem occurring due to the low usage of Macintoshes as servers. I am certain there are a lot of undiscovered bugs in Mac OS that we're not aware of; it is only a matter of time before they're found, or they are never found out at all.
IIRC, the last bug or exploit that I have seen involving the Mac OS was an exploit in Microsoft Internet Explorer. That is a third-party issue though.
I feel the urge to move back to Macintosh now, though. OS X looks very purdy.
The problem isn't really that the password is empty. It would be just as bad with *any* default password. Remember "scott"/"tiger" on Oracle?
The installment you refer to doesn't listen on a TCP/IP port; you have to configure that yourself in the registry. Therefore these installments are not vulnerable.
Never underestimate the relief of true separation of Religion and State.
A blank password shouldn't be allowed in the first place. Nor should a default (known) username.
SQL 2k does force you to click a checkbox if you want to leave sa's password blank, and SQL 7 has a nice explanation of why it's bad.
So if someone is a worm victim, they either unthinkingly opened an attachment or didn't keep their machines up to date. Either way it was preventable.
;)
Actually, Microsoft has created a lot of reluctance amongst more experienced users to keep up to date.
Many service packs have actually broken systems in the past - making people who know what they are doing reluctant to apply a service pack until they are sure that it really works.
Also, many security updates depend on these service packs. In fact, some of Microsoft's own update reporting systems will not see the patches until they are running on an up-to-date service pack.
It becomes a catch-22 - either way, you are damned (well, you certainly would have been in the past). Maybe Microsoft will not make these sorts of errors again. Hmmm, did I just say that?
So, I'm not sure it's totally preventable on MS software.
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
Use IPSEC's port filtering to block 1433 connections if you can't afford, or don't trust, your firewall.
Although it's hard to look into the future, I have a feeling we're at the start of something new and icky. Don't forget that a lot of websites using IIS also have a connection to some SQL server in order to store/retrieve data. This exploit may only be capable of doing harm without an SU password; don't toss it away with "blech, there's no harm in that" and forget all about it. It just might haunt us after all.
"it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
Only the "majority", not "virtually all"? MCSE certification takes another step downwards! And it's already on the 23rd sub basement!
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
can you even charge someone with breaking and entering if your house doesn't actually have a DOOR?
I second the motion to name this the "dumbass worm"
I hesitated to suggest that because of the performance hit, but it is an option if you can spare the CPU cycles.
I just recently installed a sample web application from M$, yes it was .Net, and it came with one of these MSDE databases. When I opened up the server manager I was surprised to see several IP addresses in it. There are several @home users with SQL Server installed and many with no sa password; don't ask me how I know that. Many of these boxes also have infected IIS installs too. As if I don't get enough Code Red/Nimda hits as it is. I'm glad I uninstalled that thing, because I am sure it didn't have a password and I am not sure how I could set it.
Does anyone know about the functionality of the little engines, and are they affected by this worm?
LT
There is a lot of stupid custom software written that needs MS SQL server with an admin account that has an empty or fixed password. I have installed this stuff before.
It's crappy stuff, but I don't pick it, and I don't think I have the business understanding to know how to pick something better that is still useful to the company.
All you can do is try to turn off remote access or firewall the thing...
I can't find a way to restrict access by IP.
A properly designed network doesn't need this. First, all SQL servers should be subnetted into an internal address space, only routeable by other internal machines like the web server. Then your firewall has port 80 open and NAT's to your web server. Unless you compromise the web server and are able to write malicious code on it, there's no way to get to even ping the SQL server.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.
There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for businesses (so, there might be a company that specializes in a database product for food manufacturers, etc.).
These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server; they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and voilà, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).
So yes, this is stupid, but it is not as braindead as installing Red Hat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.
administrator in this world is--well--depressing. I mean, I actually have arguments with these people about even *NEEDING* passwords at all!
Loving security is good. Loving passwords is lame. Before I get flamed, let me say that I DO believe that security is an important issue. My gripe is specifically about passwords as the main and (usually) only way to enforce that security.
Given that the standard marketing manager has at least five passwords to remember - system login, CRM system login, order system login, HR system login, pr()n site login :-) - it's a wonder that you have any security at all left. If admins really want to have an effect on security, get your organization to move away from passwords and onto smart cards or biometric validation. It's a lot easier on you and your users.
That is all.
I worked at a company whose software required the SQL password be set to 'sa'. This was software that dealt with millions of dollars of assets. I pointed this security flaw out several times and was ignored.
I don't work there anymore.
-- Will program for bandwidth
I don't know how they got the figures. But Netcraft is traditionally very even handed and reasonable.
This new virus probably won't help those figures very much.
So remember... If you buy from a web site running IIS you have a 10% chance that your credit card number is going to be sent directly to a guy who calls himself Hax0rDo0d.
I don't want to flame MS for this since customers demand that no password be installed by default. But on the other hand there's no need to go overboard and buy from hax0red web sites just to be nice.
The reason all these worms target Microsoft is not because they hold the majority, it's because it's like shooting fish in a barrel...
There's another reason why sysadmins go for the password-free, no-security approach. It's easier, in the short term, yes, but there's also remote administration. Many sysadmins either (a) refuse to give out passwords to the people who actually use/run the servers, or (b) make those passwords empty so that they can control the machines from somewhere else in the organization without fear of interference from the local users. Going with route (a) is better from a security standpoint, but tends to infuriate the local users; if you leave the password empty, then as long as the local users aren't clued enough to turn it on themselves you're fine.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
I so agree with you. But you'll find unsecured SQL Server databases exposed to the public Internet all the time. I've seen it particularly with Small Business Server (package of Microsoft Back Office products, including SQL Server). A small company buys a package deal from a local vendor--they start hosting their own web pages, using SQL Server, and never even wondering about anything like security.
There is plenty of fault to go around here: the small business bears some responsibility--they're buying a tool without providing the resources to use the tool appropriately. But there are lots of small vendors out there that fancy themselves as Microsoft OEMs and ISVs, assembling kit computers, doing the basic install with zero configuration (or security updates) and plugging the box into the client's network. This is precisely the market for Microsoft's Small Business Server--a low budget tool, and frequently completely unprotected.
And sometimes it's the client
Sometimes the client absolutely insists on shooting himself in the foot. I have a proposal outstanding to a warehousing firm--they're dragging their feet, and part of the reason is that they don't want to pay for two servers. (One is publicly accessible, the other [which has the SQL Server installed] is not.) Why can't we use the same box as the web server and the SQL Server? Well, gosh--because then anybody with SQL Enterprise Manager can connect on port 1433, and keep retrying passwords as long as he wants--the login dialog never times out.
You heard it here first: this worm will affect a lot more companies that you'd think.
What really blows my mind is how many programmers use the blank sa password, so that the SQL administrators have no choice about leaving it blank. OK, so I have taken a few too many support calls of this nature, but really....
LedgerSMB: Open source Accounting/ERP
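A defender-side check for the two points raised in the posts above: the sa login on port 1433 can be retried indefinitely, and only the web server should ever be connecting to the SQL server. This is an added example, not code from any poster; it scans SQL Server error-log "Logon" lines in the later (2005+) format that carries a "[CLIENT: ip]" suffix, and the log lines, IP addresses, allowlist and thresholds below are constructed sample data.

```python
"""Flag sa brute-force bursts and sa logins from unexpected clients.

Added example for this thread (not from any poster). Assumes the SQL Server
error-log "Logon" line format that ends in "[CLIENT: <ip>]"; the sample
log, IP addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Login failed for user 'x'. ... [CLIENT: ip]" and
# "Login succeeded for user 'x'. ... [CLIENT: ip]"; other lines (e.g. the
# "Error: 18456, Severity: 14, State: 8." header line) are ignored.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: six sa failures from one outside host within seconds,
# then a successful sa login from that host; the web server (10.0.0.5) is
# the only client that is supposed to reach the database.
SAMPLE_LOG = """\
2001-11-21 10:15:00.01 Logon       Error: 18456, Severity: 14, State: 8.
2001-11-21 10:15:00.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:00.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:01.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2001-11-21 10:15:03.00 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2001-11-21 10:16:10.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2001-11-21 10:16:12.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2001-11-21 10:16:15.00 Logon       Login succeeded for user 'webapp'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""


def parse_logon_line(line):
    """Return (timestamp, 'failed'|'succeeded', user, client_ip) or None."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["client"]


def find_bruteforce(lines, user="sa", threshold=5, window=60):
    """Map client IP -> peak count of failed logins for `user` seen inside
    any `window`-second span; only clients reaching `threshold` are returned."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_logon_line(line)
        if parsed is None or parsed[1] != "failed" or parsed[2] != user:
            continue
        ts, _, _, client = parsed
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            alerts[client] = max(alerts.get(client, 0), len(q))
    return alerts


def foreign_sa_logins(lines, allowed, user="sa"):
    """Client IPs (first-seen order, no duplicates) that logged in as `user`
    successfully but are not in the `allowed` set of expected clients."""
    seen = []
    for line in lines:
        parsed = parse_logon_line(line)
        if parsed and parsed[1] == "succeeded" and parsed[2] == user:
            client = parsed[3]
            if client not in allowed and client not in seen:
                seen.append(client)
    return seen


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute-force:", find_bruteforce(lines))
    print("sa from outside allowlist:", foreign_sa_logins(lines, {"10.0.0.5"}))
```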
No. Mac may have some "security through rarity", but OS X is not obscured. Neither are its web services nor its SQL implementations.
So I have to ask, what are you talking about?
Yep, we give them a login, aliased to SA, and SA has a password, but they do have "an" SA password.
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
I'm not one for putting all of my eggs in one basket. My desktop is behind a firewall, but you can bet the IIS it's running is patched against code red. The SQL Server personal on my machine has a password set. I probably don't need to take these precautions, but I should do it anyway.
This post deserves a heap of insightfuls. I used to think that ease-of-use isn't important for linux - before I read this post. I used to think 'Linux will get easy when it's done'. Now I realize that every day it's not easy is another day for micros~1 to increase its marketshare and profitability which it will use to squelch its perceived competition.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)