Slashdot Mirror


New Microsoft SQL Server Worm

Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

20 of 290 comments

  1. Re:Microsoft always a target by Osty · · Score: 5, Insightful

    Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up

    Who says you need source to fix problems? In this case, it's as simple as setting a password for the sa user. Anyway, the point is moot because this only affects SQL Server 7 and older. SQL Server 2000 makes you jump through hoops if you want to leave the sa password blank (as well, SQL auth isn't even the default. Instead, Windows domain auth is the default). Anyway, the point here is that source is absolutely not required to fix this problem. Just a small amount of brainpower, that's all.

  2. Too Incompetent To Keep Their Job by Carnage4Life · · Score: 5, Insightful
    IMHO, anybody who
    1. installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and

    2. exposes their corporate database to the web
    is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well, if you're hit by a BIND, sendmail or wu-ftpd exploit then your sys admin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway.
    1. Re:Too Incompetent To Keep Their Job by Lumpy · · Score: 5, Interesting

      you obviously don't deal with custom vertical apps. or the real world in particular.

      we have 5 SQL servers that are forced to run with no password. because our critical software that uses it is hard coded to not have a password for SQL server.

      I had asked the vendor 5 times within the past 3 years to change this, and then asked upper management to ask the vendor.

      What was I told? "It's not an important issue"

      so now I get to be spanked this monday when 10 sql servers all start to try and connect to irc through the firewall.

      So in response to you, I am more competent than 60% of the MS admins in my state. but when you have your hands tied by management you can't do crap but grab a mop and clean up after management's messes all the time... (examples? outlook, trying to run 700,000 users on a MS email server cluster, and brain dead morons wanting to have one super data center and pay for fat pipes to each office instead of having resources at each office. hmmm one disaster and this company is 100% screwed.)

      oh and your "yardsticks" comment...
      first the manager of the IS department or even the CTO should be the one getting publicly fired. as they are usually the ones tying the hands of the admins and preventing them from doing their jobs.

      if a shop gets hit with any exploit, fire the manager first and the techs last.

      --
      Do not look at laser with remaining good eye.
    2. Re:Too Incompetent To Keep Their Job by dillon_rinker · · Score: 4, Interesting

      I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against.

      Another poster has indicated that sometimes stupid management decisions prevent you from doing what you know is optimal. If YOU know something's stupid, but your manager tells you to do it anyway, get it in writing (or at least in email). Do NOT do anything potentially harmful to your company unless you have it in writing. Claim that it's part of your documentation procedures, that all non-vendor recommended configurations must be documented.

      If your boss refuses to provide direction in writing, send a memo or email confirming your conversation and letting the boss know that you're going to do what he said. When you're done, send another one saying so, reminding the boss that the situation is nonoptimal and encouraging him to provide you with the resources or permission to optimize things again. Be sure to keep a hard copy of this communication. If your boss is a big enough weenie, you might want to keep a copy at home.

      Keep in mind that a good email admin can alter emails on the server and leave no tracks, so if you're the email admin, instructions in email are irrelevant. Same is true (but for a different reason) if the email admin is in the boss's pocket.

      This advice is probably not applicable to a lot of readers who are already job-hopping and don't care if they do more. Good for you. Some of us, though, (myself included), like our positions and stay in them, and therefore must learn to weather a succession of pointy-haired bungee-boss types. So far I've outlasted three in two years.

      Finally, remember this:
      All human endeavors are political. Those who don't think they're playing politics are merely playing politics badly.

  3. Re:default password == blank by Katravax · · Score: 3, Informative

    Installers for the last couple versions of mssql do indeed ask you to set the sa password, but allow you to override that with the "blank password" checkbox. So since SQL 7.0, you have to go out of your way to have a blank password.

    I've done contract development at quite a few places that had publicly exposed sql servers with blank sa passwords.

  4. Re:Stupid....Marketing Department by Soko · · Score: 4, Insightful

    No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from their targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!"

    MS has always played to the LCD in computerdom - there are relatively few who have the wherewithal and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists its support on its vendors - saves them a bundle.

    Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting their insecure product - as well as upgrades in order to get more security.

    Criticize them as you want - but Microsoft has a good business model in getting everyone and their puppy into what should be advanced products. Then they try to educate their users as to why security is important. Backwards as it is, it seems to be working for them, too.

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  5. And in other news... by Anonymous Coward · · Score: 4, Troll
    Linux boxes compromised
    by THE_MESSENGER, Troll Staff Writer

    HELSINKI - It has just been learned that any Linux box with an unset "root" password is vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," John reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."

    However, knowledge of this flaw is fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ cryptanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."

    There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.

  6. Not so, not so... by trilucid · · Score: 4, Insightful

    "Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

    Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."

    Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.

    It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no try again...

    It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowledge concerning this among the management types, maybe they wouldn't take so much flak after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).

    Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
    If you're gonna email, use the public key!

    1. Re:Not so, not so... by WasterDave · · Score: 3, Interesting

      I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password.

      In the unlikely event of an ASP programmer:
      a, Giving a shit about security and
      b, Realising that in all probability the IIS box will be owned at some point, and therefore his source code will become (effectively) public knowledge...

      What options do these... delightful individuals... have for not having a plaintext password stored in the .asp source for connecting to the database? Can they, for instance, keep the password in the registry? (and hence it can be changed on a regular basis, good lord)

      For extra points, how to do it on php? Yes, I am in the process of developing something under php and am a tad concerned about this.

      Dave

      --
      I write a blog now, you should be afraid.
    2. Re:Not so, not so... by Lumpy · · Score: 4, Insightful

      uhh simple....
      don't let any ASP program or programmer have sa access.
      if you can't write your app to use a regular SQL account then get the hell out of the business.

      It is amazing how many "programmers" require administrative access to databases or resources for no reason whatsoever. give them a user account, if they forget their password, publicly humiliate them by yelling "what? are you so stupid that you can't remember a password? why did they hire you if you're that stupid?" This is reserved for programmers only... sales people and marketing are allowed to forget their password daily, we know they are that stupid, but a programmer has ZERO excuse.

      First, if the programmer asks for admin access, laugh them out of the office. if they ask again tell them to do it at home on their own time (Unpaid). if they ask a third time start back at the top.

      --
      Do not look at laser with remaining good eye.
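WasterDave asks above how an ASP or PHP page can avoid carrying a plaintext database password in its source, and Lumpy's answer is that the application should never hold sa access in the first place. The following is an added example, not code from the thread, from Microsoft or from any vendor: a small audit of the connection strings found in application files, flagging the two practices discussed (connecting as sa, blank password) plus a password embedded in the page source, and a loader that takes the credentials from the service account's environment instead. The file names, hosts, credentials and the DB_USER / DB_PASSWORD variable names are constructed assumptions.

```python
"""Audit of application connection strings for the two practices discussed
above: an app that connects as 'sa', and a blank SQL password.
Added example; not code from the thread or from Microsoft. The file names,
hosts and credentials below are constructed for the demonstration."""
import os

# Constructed sample: connection strings of the kind found in old ASP pages
# or global.asa files. DBSRV01/DBSRV02 are hypothetical hosts.
SAMPLE_CONFIG = {
    "orders.asp": "Provider=SQLOLEDB;Data Source=DBSRV01;Initial Catalog=Orders;"
                  "User ID=sa;Password=;",
    "reports.asp": "Driver={SQL Server};Server=DBSRV01;Database=Reports;"
                   "UID=report_ro;PWD=Tr0ub4dor&3;",
    "intranet.asp": "Provider=SQLOLEDB;Data Source=DBSRV02;Integrated Security=SSPI;",
}

USER_KEYS = ("user id", "uid", "user")          # OLE DB and ODBC spellings
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Keys are case-insensitive; a value like {SQL Server} is kept verbatim."""
    parts = {}
    for chunk in cs.split(";"):
        if not chunk.strip():
            continue
        key, _, value = chunk.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_string(cs):
    """Return the list of findings for one connection string (empty = clean)."""
    parts = parse_connection_string(cs)
    user = next((parts[k] for k in USER_KEYS if k in parts), None)
    password = next((parts[k] for k in PASSWORD_KEYS if k in parts), None)
    findings = []
    if user is None:
        return findings                  # Windows auth: no SQL credentials in the file
    if user.lower() == "sa":
        findings.append("connects as sa; use a dedicated low-privilege login")
    if not password:
        findings.append("blank password for SQL authentication")
    else:
        findings.append("password embedded in page source; move it out of the web tree")
    return findings


def audit_config(config):
    """Audit every file -> connection string pair; returns {file: [findings]}."""
    return {name: audit_connection_string(cs) for name, cs in config.items()}


# Template with no credentials in it; the service account's environment
# supplies DB_USER / DB_PASSWORD at run time (hypothetical variable names).
ORDERS_TEMPLATE = ("Provider=SQLOLEDB;Data Source=DBSRV01;Initial Catalog=Orders;"
                   "User ID={user};Password={password};")


def connection_string_from_env(template, env=None):
    """Build the connection string from environment variables instead of source,
    and refuse to run as sa or with an empty password."""
    env = os.environ if env is None else env
    user = env.get("DB_USER", "")
    password = env.get("DB_PASSWORD", "")
    if not user or user.lower() == "sa" or not password:
        raise ValueError("refusing to connect as sa or with an empty password")
    return template.format(user=user, password=password)


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

The same parser works on ODBC DSN-less strings and OLE DB strings, which is why both key spellings are checked. The point of the environment loader is the refusal branch: even if someone later sets DB_USER=sa in the service's environment, the page will not start with it.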
  7. Re:default password == blank by CaptainSuperBoy · · Score: 3, Interesting

    SQL 7 and 8 (aka 2000) do ask you for a password, and scold you if you leave it blank. However they do accept connections from anyone by default. I can't find a way to restrict access by IP, though. I guess you just have to set a decent password. Maybe I'm wrong, but it's too bad - if the web server is the only machine that needs to hit the sql server, it really shouldn't accept connections from anyone else. I've heard "but we're behind a firewall" too many times as an excuse for poor security internally. Users punch holes through firewalls, and nothing protects you against a malicious employee.
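Lumpy's account above of ten SQL servers trying to reach IRC through the firewall, and CaptainSuperBoy's point that only the web server should be able to reach the SQL port at all, are both things a firewall log can show even when the server itself cannot filter by IP. The following is an added example, not code from the thread: it parses a constructed log format and reports database servers acting as IRC clients and any host other than the web server touching TCP 1433. The log format, addresses, host roles, internal network range and IRC port list are all constructed assumptions.

```python
"""Checks over firewall log lines for the two things the thread describes:
database servers opening outbound IRC connections (what an infected server
does) and connections to TCP 1433 from hosts other than the web server.
Added example; not code from the thread. The log format, addresses and
host roles are constructed for the demonstration."""
import ipaddress
from collections import defaultdict

# Constructed log format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2001-11-20T09:01:05 ALLOW TCP 10.0.5.11:2301 -> 203.0.113.9:6667
2001-11-20T09:01:06 ALLOW TCP 10.0.5.12:2302 -> 203.0.113.9:6667
2001-11-20T09:01:07 ALLOW TCP 10.0.1.20:3100 -> 10.0.5.11:1433
2001-11-20T09:01:09 ALLOW TCP 10.0.9.77:3101 -> 10.0.5.11:1433
2001-11-20T09:01:10 ALLOW UDP 10.0.5.11:1040 -> 10.0.0.1:53
2001-11-20T09:02:15 DENY  TCP 198.51.100.4:51000 -> 10.0.5.12:1433
"""

DB_SERVERS = {"10.0.5.11", "10.0.5.12"}     # hosts running SQL Server (assumed roles)
ALLOWED_SQL_CLIENTS = {"10.0.1.20"}         # the one web server that may reach 1433
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}       # common IRC server ports
SQL_PORT = 1433


def parse_line(line):
    """Parse one constructed log line into a dict; ports become ints."""
    time, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "action": action, "proto": proto,
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def parse_log(text):
    """All non-empty lines of a log, parsed."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    """Membership in our own ranges, not ipaddress.is_private, which also
    counts the documentation ranges used in this sample as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def irc_from_db_servers(records):
    """A database server has no business being an IRC client; return each
    (src, dst, dport) where one of ours talks TCP to an IRC port."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["proto"] == "TCP" and r["src"] in DB_SERVERS and r["dport"] in IRC_PORTS]


def unexpected_sql_clients(records):
    """Anything but the web server reaching 1433 on a DB server, allowed or
    denied: denied attempts still show who is probing. Internal sources are
    reported too, since being inside the firewall is not a credential."""
    hits = defaultdict(list)
    for r in records:
        if (r["dst"] in DB_SERVERS and r["dport"] == SQL_PORT
                and r["src"] not in ALLOWED_SQL_CLIENTS):
            origin = "internal" if is_internal(r["src"]) else "external"
            hits[r["src"]].append((r["action"], r["dst"], origin))
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IRC from DB servers:", irc_from_db_servers(recs))
    print("Unexpected 1433 clients:", unexpected_sql_clients(recs))
```

On the sample, both database servers show up as IRC clients, and two unexpected 1433 clients are reported: an internal workstation whose connection the firewall allowed, and an external address that was denied. The internal hit is the one CaptainSuperBoy's "but we're behind a firewall" objection would miss.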

  8. Re:Hey Maybe These Admins... by Wonko42 · · Score: 3, Insightful
    Ever installed MySQL? It comes configured by default with no root password, just like MSSQL. If someone wrote a worm that took advantage of improperly-secured MySQL servers, that worm would do just as much damage (if not more, considering how widespread MySQL is) as this MSSQL worm. It's the administrator's problem, not the software's.

    Coincidentally, when you run the installer for MSSQL 2000, it prompts you to change the administrator password. Anyone who doesn't is an ignorant fool.

  9. empty or default by macpeep · · Score: 3, Redundant

    The problem isn't really that the password is empty. It would be just as bad with *any* default password. Remember "scott" "tiger" on Oracle?

  10. Re:Password by leucadiadude · · Score: 4, Insightful

    Nobody deserves to be hacked. I found it quite sad that this story has no posts (so far) commenting that the person(s) who created and released a malicious piece of software are a**holes. Hopefully it's that this goes without saying.

    Yes, I agree with the sentiment that if you do not secure your boxen, you are an idiot. But if you don't, you do not deserve to be victimised.

    If I accidentally leave my front door unlocked, do I deserve to be robbed/vandalised?

  11. MSDE doesn't listen to 1433 by Otis_INF · · Score: 3, Informative

    The installment you refer to doesn't listen to a TCP/IP port, you have to configure that yourself in the registry. Therefore these installments are not vulnerable.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:MSDE doesn't listen to 1433 by Dahan · · Score: 3, Informative
      Seriously, check out the KB article I referenced. It explicitly mentions that you can't use named pipes on Win9x (as a server-side net library... i.e., MSDE can't listen on a named pipe on Win9x). And the "default" install of MSDE (1.0, at least) has "NetworkLibs=4095" in the unattend.iss file, which translates to Named Pipes, TCP/IP, and Multiprotocol.

      As for the real SQL Server, I just installed SQL Server 7.0 Developer Edition on a test Win2K Server machine--if I pick custom install, it lets me choose which network libs to install, and by default, Named Pipes is checked (and can't be unchecked), TCP/IP Sockets is checked, and Multi-Protocol is checked. I cancelled that and restarted the setup using all the default/typical settings, and after it was all done, I started the service and it was happily listening on TCP port 1433 with no password on the sa account.

      So MSDE and SQL Server default to a couple of protocols; TCP/IP is one of them. You do not have to specifically tell them to listen on TCP/IP.

  13. Why there are unset passwords by Tom7 · · Score: 4, Interesting

    Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.

    There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for businesses, (so, there might be a company that specializes in a database product for food manufacturers, etc.).

    These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server, they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and voilà, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).

    So yes, this is stupid, but it is not as braindead as installing redhat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.

  14. Use nmap before you buy something online. by Error27 · · Score: 3, Interesting
    According to the most recent netcraft survey 1 in 10 servers running IIS as an e-commerce website or a secure website still has a back door installed from the Code Red virus.

    I don't know how they got the figures. But Netcraft is traditionally very even handed and reasonable.

    This new virus probably won't help those figures very much.

    So remember... If you buy from a web site running IIS you have a 10% chance that your credit card number is going to be sent directly to a guy who calls himself Hax0rDo0d.

    I don't want to flame MS for this since customers demand that no password be installed by default. But on the other hand there's no need to go overboard and buy from hax0red web sites just to be nice.

  15. Re:Why Microsoft is being targeted by Chris+Johnson · · Score: 3, Insightful
    Microsoft are traditionally NOT the majority in SERVERS.

    The reason all these worms target Microsoft is not because they hold the majority, it's because it's like shooting fish in a barrel...