Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Microsoft SQL Server Worm

Posted by timothy on from the worms-crawl-in-and-the-worms-crawl-out dept.

Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

10 of 290 comments (clear)

  1. Re:Microsoft always a target by Osty · · Score: 5, Insightful

    Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up

    Who says you need source to fix problems? In this case, it's as simple as setting a password for th sa user. Anyway, the point is moot because this only affects SQL Server 7 and older. SQL Server 2000 makes you jump through hoops if you want to leave the sa password blank (as well, SQL auth isn't even the default. Instead, Windows domain auth is the default). Anyway, the point here is that source is absolutely not required to fix this problem. Just a small amount of brainpower, that's all.

  2. Too Incompetent To Keep Their Job by Carnage4Life · · Score: 5, Insightful
    IMHO, anybody who
    1. installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and

    2. exposes their corporate database to the web
    is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well, if you're hit by a BIND, sendmail or wu-ftpd exploit then your sys admin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway.
    1. Re:Too Incompetent To Keep Their Job by Lumpy · · Score: 5, Interesting

      you obviously dont deal with custom vertical apps. or the real world in particular.

      we have 5 SQL servers that are forced to run with no password. because our critical software that uses it is hard coded to not have a password for SQL server.

      I had asked the vendor 5 times within the past 3 years to change this, and then asked upper management to as the vendor.

      What was I told? "It's not an important issue"

      so not I get to be spanked this monday when 10 sql servers all start to try and connect to irc through the firewall.

      So in response to you, I am more competent than 60% of the MS admins in my state. but when you have your hands tied by management you cant do crap but grab a mop and clean up after managements messes all the time... (examples? outlook, trying to run 700,000 users on a MS email server cluster,and brain dead morons wanting to have one super data center and pay for fat pipes to each office instead of having resources at each office. hmmm one disaster and this company is 100% screwed.)

      oh and your "yardsticks" comment...
      first the manager of the IS department or even the CTO should be the one getting publically fired. as they are usually the ones tying the hands of the admins and preventing them from doing their jobs.

      if a shop get's hit with any exploit, fire the manager first and the techs last.

      --
      Do not look at laser with remaining good eye.
    2. Re:Too Incompetent To Keep Their Job by dillon_rinker · · Score: 4, Interesting

      I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against.

      Another poster has indicated that sometimes stupid management decisions prevent you from doing what you know is optimal. If YOU know something's stupid, but your manager tells you to do it anyway, get it in writing (or at least in email). Do NOT do anything potentially harmful to your company unless you have it in writing. Claim that it's part of your documentation procedures, that all non-vendor recommended configurations must be documented.

      If your boss refuses to provide direction in writing, send a memo or email confirming your conversation and letting the boss know that you're going to do what he said. When you're done, send another one saying so, reminding the boss that the situation is nonoptimal and encouraging him to provide you with the resources or permission to optimize things again. Be sure to keep a hard copy of this communication. If your boss is a big enough weenie, you might want to keep a copy at home.

      Keep in mind that a good email admin can alter emails on the server and leave no tracks, so if you're the email admin, instructions in email are irrelevant. Same is true (but for a different reason) if the email admin is in the boss's pocket.

      This advice is probably not applicable to a lot of readers who are already job-hopping and don't care if they do more. Good for you. Some of us, though, (myself included), like our positions and stay in them, and therefore must learn to weather a succession of pointy-haired bungee-boss types. So far I've outlasted three in two years.

      Finally, remember this:
      All human endeavors are political. Those who don't think they're playing politics are merely playing politics badly.

  3. Re:Stupid....Marketing Department by Soko · · Score: 4, Insightful

    No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from thier targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!

    MS has always played to the LCD in computerdom - there are relatively few who have the wherewithall and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists it's support on it's vendors - saves them a bundle.

    Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting thier insecure product - as well as upgrades in order to get more security.

    Critisize them as you want - but Microsoft has a good business model in getting everyone and thier puppy into what should be advanced products. Then they try to educate thier users as to why security is important. Backwards as it is, it seems to be working for them, too.

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  4. And in other news... by Anonymous Coward · · Score: 4, Troll
    Linux boxes compromised
    by THE_MESSENGER, Troll Staff Writer

    HELSINKI - It has just been learned that any Linux box with an unset "root" password in vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," John reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."

    However, knowledge of this flaw fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ crytoanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."

    There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.

  5. Not so, not so... by trilucid · · Score: 4, Insightful


    "Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

    Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."

    Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.

    It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no try again...

    It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowlege concerning this among the management types, maybe they wouldn't take so much flack after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).

    Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
    If you're gonna email, use the public key!

    1. Re:Not so, not so... by Lumpy · · Score: 4, Insightful

      uhh simple....
      dont let any ASp program or programmer have sa access.
      if you cant write your app to use a regular SQL account then get the hell out of the business.

      It is amazing how many "programmers" require administrative access to databases or resources for no reason whatsoever. give them a user account, if they forget their password, publically humiliate them by yelling "what? are you so stupid that you cant remember a password? why did they hire you if your that stupid?" This is reserved for programmers only... sales people and marketing are allowed to forget their password daily, we know they are that stupid, but a programmer has ZERO excuse.

      First, if the programmer asks for admin access, laugh them out of the office. if they ask again tell them to do it at home on their own time (Unpaid). if they ask a third time start back at the top.

      --
      Do not look at laser with remaining good eye.
  6. Re:Password by leucadiadude · · Score: 4, Insightful

    Nobody deserves to be hacked. I found it quite sad that this story has no posts (so far) commenting that the person(s) who created and released a malicious piece of software are a**holes. hopefully it's that this goes without saying.

    Yes, I agree with the sentiment that if you do not secure your boxen, you are an idiot. But if you don't, you do not deserve to be victimised.

    If I accidentally leave my front door unlocked, do I deserve to be robbed/vandalised?

  7. Why there are unset passwords by Tom7 · · Score: 4, Interesting


    Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.

    There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for busineses, (so, there might be a company that specializes in a database product for food manufacturers, etc.).

    These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server, they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and viola, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).

    So yes, this is stupid, but it is not as braindead as installing redhat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.