New "SQLsnake" Microsoft Worm
sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords.
Here is the (vague) Microsoft bulletin,
the SANS analysis,
and a securityfocus article"
Already over a thousand compromised systems - you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.
Same ball game, different inning.
EOU
(adopts Chris Morris voice) "Using a *special tool*"
McAfee's description. The AV vendors are calling it Spida, instead of snake.
Get your clubs - the bigger the better and start clubbing your favorite whipping boy. :P
Seriously, if they have the offending email account hosted on a free e-mail server, it would be easy to stop the propagation by disabling it.
Return the bells of Balangiga.
Who needs MS SQL Server? Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)
Long live human stupidity.
Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users.
It's almost unbelievable that sysadmins do not use strong passwords for system accounts. In this era of rampant viruses and worms, you'd figure they'd get the hint by now.
I am the evil aardvark!
Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid" as opposed to SQLsnake.
Do you like German cars?
The worm only attacks SQL Servers with blank sa (administrator) passwords. It isn't a security hole that needs patching. It's just poor administrators.
SQLTeam.com - For SQL Server developers and Administrators
Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.
First of all, a DB should never be outside a firewall. It's not necessary.
Second of all, this issue is aided by databases installed with blank admin passwords.
I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...
According to Sophos (www.sophos.com) there are two versions out.
the first one just attempts the 'default' null passwd and 'sa' username (the administrator).
The second tries a brute force attack on the passwd.
So no change from trying to telnet into a *nix box as root then....
I've gotten over 80k probes in two days at work and several hundred on my single IP address at home.
I kind of gave up and just ACL'd it on the border router since the volume makes it almost a DoS of my intrusion detection.
From the article.. "Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users."
But what they didn't address is why would you even expose the SQLServer to the internet to begin with? A SQL server user can do a lot of damage with the sa account. Might as well give them a CMD prompt. There's really no need to have that port open to the outside at all.
I wonder how many internet servers answer port 1521 to SYS/CHANGE_ON_INSTALL. Could PL/SQLsnake be next?
'Same speed C but faster'
<sarcasm>
Holy shit! A flaw in Microsoft software? How did this happen??? Aren't Microsoft systems the most secure systems available???
</sarcasm>
GOD DAMNIT , MODERATE ME!
I've got ethereal listening on port 1433 (my capture filter just reads 'port 1433') and I've seen no traffic on that port. Well, to be 100% truthful, some napshare hosts are connecting from port 1433, but they're not looking for ms-sql!
I'm waiting for the day when people stop saying "We got another worm." and start saying "We just got Microsofted again".
Outdoor digital photography, mostly in New Engl
I'm shocked, shocked, that you would imply that Microsoft would do something so stupid.
get yer weekly M$ patch for the weekly worm\virus what else is new???
this is getting to be a routine for M$FT's crapware...
to Unix systems to be calling the MS SQL server a daemon?
I am the Alpha and the Omega-3
Stupid fucking admins... there's a tool available for W2K boxes that checks to make sure all security patches have been applied to all server software up to the minute. All you gotta do is run it! It works great. Dumb fuckers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303215
This virus is completely reliant upon the "sa" administrator account to the SQL Server being left with a blank password. Frankly, anyone who leaves their system in this configuration is lazy and deserves to contract a virus to teach them a lesson. Now whether or not your average MCSE falls into that category . . .
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.
Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.
Then, when the LAN wasn't hooked to the Internet, and some poor schmuck installed MS BackOffice and wanted to install SMS Server, it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.
Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!
Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.
I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.
Learning HOW to think is more important than learning WHAT to think.
This worm (or snake) uses javascript as its testing and construction tool. Is this the first major worm to do this? I'm asking only about worms, not web exploits or the like.
SARC Analysis
Sophos' Write-Up
If over 1,000 boxen are already compromised, I have to wonder about SARC's statement that this is 'unlikely to spread.'
--Kylus
Idiot-proof something, and Life will build a better Idiot.
First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.
Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.
Don't complain that you got rooted when your login is root/root.
Natural != (nontoxic || beneficial)
What was ASP is now Perl.(look at the link before you click, then look at the address bar after you arrive). What was SQL Server is now MySQL. And what was IIS is now Apache.
I'm sleeping much better these days now that I don't have to scramble every week there is another hideous security flaw announced. Not to mention they(MS) recently stated if they opened their source, even worse flaws would be revealed.
As the new Rush song(Secret Touch) says, "The way out is the way in".
No, Thursday's out. How about never - is never good for you?
Is there a practical scenario where you would want your SQL server to be listening on the outside interface? Or does it just bind to 0.0.0.0:1433 by default?
-mlr
A few things;
/.'s, I have to put forth the real issue here which is bad sysadmin. True, m$'s strategy is 'fast, easy, fun', and while it is probably better practice to lock everything down on install vs. not, it's not a m$ problem so much as it is an admin problem.
One, ok, so, another m$ "exploit". Why does it always have to have this "see, we told you" attitude? After a while, you get tired of finger pointing. Especially when it's all action and little thought. Think? Nah, I'll just complain first and then eat my foot later.
Two, any IDIOT that puts their SQL server on a public network deserves to get it cracked. This would be the same for any db on a public network. I mean, c'mon, a null sa password?! If someone told you to jump off a cliff, would you? Common sense yo! Jeeze..
Fellow
I've worked for companies which take the easy road (hire dumb people to do smart things) and the hard road (smart peeps, smart things) and that's what this is all about. Not m$ as much as the companies that are cost cutting everywhere (except when it comes to executive perks), especially IT.
It is true that m$ does have a lot of security through obscurity issues, but it would be time well spent jumping on the cracked systems than m$. Because, honestly, they don't care. These systems can be made as secure/insecure as the sysadmin wants, so it's really their fault.
I've been noticing a more-than-usual amount of probes to port 1433 on my firewall during the past couple of days, although it seems to have really spiked up since last night. DShield seems to prove this, as their "movie" demonstrates.
In Soviet Russia, Jesus asks: "What Would You Do?"
Some of the DBA's I have worked with love a blank SA password. They also love to write scripts that attach with SA and a blank password. I hope this will teach them to stop being stupid...
I guess they can use next.
What OS do you want to abuse today?
The latest event in my firewall log is an attempted attack from these guys.
Doesn't say much for the quality of their SQL Server training course.
Day 1, lesson 1 should be change the admin password after installation.
A massive "unlocked door" worm has been ravaging users of Schlage locks. Apparently hackers have been breaking into houses with Schlage locks installed. 9 out of 10 users were found to have installed the locks but never engaged the locking mechanism, and many times had left the key in the knob.
sPh
To quote security focus article:
'According to SANS incident handler Johannes Ullrich, a preliminary analysis shows the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.'
So, it infects even systems that do not have a blank sa password. It only infects those systems instantly.
In dream society, people could be given the ability to mod replies. In real life, it would be disaster.
Why doesn't a clueless user friendly ISP implement a virus scan service on their end that sends an alert should it discover a virus?
Easy sell when you can say your ISP:
- removes the need for virus scanners (save $200+)
- saves on virus code updates
- saves the time to allow you to do your work rather than sys admin
Chuck in a warning about how you are not held responsible if something does slip through and you're away. You heard it here first.
The bulletin MS02-020 was just released about a month ago. Only the admins that place a top priority on patches (such as myself) are safe.
I supported NT server for MS for over a year and can attest to the number of admins out there that rely too heavily on anti-virus software. When nimda spread and took over a buttload of systems, it was for this very reason. The thing spread before it could be researched and DAT files updated.
Here's some solid advice for NT/2000/XP/.NET admins:
Use the hfnetchk tool to monitor all NT based computers on your network for installed patches using the syntax hfnetchk -h host1,host2,host3 -v -z -s 1. It will also check for SQL, IE, and IIS patches. Other products such as Office will have to be checked manually. At least Office has the officeupdate web site for easy installation that the users can do.
Block email attachments with extensions that viruses use. Have anti-virus software installed that checks every 2 or 3 hours for updates.
Have a properly configured firewall (blocks well known attacks) in place that only allows incoming session requests for what services are to be made available to the Internet. Lock down any services that are open to the Internet.
Have strong passwords for all admin accounts (at least 10 random characters) and create a new one for each admin account once every few months. Same thing goes for any account that can authenticate in any way from the Internet (8 characters and changing every 6 months or so should be okay). If domain authentication is going to be provided to the Internet for some stupid reason, hack the registry so only NTLM v2 is used.
Configure all windows computers to use the Peer-Peer node type 0x2. Use switches instead of hubs to prevent eavesdropping and assign MAC addresses to ports for your servers to avoid MAC address spoofing.
Most of these things are a one time setup. The ones that require maintenance are worth the trouble.
Obvious proof that O sama B in L auden is using slashdot to pass commands to his t errorist c ells.
Better hunker down boys, the feces is about to impact the rotary oscillator. Again.
Just take advantage of the iptables MIRROR target, let them have even more fun when their packets bounce straight back to them with the source and destination addresses switched around :o)
If your accounting software uses MSSQL as a backend and was installed by accounting consultants, you probably need to pay special attention to this alert. Odds are, they didn't set an sa password when it was installed either -- mine wasn't.
"Lawyers are for sucks."
- Doug McKenzie
Moron, it's "I got a snake, mang!" =)
The Microsoft Data Engine (MSDE) that comes with the .NET SDK is just a stripped down version of SQL server. Unfortunately enough, it's got enough "features" to make it vulnerable to attack. Sure I'm just stating the obvious, but I've already talked to 3 boneheaded .NET developers that insist that they're not running SQL Server. Imagine what I found on port 1433...
Okay, so there's a new MS-SQL worm going about. And it goes after default-install systems, of which there are around 1000 or so (now compromised, according to the article).
Big deal.
The problems, IMO, are not specific to Microsoft, no matter what this article may or may not imply. It's also a matter of getting trained and clueful admins in house to handle production-level servers, instead of just foisting the job off to the nearest PFY.
Granted, I'm not the most sympathetic voice in the crowd towards Microsoft. If what I've read is anywhere close to accurate, the government should immediately pull Microsoft's plug and migrate all critical systems and applications to [insert name of favorite *nix-type system here] in the shortest time possible. But clueful sysadmins and DBAs are the first, best line of defense against such attacks. Anyone care to dispute that?
End of vent. Coffee and croissants are being served in the community building next door. And be careful, the coffee's hot.
All the world's an analog stage, and digital circuits play only bit parts.
How much is the Microsoft solution cost your business today. Linux Admins are sitting back and watching the NT guys say "Poor Bastards Microsoft Screwed Them Again When Will They Ever Learn Linux" MySQL is an option perhaps if you are using Micro$oft VirusWare you should consider a migration to Linux GNU right now. Think about it if you had Linux GNU you could be hanging out with the Linux Admins instead of tending to another MicroCrashVirusBSOD alert. Hey how much did that Microsoft solution that Bill Gates cost your company today did you sign up for Microsofts Tier 5 Extortion Support Plan how many $$$ to Microsoft Extortion Support Center. Dont worry it will be fixed in the next release which only runs on XP of course you want to sign up for the Enterprise Screw Your A$$ Extortion Agreement and sign up for Microsofts Premier Bend Over and Say Cheese Support. Of course Linux Unix and Lunch boxes will now become Windows boxes and you will have to get a license and passport before connecting to the Micro$oft .Net Network Enterprise which is controlled by the Borg in Redmond. "All Your Data Boxen and A$$'$ Belong To Micro$oft".
Will slashdot post a story each and every time a new worm is out ?
BoD
BoD
One of the nice things I've noticed about MySQL (having used MSSQL as well) is that I can have MySQL prevent people from connecting based on IP addresses, even if they have the proper username/password credentials. I could never find a way to do this in MSSQL - is there a way of doing this? Yes, it's not perfect, but it's definitely a nice extra that MySQL offers which I've not seen in MSSQL. Again, if it can be done, someone let me know.
Also, why does the SQL Server run at all without a password? IIRC in the latest versions the installation prompts you for an 'sa' password to set, but earlier ones didn't do that. Why not just disable the program - when running it having a popup say 'hey - I won't run unless you set a password!' and be done with these types of 'holes' (yes, it's really just lazy admins, but the computer should be doing more thinking for me at this level - perhaps Clippit could bounce up and demand a password be set?)
creation science book
My LINUX server got 51 failed attempts from this M$ problem yesterday... Will people ever learn?
DISCLAIMER:
I don't believe what I write, and neither should you.
Christ, don't you ever READ what you post!!!
I uninstalled MS SQL a couple months ago. I converted everything to MySQL, and trashed MS SQL. I'm feeling pretty smart right now, of course, I wouldn't have been affected anyway because I had a strong password on the SA account.
Now I need to convince the execs to convert from Win NT to Linux......I'm tired of playing MS daily patch game.
Cheers.
ProgrammingArt
"Could have" or "could've," not "could of." This one is getting really bad nowadays, and it's embarrassing. I mean, listen: "I could of touched Natalie Portman." Could OF? That doesn't make any sense!
"It's" = short for "it is." "It's petrified!" Not "its petrified!"
"Its" = possessive. "Drowning in its piss," not "drowning in it's piss."
"You're" = short for "you are." "You're a dork."
"Your" = possessive. "Your grits are hot."
Now repeat after me: "Yes, playing with computers is fun, but I should probably take a break every now and then, and reading a book once every month or so is probably not such a bad idea."
Not that I'm a fan of MS's security, but the null password was fixed (literally) years ago. SQL Server 2000 requires a password for the sa account when you set it up. You can override it if you really want, but that's not MS's fault.
- N
+--------------------- You idiot! I told you we were facing the wrong way!
A patch a day keeps the micro$oft worms away.
I am a firewall engineer/tech. As bad as I hate to say it, but, especially with the tech industry being in the shape it's in right now, things like this help assure that I will have a job for the foreseeable future.
Also here's another article about the worm, for those who care.
I see this a lot talking to clients - they're convinced they can treat information processing just like they treat other commodity services/items (photocopiers, etc). When talking to clients, many of them have a 'DIY' approach to save money - outside consultants or expensive employees are often viewed as unnecessary. Perhaps one day they will be, but for now, it's a requirement to have someone who knows what they're doing operate these things (in this case, databases). Probably half the time I know people are thinking we're trying to pull one over on them, thinking they don't need someone who knows what they're doing ("Hey, my cousin's business set up a webserver in 10 minutes and they don't even use computers! It can't be that hard!") Sometimes they're right, but at this stage of development, it's still a gamble they *shouldn't* take.
creation science book
Think of a new way...
1.) Make your product easy to install
2a.) Use a default setting for an internet port
2b.) Use a default user account for deeper 'analysis'
3.) Write worm (or wait for someone to do it)
4.) Start worm (or wait for someone to do it)
5.) Measure the uproar you caused usenet thread length (or wait for someone to do it)
Refine method at will.
Advantage of this method: It is easier to post messages into newsgroups than returning business reply mail cards. Cost is spread around the world.
Limitation of this method: You get numbers of poorly installed products only.
Proposal: Let's provide an open port for each piece of free (as in beer) or open (as in source) software so we can measure numbers there, too.
-- You Gotta Do What You Gotta Do
> Already over a thousand compromised system
Grepping my firewall logs for hits to port 1433, I find 1078 hits since midnight, from 39 unique IP addresses.
The majority appear to be dynamic residential addresses -- attbi.com, swbell.net, pacbell.net. Only a few resolve to static addresses. Here's one of the sites that probed me:
http://210.90.207.4/admin.inc
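A way to do the same count over a firewall log programmatically, as an added example that is not part of the original post: this Python script parses iptables-style kernel LOG lines (the sample lines are constructed for the example and use documentation address ranges, not real probers), counts TCP connection attempts to port 1433 per source, and separates hosts sweeping several of your addresses from the odd peer that merely has 1433 as its source port, like the napshare hosts mentioned earlier in the thread.

```python
"""Count probes to TCP/1433 in a firewall log and rank the sources.

Added example, not from the original thread. Parses iptables-style
kernel LOG lines; SAMPLE_LOG below is constructed for the example and
uses documentation address ranges, not real probers.
"""
import re
from collections import Counter, defaultdict

# The LOG target prints SRC=, DST=, PROTO= and DPT= fields in this order;
# the log prefix before them varies, so only the fields are matched.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one host sweeping three of our addresses, one peer
# connecting FROM port 1433 (not a probe), one host hitting 1433 once
# over TCP and once over UDP, and one line that is not a LOG line.
SAMPLE_LOG = """\
May 21 00:03:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=3842 DPT=1433 SYN
May 21 00:03:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.6 PROTO=TCP SPT=3843 DPT=1433 SYN
May 21 00:03:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.7 PROTO=TCP SPT=3844 DPT=1433 SYN
May 21 00:04:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=1433 DPT=6257 SYN
May 21 00:05:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=2201 DPT=1433 SYN
May 21 00:05:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=UDP SPT=2202 DPT=1433
not a firewall line at all
"""


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def summarize_probes(log_text, port=1433):
    """Count TCP hits on `port` per source and how many of our hosts each touched.

    Only the destination port counts: a peer whose *source* port happens
    to be 1433 is not a SQL probe, and the worm speaks TCP, so UDP/1433
    noise is ignored as well.
    """
    hits = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        hits[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {
        "total_hits": sum(hits.values()),
        "unique_sources": len(hits),
        "hits_per_source": dict(hits),
        "targets_per_source": {src: len(d) for src, d in targets.items()},
    }


def likely_scanners(summary, min_targets=2):
    """Sources that hit several of our addresses are sweeping, not mistyping a host."""
    return sorted(
        src for src, n in summary["targets_per_source"].items() if n >= min_targets
    )


if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG)
    print(f"{s['total_hits']} hits from {s['unique_sources']} unique sources")
    for src, n in sorted(s["hits_per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n:5} hits  {s['targets_per_source'][src]} targets")
    print("sweeping:", likely_scanners(s))
```

On a real log, pipe `grep DPT=1433` output into `summarize_probes`; the `targets_per_source` count is what tells a worm sweep apart from a single misdirected client when you only own a handful of addresses.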
LMAO!
Sorry, I don't mean to be flamebait or a troll... but I can't just sit here and listen to that crap.
This is not microsoft's fault - ANY time a password is left blank or default there is going to be a problem. This is stupid admins (or lack of admins) not an MS problem totally.
...And when they came for me, there was no one left to speak out for me." - Martin Niemoeller (1892-1984)
If the administrator installed MSSQL and chose integrated security mode, that machine is not vulnerable; however, if the administrator chose mixed mode and did not set a password for the username "sa", then that machine is vulnerable.
I've not seen that particular bit of advice on any of the pages, though.
DanH
Cav Pilot's Reference Page
UNIX - Not just for Vestal Virgins anymore
Why The X-Box Network Will Fail
yuk yuk yuk etc
By the time you finish reading this sentence will end.
The thing that strikes me about a lot of things like this is that they are immediately exploited by the anti-virus software writers, but not by the big Unix/Linux vendors.
If I was in IBM I would have a budget set aside to ramp up a scary campaign about this and every other big worm/exploit - I'd be buying the spots right now to go on the offensive.
Gentlemen, your opponent is drowning, so throw the son of a bitch an anvil.
Ok, first of all you clearly haven't worked for any business, small, medium or large. If you have, then it won't be in business very long.
Second, companies *should be* and *are* responsible for security on their computer systems. By your logic, you would also claim that a company shouldn't have to buy locks, cameras or security personnel for their buildings, because how would they have known that people exist that can break into a building. Your reasoning is flawed and feeble.
A business is an educated entity. And for your information, the business world, from small to multinational, is going to continue to use the internet in more and more ways for their business. You may not buy it, but that's your mistake.
Moderation: Put your hand inside the puppet head!
About two years ago, I was hired by a dot com (which has since laid me off) to do some database work. I had several years of Oracle DBA experience and one of the things they wanted me to do was be the SQL Server DBA. Imagine my surprise when I discovered that their SQL Server machine was not behind a firewall and had the default blank password for the "sa" user. This database stored the orders and account information (including credit card numbers) for several e-commerce sites. There were some junior programmers fresh out of college on the project working on code that a consulting company had originally supplied. The junior programmers didn't want me to change the "sa" password because everything was hardcoded to use the "sa" account (a bad thing) without the password (even worse). Management didn't want to clean the credit card numbers out of the database because "we might need them in the future". It took several weeks of me kicking up a fuss to get them to let me change the password and remove the credit card numbers. AFAIK, they never moved it behind a firewall.
Sometimes a company just deserves to go out of business.
Not only that, but you normally need a Commercial Driver's License to sit behind one of those.
We're all saying that qualified sysadmins are necessary, but do we really want to go to *licensed* sysadmins? I have this ugly feeling that at some point, it may well take a license to make that final connection to the Internet. At that point, your ISP will be the licensed party, and you will have to use provided software on an acceptable platform. How many ISPs will allow you to connect on your own authority, assuming that you are licensed, is the next question.
The living have better things to do than to continue hating the dead.
Before you release any system, especially out in the open, you have to take the due diligence and verify its security... At least to a minimal extent.
T.
SoftLogic Solutions
http://www.softlogic.8m.com
No kidding. Management are so busy shorting the company's stock or faking business to pump it up in an effort to get more money, coke and whores that they don't even understand that just because the servers don't crash 10 times a day they're not shorting their technology infrastructure.
Slashdot's filters SUCK like HELL.
I've been trying to post the Bugtraq's version of this bug, and all I keep getting is Your comment has too few characters per line.
Internet Security Systems Security Alert May 21, 2002 - Microsoft SQL Spida Worm Propagation
Synopsis:
ISS X-Force has learned of a worm that is spreading via Microsoft SQL servers. The Spida worm is responsible for large amounts of Internet traffic as well as millions of TCP/IP probes at the time of this alert's publication. This worm attempts to locate and log in to MS/SQL servers with the "sa" account and a blank password. Once a vulnerable computer is found, the worm will infect that target, send its configuration and password information to an external host, and begin scanning for new targets.
Impact:
Although the Spida worm is not destructive to the infected host, it may generate a damaging level of network traffic when it scans for additional targets. The scanner bundled with the worm is multi-threaded and is capable of scanning with 100 threads. A large amount of network traffic is created by the worm, which scans both internal and external IP addresses for vulnerable servers.
Description:
The Spida worm propagates via Microsoft SQL installations with administrator accounts that have no passwords defined. Although Microsoft recommends that the "sa" account be set upon installation, many servers are not properly secured. If the worm finds a vulnerable server, it will attempt to execute its startup script by running the "xp_cmdshell" function, which is the SQL call used to execute system commands within SQL queries.
The main function of the Spida worm is to export an infected server's SAM password database and forward information about its network and database configuration.
The worm installs all of its files into the \Windows\system32 directory except for services.exe, which is installed into the \Windows\system32\drivers directory. Each of these files has a distinct function which is outlined below:
sqlprocess.js - This is the worm's main payload. It holds IP address arrays which are later used in the services.exe scanner. It executes "ipconfig /all" and appends this information to send.txt. This script then runs sqldir.js and appends all of the server's database information to send.txt. It then executes pwdump2 and appends the password hashes to send.txt, then runs clemail.exe and mails send.txt to ixltd@postone.com.
After the email is sent, send.txt is destroyed and services.exe is run to scan for other vulnerable servers. This information is appended to rdata.txt, which the worm uses to attempt to propagate with the username "sa" and a null password. The sqlprocess.js file sets the registry value dbmssocn to configure the SQL server to use the Winsock TCP/IP library instead of the default DBNETLIB library:
(HKLM\software\microsoft\mssqlserver\client\connectto\dsquery)
It also turns on the NetDDE service, allowing SQL to use the DDE protocol.
sqlexec.js - This is a script used by sqlprocess.js to execute xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.
sqldir.js - Collects a list of databases on the infected system. Later, sqlprocess.js writes this information in send.txt to send to ixltd@postone.com.
run.js - This script passes time information to and from timer.dll.
sqlinstall.bat - Installs the worm then hides the files.
clemail.exe - Simple mail program used to email out the send.txt file.
services.exe - Scanner used by the worm to scan for other SQL servers on port 1433. This information is appended into the rdata.txt file. This file is multi-threaded and scans internal IP addresses before performing an external IP address sweep.
pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program that performs the authentication of log-on credentials) in order to grab raw NT password hashes.
samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows password hashes.
timer.dll - A counter used for installation and other functionality of the worm.
Recommendations:
Microsoft SQL Server customers should refer to the following address for information and securing Microsoft SQL Server:
http://www.microsoft.com/sql/techinfo/administration/2000/security.asp
ISS Database Scanner product implemented a check for a blank administrator password in December of 1998. Database Scanner customers are encouraged to enable this check if they have not done so. For more information, refer to:
http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_database.php
ISS RealSecure Network Sensor customers may use the following connection event to detect access attempts to the SQL Server port. Follow the instructions below to apply the connection event to your policy. This connection event will detect legitimate connection attempts to MS/SQL servers.
1. Choose a policy you want to use, and click Customize.
2. Select the Connection Events tab.
3. Click Add on the right hand side of the dialog box.
4. Create a Connection Event.
5. Type in a name of the event, such as "MS/SQL Port Probe".
6. In the Response field for the event, select the responses you want to use.
In the Protocol field, select TCP.
In the Dest Port/Type field click the pull down box and create an entry for TCP port 1433:
a. Click Add.
b. Select TCP Protocol.
c
d. Use 1433 for the port number.
e. Click OK.
f. Select the entry just created.
7. Save changes and close the window.
8. Click Apply to Sensor or Apply to Engine depending on the version of RealSecure.
To create a user-defined event RealSecure Server Sensor:
1. Open the desired policy.
2. Expand the Connections tree on the Protect view.
3. Expand the User Defined Suspect Connections branch.
4. Click Add to add a new User Defined Suspect Connections event
5. Name the event, SQL_Connection.
6. Select the desired responses under the response column.
7. Enter "1433" under the port column.
8. Save the Policy and apply it to the sensor.
ISS BlackICE customers should monitor and/or enable the "SQL Port Probe" event. This event will detect probes by the Spida worm.
ISS X-Force will provide assessment support for this vulnerability in an upcoming X-Press Update for Internet Scanner.
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard
to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet
Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
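The advisory's RealSecure connection event fires on every TCP connection to port 1433, legitimate clients included, so the operator still has to separate a worm sweep from normal traffic. The following is an added example, not part of the advisory or of any ISS product: it parses constructed iptables-style firewall log lines (the addresses are from documentation ranges) and reports sources that touched several distinct hosts on TCP/1433, which is the sweeping behaviour described for services.exe above. The log format, the regex and the threshold of three distinct targets are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not from the advisory). Each line records
# one SYN seen at the firewall; DPT is the destination port.
SAMPLE_LOG = """\
May 21 10:02:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3451 DPT=1433 SYN
May 21 10:02:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=3452 DPT=1433 SYN
May 21 10:02:14 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=3453 DPT=1433 SYN
May 21 10:02:14 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=3454 DPT=1433 SYN
May 21 10:02:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.10 PROTO=TCP SPT=1200 DPT=1433 SYN
May 21 10:02:16 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=4000 DPT=80 SYN
May 21 10:02:17 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=3455 DPT=1433 SYN
"""

# Assumed log layout: SRC, DST and PROTO appear in that order, DPT follows later.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)

SQL_PORT = 1433


def parse_events(text):
    """Yield (src, dst, proto, dport) for every line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def sql_port_targets(text, port=SQL_PORT):
    """Map each source address to the set of hosts it tried to reach on `port`."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_events(text):
        if proto == "TCP" and dport == port:
            targets[src].add(dst)
    return targets


def find_sweepers(text, min_targets=3, port=SQL_PORT):
    """Sources that probed at least `min_targets` distinct hosts on `port`,
    most active first. A single client talking to one server never qualifies."""
    targets = sql_port_targets(text, port)
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, count in find_sweepers(SAMPLE_LOG):
        print(f"{src} swept {count} hosts on TCP/{SQL_PORT}")
```

On the sample, 203.0.113.7 is reported with five distinct targets, the internal client 198.51.100.50 (one target) and the port-80 traffic from 203.0.113.9 are not. The distinct-target count rather than a raw packet count is what distinguishes a sweep from a busy legitimate client reconnecting to one server.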
here's a topic for further discussion....
Now that the cat is out of the bag that MSSQL is "in play" as a target, I wonder if sealing 1433 and the sa password are enough to head off future attacks.
The linked articles explain how the worm replicates by essentially logging on as an SQL client and storing a copy of itself in the database. Ingenious, but relatively easy to defend. However, couldn't future versions infect any-old-user's PC using standard email/windows virus techniques and then look for an ODBC connection which would hopefully, by now, be configured with a no-longer-blank sa password to seed a new infection? It might even hit more systems because it gets you inside the firewall that closed off 1433?
In other words, is all the /. schadenfreude about dumb-ass sysadmins not setting the 'sa' password eventually going to be for naught? The problem is still MS's poorly thought-out standard of mixing code with data...
"Lawyers are for sucks."
- Doug McKenzie
Think about the possibility that holes might be put in firewalls to allow such traffic between corporate sites, that would be another good way to blame the users. That way, every desktop with Access 2000 could be burnt by this. Wow, think of a corporate cluster fuc, functioning that way. Then imagine a cluster of corporations. BARF.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Or "Hooked on Phonics" or something...
free alternatives
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Two different looks, two different payloads. One queries then tries the blank PW before brute-forcing, the other fires and forgets.
Easy does it!
As a MS SQLI think the real problem here is not with the MS SQL Server software (the "sa" password problem is also shared with Oracle), but with the management. They often have the MS Windows Admin / Help Desk people also manage the SQL Server database. The Windows Admins usually do not have the time or expertise to adequately manage the complex DBMS servers. They really need "specialist" DBAs who are familiar with both general DBMS issues and with MS SQL Server in particular.
OK, so how long before you recommend to admins that they update every hour? Or require continuous persistent updating?
Not only is there not enough bandwidth at an admin's site to handle the anti-virus updates alone (never mind vendor patches), the anti-virus firms don't have enough bandwidth to service all those admins all at once.
I think Rob Rosenberger described it best.
Use Evolution instead of Outlook? Bewa
fucking jew
Burn me once, shame on you. Burn me twice, shame on me. How many times are people going to let themselves be burnt by Microsoft's intentionally easy to break and push onto software?
All the trolls keep saying, "Linux is not ready for the desktop." Hmphf! I'm so sick of that bull. M$ is not ready for anything. If it really were easier to get work done on M$ desktops and they could be protected, management might be justified in continuing to order new M$ junk. But it's not.
Debian kicks M$'s butt, and Red Hat has all the bells and whistles any corporate user could want. At work, I've got one virtual desktop with tiny pictures on a single bar at the bottom of my screen. There's no way to segregate projects, so I have to cycle the little buttons and place keeping fails. A "power user" in the next cube has two freaking monitors eating his desk top, how stupid! The environment lacks useful scripting, and it's impossible to run processes on other M$ machines without getting out of your seat. Walk, click, click, click, where's the automation? Every two years the file formats change enough to make everyone "upgrade". The GUI's constant flux requires constant relearning, and seems to make less sense with every new improvement. Stability is a joke, as is speed. My first 486 gave comparable performance and speed back in 1993. It just burns me up. When I go home I sit at a single chair and look into a single good monitor and can control and run processes on any number of computers I can set up behind my firewall. At home, I move plenty of big pictures and files, no problems. Things at home HAVE gotten faster with new hardware. Why do people at management level put up with this expensive, invasive, rights denying, won't even work well with itself junk?
Someone somewhere is going to get the desk top switchover started and M$ is going to vanish. Poof, back into the cloud of hot air they started with.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I didn't need all that karma anyway.
BRENT ROCKWOOD, EST'd 1975
It used to be the recommended way of setting up SQL Server. MS has always been lax about recommending VB programmers following strict guidelines, since it makes it more work to administer. One of the benefits was it was easy to setup. So easy in fact that "almost anyone" could setup a SQL Server. Any company dumb enough to follow what MS recommends with regard to security deserves to get hacked and lose business.
I don't want to beat on MCSEs any more than they already get it, but MS has cultivated a large number of semi-competent admins for their systems. Therefore, when patches come up, there are a large number of people who DON'T apply the patch and may not even know they are running the service!
C'mon, Code Red is still out there! Not to say that all MCSEs are incompetent, but let's compare it to Java certification. (since I'm a Java dork)
When someone tells me they are Java certified, my eyes glaze over. It means very little (to me) and I still want to delve into their tech knowledge. But it seems like MCSE opens the door to a greater degree, and it shouldn't
Computer Science is Applied Philosophy
You all should be concerned Microsoft is in the process of "Innovating" the SQL file structure of Yukon into Blackcomb making it a new file system for their .NET. Since this runs default on Workstations with no security or administrators tools like XP Home full Raw Sockets imagine the damage this can cause for the whole internet. Blackcomb is the next great extension of Microsoft Windows NT.
Unfortunately, Joe 90 year old usually got where he is because he had the family influence and inherited wealth to buy his way to the top. Laissez-faire capitalism favors those who already have the capital, and the entrenched wealth tends to nepotism regardless of ability. Government corruption and incompetence in regulated capitalisms can lead to equally bad outcomes.
Not that I'm against capitalism, you understand; it's much more successful in large economies than any alternatives available.
I'm just pointing out the realities of current (American, at least) business practices. I don't have any sympathy for the stupid gits either; hey, maybe this sort of thing will introduce a little Darwinian selection on the hereditary CEO class.
You go out and buy a truck for transportation, you should make sure the driver has a license.
You buy a milling machine to make parts, you should hire a machinist to operate it.
You install/buy a database, you should hire a DBA.
A realization that I've come to is that despite what software makers assert, computers are not easy. And they shouldn't be easy. There is a lot of stuff happening inside a computer/network and it takes a trained professional to set it up correctly in the first place and keep it running there after. These companies should be doing a cost benefit analysis of adding a database and hire a contractor to maintain it if they can't afford a full time DBA.
When we noticed this a year ago, we replaced our Xerox printers with a linux-based solution.
We're saving over $100,000 a year on the deal. We find that linux-savvy professionals are cheaper than that, so it's an increase in security and staff expertise for less money overall.
Chew that, Xerox.
is to put SQL Server on a port other than 1433. Of course for an existing installation, this could be a major change. But if you're setting up a new SQL Server, use another port. This is assuming you are using SQL Server and not another superior database product (like Oracle).
Believe in things of which no person has ever learned
Just FYI, the article should've mentioned this is a problem for SQL Server 7, not the current version which is SQL 2000(?)
this is not a sig
Well, I'll just wait here for that...
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
Microsoft Data Engine (MSDE) is just as vulnerable to this worm as a full blown SQL server. Unfortunately, this fact is not really advertised by either the Microsoft advisory or most other antivirus vendors. It is unfortunate because there are a lot of products that use the MSDE as a "hidden" SQL server, and from my experience most of these applications DO NOT CHANGE THE 'SA' PASSWORD. Even worse is the fact that most of the applications using MSDE break when the SA password is changed. Some of the apps that use MSDE: Tumbleweed MMS (formerly Worldsecure, a "security product" relies on blank SA password for proper operation), CyberCop scanner, Microsoft Visio, Visual Studio, etc.
...that I don't run MS SQL, because my firewall has reported TCP probes on port 1433 to my computer.
I'm sorry, but this has to be one of the biggest fallacies in the open source world. MySQL is not a decent SQL server. In fact, it's hard to call MySQL an SQL server at all, being as its 'support' for SQL standards is absurd - the project makes up keywords as it goes along. It's far more accurate to consider it an abstraction to the file system. There are no subselects, nor stored SQL procedures. If MySQL was non-free but with exactly the same codebase it would be ripped apart by the programming intelligentsia.
PostgreSQL is better, but has an Achilles heel with hard coded attribute sizes.
tlhf
xxx
I'm sorry, but MS SQL is more comparative with Oracle or DB2 than either of the free databases.
I think this sort of worm should be included with software. You install the software, the worm attacks it, and warns you of potential dangers that you may have been unaware of. Say a clueless user downloads a piece of software (i.e. Kazaa) and would like to know what exploits are possible. Virii and the like are the way to discover and bring to light these deficiencies. The only problem is that you can't trust the authors . . . but wouldn't you rather know that you have ports/services/passwords open to public scrutiny?
Check it out go to Exam Cram or even to Microsoft's site and take a sample exam and see how the tests are for fucking morans. Microsoft Certifications are just a way to keep sucking more money out of your ass just ask the MSCE who was certified under NT4 had to upgrade to Windows 2000 and now will be forced to upgrade to Windows XP. Of course if you like being a Microsoft Mouse on a wheel and giving up your cheese go right ahead but you're still a bunch of dumb bastards that should be banned from the server room. Fact: if your MSCE was so smart why did they leave their SQL open without strong passwords. Microsoft Disney because that's what they are. Do this back when you installed NT4 you had to feed a lot of information into the install or create a batch file with all the things you wanted in a deployment. Now with WinBlowsChunks 2000 just pop in the CD and let WinCrashBSOD do all its Black Magic behind the scenes setting all those items for you like send DBA data back to Redmond ........... you say that not so well how do you know did you audit the install logs and registry hive and do you have the source code to make sure there are no rogue libraries and apis like send all your company's money and company's secrets to Bill Gates and Microsoft who have a different use for "Data Mining". Trust your Company and Network with Microsoft after they have admitted their products are full of holes and a security threat to anyone running them. You must be a Microsoft MSCE because you are one dumb bastard if you trust Microsoft with your Data.
Er, wait....
This kind of poor system administration just goes to show that anyone with a little time and money can get certified and get a cushy job as a Microsoft system engineer, regardless of intelligence level.
I don't have much experience with certifications, but it would seem that you hear of more propagated system administration problems rooted in poor certified sys admins on Microsoft systems than any other deployment platform. That could be based on the number of systems maintained or the sheer intelligence level required to attain that position. I'll let the general populace decide.
Does Windows have Daemons? I thought they were immortal entities. How could an immortal entity live in a Universe that comes to an end every few weeks at best?
Maybe (relatively) long-running processes on Windows should be called Aengels.
(Yes, I know Microsoft uses the beige Microsoftian term "services".)
That's the only virus that's ever hit me. Had it on every single floppy for my XT, and didn't figure it out till I tried to install my first hard drive (10 megs). The virus loaded into RAM on insertion, and would immediately reinfect the disk once it was cleaned, if you did anything other than turn the computer off.
Play Command HQ online
Most tools/software on the server itself connect via named pipes local on the system anyway. So these tools will not have a lot of problems. Most SQL Servers exposed on the internet are installed on systems which also run IIS, thus 1 server for the complete stack of servers for a web application. Having this port open is not needed.
Start the server network utility and change the port on the TCP/IP protocol. Click OK and restart the MSSQLSERVER service.
btw, Oracle is superior in which way? Oracle has also a 'default' password: empty or a default well known password.. it doesn't matter. People simply should understand what they put online.
When I start a little tool on my online SQLServer machine I get 4 servers listed which run on the same network segment as my server (in the co-located rack at my ISP). a) these servers are running the server service, which shouldn't be running, b) these servers have port 1433 open and c) have set their server to not hide it for the outside world.
Pretty basic stuff that should be switched off, but isn't because the admins probably don't know that it's necessary to switch it off or even how to do that.
Again, an admin flaw, not a software flaw.
Never underestimate the relief of true separation of Religion and State.
Microshafted seems more appropriate.
Geez, it's a good thing Microsoft hasn't released any source code, then we might get a virus or worm in a Microsoft product.
The recommended way has always been: trusted connections, at least since 7.0. (which is pretty old by now). The 6.5 legacy from sybase had a different policy due to the lack of good integration with NT security.
So the SA account is never needed: connect using trusted connections.
Examples most of the time mention 'sa' with no password, but those are examples, what way should they then mention a connection string?
Never underestimate the relief of true separation of Religion and State.
Check out Mimer SQL Engine
Way to make my machines more secure. Perhaps I should just start posting the admin passwords on the web. I am also going to start securing my house with a screen door.
Windows Longhorn is going to run a database file system, isn't it?
That database is probably going to be powered by SQL Server, right?
Oh well...I guess SQL Server will eventually join Outlook/OE as the most exploited software ever made.
"Evil will always triumph because good is dumb." -- Dark Helmet
I've just mailed this to a couple of security lists I take part in. Posting here seems like a good idea (although now, of course, I am outed as a SQL Server user)
Please feel free to forward these recommendations to any other lists as you see fit. However, as with all system changes, things can go wrong. Make sure you have backups. I take no responsibility if your SQL server dies. Or if the sun fails to come up :)
use master
exec sp_dropextendedproc 'xp_cmdshell'
sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop
The same goes for registry sps
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regremovemultistring
use master
select name, Password
from syslogins
where password is null
order by name
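The syslogins query in the comment above finds accounts that still have no password. Once 'sa' has a real password, the worm's remaining avenue is the brute-force attempt the story describes, and that shows up in the server's error log as a burst of failed 'sa' logins from one client. The following is an added example, not code from the comment's author or from Microsoft: it parses constructed error-log style lines and flags clients that exceed a failure threshold, and separately flags a client whose burst of failures was followed by a successful 'sa' login. It assumes failed-login auditing is turned on for the instance and assumes a "[CLIENT: ip]" suffix on each logon line so events can be grouped per client address; both the line format and the threshold of three failures are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed SQL Server error-log style lines (not from the page). The
# "[CLIENT: ip]" suffix is an assumed format for this example.
SAMPLE_ERRORLOG = """\
2002-05-21 10:15:02.45 logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2002-05-21 10:15:02.61 logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2002-05-21 10:15:02.78 logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2002-05-21 10:15:02.94 logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2002-05-21 10:15:03.10 logon     Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 203.0.113.7]
2002-05-21 10:16:40.02 logon     Login failed for user 'reports'. [CLIENT: 198.51.100.22]
2002-05-21 10:16:45.88 logon     Login succeeded for user 'CORP\\jsmith'. Connection: Trusted. [CLIENT: 198.51.100.22]
"""

# Timestamp, the "logon" source tag, the outcome, the login name and the client.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+ \S+) logon\s+Login (?P<result>failed|succeeded) for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[\d.]+)\]"
)


def parse_logons(text):
    """Return (timestamp, result, user, client) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["client"]))
    return events


def sa_login_summary(text):
    """Per client: count of failed 'sa' logins, and whether a successful 'sa'
    login came after at least one failure from that same client."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded_after_failures": False})
    for _ts, result, user, client in parse_logons(text):
        if user != "sa":
            continue  # other logins are not this check's concern
        entry = summary[client]
        if result == "failed":
            entry["failed"] += 1
        elif entry["failed"] > 0:
            entry["succeeded_after_failures"] = True
    return dict(summary)


def classify_clients(text, max_failures=3):
    """'brute-force' for clients at or over the failure threshold;
    'likely-compromised' when a successful 'sa' login followed such a burst."""
    verdicts = {}
    for client, entry in sa_login_summary(text).items():
        if entry["failed"] >= max_failures:
            verdicts[client] = (
                "likely-compromised" if entry["succeeded_after_failures"] else "brute-force"
            )
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify_clients(SAMPLE_ERRORLOG).items():
        print(f"{client}: {verdict}")
```

On the sample, 203.0.113.7 is classified as likely-compromised (four failures, then a non-trusted 'sa' success), while 198.51.100.22, which failed once as a different user and then logged in with a trusted connection, is not reported at all. The ordering matters: a success that precedes any failures from the same client is treated as ordinary use, not as a cracked password.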
Finally, MS have released a bulletin
Port "LAEE"? What does that stand for?
Transcript show: self sigs atRandom.
I've been messing with MySQL and PostgreSQL a bit recently, and I have some experience with MS SQL as well.
This bug is obviously MS's fault, the default install of MS SQL allows connections from anywhere, what is that? I don't even think there is a per IP or IP range block you can put specifically on MS SQL.
In contrast MySQL and PostgreSQL both default install with only local host allowed to connect to the DB. And, the admin has to specifically *ALLOW* hosts or IP ranges to connect.
Obviously, a brute force attack on a specific TCP port number will not work against MySQL or PostgreSQL, as the connection will be refused outright, unless the worm can also spoof IPs.
Dumb defaults MS, once again.
If you are running Microsoft Products now is an excellent time to move to Linux GNU. This worm is bad but it could mutate into a more nasty worm one where a virus piggybacks with a more destructive payload. Klez already has some variations with a very nasty payload like format your hard drive erase your bios. It is clear that it is not safe to trust your computers, your data, and your network to Microsoft Products. Time for a class action lawsuit against Microsoft for knowingly shipping defective products.
And get someone with a license to drive it and they perform regular maintenance on it.
And they get someone with the skills to use it.
You are a complete and utter numpty. Do people actually pay you money to provide services?
Government of the people, by corporate executives, for corporate profits.
True, anyone installing administering software (like MS SQL Server) should be wise enough to ensure that the default accounts are secure. However, what if you are not directly administering it? For instance, lab management software from Altiris installs the MS SQL engine with a blank SA password (and I don't believe it offers a built-in way to change it). Lots of areas use this software and perhaps failed to realize they were also managing MS SQL server (although on a very junior level).
A client recently had their Win consultant in to install new hardware for the mail server. Took the first one down, and the mail spooled as designed on the backup mx I run on Linux for 'em. Consultant did the Win software install and suddenly the new machine took all the mail spooled for it and rejected it as having "no such user." With Win, to install the software is to turn it on. Never mind that it should be configured before going live. Not like *nix, where if I install sendmail it isn't running until I explicitly run it.
MS should be sure that installing software does not ever, in itself, enable it, when that software is any sort of daemon. Ought to be illegal.
"with their freedom lost all virtue lose" - Milton
Who the hell gets a virus these days? Only idiots that will open anything and everything that is sent to them via e-mail. Frankly, they need this to teach them a lesson. I've been working with computers for 10 years now. I have had many PCs and laptops and none, I mean none, have ever been infected by a virus. To hell with all these stupid antivirus programs. It's all hype. The mindless consumer, who has no idea what a computer is, goes out and buys one and is drilled over and over again about virus protection. Maybe someone should show these people how to use a computer first.
The subject basically says it. The only way to get this worm is through a feat of absolute stupidity. You didn't change the default password on install. And before you blame Microsoft for not forcing you to, perhaps you should read up on your documentation of MySQL.
And for those stating that some new Microsoft products automatically install SQL Server, those installations have SQL authentication disabled by default, so the 'sa' account isn't accessible, period.
Micro$oft roxorz
Any SA that isn't a total idiot would not expose port 1433 to the Internet in the first place. These morons deserve to be compromised on many levels...
The last MSSQL Server worm attacked the same weaknesses...blank sa passwords & port 1433.
Just change the port if you can afford to (i.e if you don't have too many apps to reconfigure) & follow standard Admin practices regarding security accounts.
A year and a half from awareness to patch on one of those vulnerabilities. At least. What can a sysadmin do when faced with that?
Why, switch to PostgreSQL, of course! Faster, more secure, source available for verification or modification, closer to SQL-92 and subsequent standards, portable. What more could you want?
Oh, yes: it's free as well as Free.
Got time? Spend some of it coding or testing
Digispid.ide
8.3 letters
They store their IDEs on MS-DOS?
Got time? Spend some of it coding or testing
D'oh... I've been using port 1433 for some time now for SSH tunneling as it is the lowest numbered port above 1023 that is allowed through the corp firewall... I guess it's not going to be a security problem, but I'm changing it just to avoid excess traffic, and to stay even more invisible.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
One big change between SQL 7 and 2000 is that it's harder to leave the sa password blank. It's still possible, but at least you've been told. Not quite a "HEY STUPID" message, but it's pretty close.
I'm normally pretty MS Hostile, but even I don't really blame MS for this one. This is a PEBKAC. Problem Exists Between Keyboard and Chair.
"Live Free or Die." Don't like it? Then keep out of the USA