New "SQLsnake" Microsoft Worm
sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords.
Here is the (vague) Microsoft bulletin, the SANS analysis, and a securityfocus article."
Already over a thousand compromised systems; you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.
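The story describes two things the worm does that show up in logs: it sweeps a lot of hosts on TCP 1433, and it hammers individual servers with login attempts. The script below is an added example (not code from the story, Microsoft, SANS or any poster here) that looks for both. The firewall line format and the SQL Server errorlog lines are constructed for the example, and the "[CLIENT: ip]" suffix on the errorlog lines is an assumption: SQL Server 2000 itself did not record the peer address in that message, so adjust the two regexes to what your devices actually write.

```python
# Added example; not code from the story, Microsoft, SANS or any poster here.
# It looks for the two behaviours the story attributes to the worm: a sweep of
# many hosts on TCP 1433, and repeated failed logins against one SQL Server.
# Both log formats below are constructed for the example: adjust FW_LINE and
# LOG_LINE to whatever your firewall and SQL Server actually write.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
FW_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
# Constructed errorlog format; the "[CLIENT: ip]" suffix is an assumption (it is
# how later SQL Server versions report the peer; SQL Server 2000 did not log it).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'\.(?: \[CLIENT: (?P<client>[^\]]+)\])?"
)


def _peak_in_window(stamped, window, measure):
    """stamped: list of (datetime, value). Slide a window no wider than `window`
    over the sorted events and return the largest value `measure` gives for the
    values inside any one window position."""
    stamped.sort(key=lambda pair: pair[0])
    best, start = 0, 0
    for end in range(len(stamped)):
        while stamped[end][0] - stamped[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in stamped[start:end + 1]]))
    return best


def find_sweepers(lines, port=1433, min_targets=20, window=timedelta(seconds=60)):
    """{src: distinct destinations hit on `port` within one window} for sources
    that reach `min_targets`. An app server that talks to its one database all
    day never trips this; a scanner walking a /24 does."""
    per_src = defaultdict(list)
    for line in lines:
        m = FW_LINE.match(line)
        if m and int(m.group("dport")) == port:
            per_src[m.group("src")].append(
                (datetime.fromisoformat(m.group("ts")), m.group("dst")))
    peaks = {src: _peak_in_window(ev, window, lambda vals: len(set(vals)))
             for src, ev in per_src.items()}
    return {src: n for src, n in peaks.items() if n >= min_targets}


def find_guessers(lines, min_failures=10, window=timedelta(seconds=60)):
    """{client: failed logins within one window} for clients that reach
    `min_failures`; a user mistyping a password twice stays below it."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            per_client[m.group("client") or "unknown"].append((ts, m.group("user")))
    peaks = {c: _peak_in_window(ev, window, len) for c, ev in per_client.items()}
    return {c: n for c, n in peaks.items() if n >= min_failures}


def sample_firewall_lines():
    """Constructed: a scanner walking 10.0.0.0/24 on 1433, an app server hitting
    its own database repeatedly, and an admin touching five servers."""
    base = datetime(2002, 5, 21, 10, 0, 0)
    lines = []
    for i in range(1, 61):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} src=192.0.2.77 dst=10.0.0.{i} dport=1433")  # scanner
        lines.append(f"{t} src=10.0.1.5 dst=10.0.0.200 dport=1433")    # app server
    for i in range(1, 6):
        t = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} src=10.0.1.9 dst=10.0.0.{i} dport=1433")    # admin
    lines.append(f"{base.isoformat()} src=192.0.2.77 dst=10.0.0.1 dport=80")  # wrong port
    return lines


def sample_errorlog_lines():
    """Constructed errorlog excerpt: one host guessing 'sa' every two seconds,
    one user who mistyped a password twice."""
    base = datetime(2002, 5, 21, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    lines = [f"{(base + timedelta(seconds=2 * i)).strftime(fmt)[:-4]} logon     "
             f"Login failed for user 'sa'. [CLIENT: 192.0.2.77]" for i in range(25)]
    lines += [f"{(base + timedelta(minutes=5, seconds=i)).strftime(fmt)[:-4]} logon     "
              f"Login failed for user 'jsmith'. [CLIENT: 10.0.1.20]" for i in range(2)]
    return lines


if __name__ == "__main__":
    print("sweepers:", find_sweepers(sample_firewall_lines()))
    print("guessers:", find_guessers(sample_errorlog_lines()))
```

The thresholds are deliberately loose (20 distinct hosts in a minute, 10 failed logins in a minute); tune them against a day of your own traffic before alerting on them, and remember that a source hitting your whole range on 1433 is worth a look even if every login it tries fails.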
Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.
First of all, a DB should never be outside a firewall. It's not necessary.
Second of all, this issue is aided by databases installed with blank admin passwords.
I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...
I'm sorry, but according to the topic post, it said:
and even attempts to brute force passwords.
So either you're telling me the writer lied... OR... it doesn't just attack blank passwords... so which is it?
www.slightlycrewed.com - Because aren't we all?
This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.
Microsoft is semi-innocent on this one.
NOTE: They make their products so even a stupid administrator can install them, and this worm is proof of that!
I take no responsibility for what I say. Even though I'm never wrong
Yes, it is highly standard practice to have an SQL server and no one in the building that has a clue to run it, let alone what it is. The vendor of some "critical" app usually installs it (from a copy the vendor has on hand) and advises the customer: "you need to buy MS SQL server to be legal".. well, we know where that goes.... (50% ignore them and never even think of buying it; the other 50% look for it, see the price and then crap their pants, deciding not to buy the overpriced product)
So yes, it is very common, and it will remain very common as long as there are software vendors making SQL-based apps and NOT including a legal copy of SQL server and an SQL maintenance contract in the price of the product.
Do not look at laser with remaining good eye.
Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.
Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budgeted for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.
Then, when the LAN wasn't hooked to the Internet, some poor schmuck installed MS BackOffice and wanted to install SMS Server, and it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.
Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!
Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.
I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.
Learning HOW to think is more important than learning WHAT to think.
Along comes e-mail, the Internet, databases, web sites, etc. Joe Enthusiastic runs into the President's office and says, "Mr. Smith! I have found a great new way to communicate with our customers!". Mr. Smith, though he is 90 years old, takes a look and says, "Yeah, that looks interesting. Buy one and set it up".
So the company buys one (database server, e-mail server, web site, etc.) and sets it up according to the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.
NOW the company is told, oh, you should have known. You should have known the instructions in the box were incomplete and dangerous. You should have known you needed an 80k/year DBA to use that. You should have known the product was dangerous. You should have known...
Sorry. I am not buying it anymore. And I think the general business world isn't going to buy it much longer. Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how. Sort of like the phone company in the 1950's.
My 0.02 anyway.
sPh
The bulletin MS02-020 was just released about a month ago. Only the admins that place a top priority on patches (such as myself) are safe.
I supported NT Server for MS for over a year and can attest to the number of admins out there that rely too heavily on anti-virus software. When Nimda spread and took over a buttload of systems, it was for this very reason. The thing spread before it could be researched and DAT files updated.
Here's some solid advice for NT/2000/XP/.NET admins:
Use the hfnetchk tool to monitor all NT-based computers on your network for installed patches, using the syntax hfnetchk -h host1,host2,host3 -v -z -s 1. It will also check for SQL, IE, and IIS patches. Other products such as Office will have to be checked manually. At least Office has the officeupdate web site for easy installation that the users can do.
Block email attachments with extensions that viruses use.
Have anti-virus software installed that checks every 2 or 3 hours for updates.
Have a properly configured firewall (blocks well-known attacks) in place that only allows incoming session requests for the services that are to be made available to the Internet. Lock down any services that are open to the Internet.
Have strong passwords for all admin accounts (at least 10 random characters) and create a new one for each admin account once every few months. The same goes for any account that can authenticate in any way from the Internet (8 characters and changing every 6 months or so should be okay).
If domain authentication is going to be provided to the Internet for some stupid reason, hack the registry so only NTLM v2 is used.
Configure all Windows computers to use the Peer-Peer node type 0x2.
Use switches instead of hubs to prevent eavesdropping, and assign MAC addresses to ports for your servers to avoid MAC address spoofing.
Most of these things are a one-time setup. The ones that require maintenance are worth the trouble.
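The password advice in the post above (ten random characters for admin accounts, eight for anything that can authenticate from the Internet) is easy to state and easy to get wrong in practice, usually by generating "random" passwords with a PRNG that isn't. The script below is an added example, not the poster's code: a generator that draws from the operating system's CSPRNG via Python's `secrets` module, a checker that applies the post's rule and refuses the blank and default values this worm relies on, and a helper that puts a bit count on the two lengths the post mentions. The WELL_KNOWN list is an assumption; extend it with whatever your vendors ship.

```python
# Added example, not from the post above: a generator and checker for the
# post's password rule of thumb (ten random characters for admin accounts,
# eight for anything that can authenticate from the Internet). The `secrets`
# module draws from the OS CSPRNG; `random` is the wrong tool for this job.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
# Defaults worth refusing outright (assumed list); the blank sa password is
# the one this worm uses.
WELL_KNOWN = {"", "sa", "password", "admin", "administrator", "changeme"}


def check_password(password, min_length=10):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(any(ch in cls for ch in password) for cls in CLASSES) < 3:
        problems.append("uses fewer than three of lower/upper/digit/punctuation")
    if password.lower() in WELL_KNOWN:
        problems.append("is blank or a well-known default")
    return problems


def generate_password(length=10, alphabet=ALPHABET):
    """Draw `length` symbols uniformly at random and reject any draw that fails
    check_password, so every returned value satisfies the policy. `alphabet`
    must cover at least three of the character classes or this never returns."""
    if length < 3:
        raise ValueError("need at least three characters to cover three classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of `length` uniform draws from `alphabet`: 10 symbols from 94 is
    about 65 bits; 8 symbols is about 52."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for length in (8, 10):
        print(length, generate_password(length), f"{entropy_bits(length):.1f} bits")
    print("blank sa:", check_password(""))
```

The rejection loop in generate_password throws away the rare draw that happens to miss a character class, so the returned password always passes the same check you would run on a human-chosen one; for a 94-symbol alphabet at these lengths it retries only a few percent of the time.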
If they need to haul stuff, they buy a truck. If they want to stay in business, they don't leave the keys in it and the windows down while it's parked somewhere in public.
If they need to make copies, they buy a copy machine. If they need machine tools, they buy them. They also tend to keep these things in locked rooms so joe public can't walk in and trash them.
If they buy computer systems, they leave the passwords blank and expect people to not use them. That's not bad programming, it's stupid users.
Yes, but who would put an untrained employee with little driving experience and no experience driving a truck behind the wheel of a tractor trailer and not expect the truck to cause an accident?
Any company that sets up a database server without hiring a qualified admin to set it up and maintain it is asking for trouble. A qualified admin should have changed the SA password from null. There really is no reason this behavior should be acceptable.
The Economics of Website Security
Keep in mind that Access XP includes a desktop version of SQL server
This is true, but you need to go back a couple years to get to the root of this (fscking stupid) idea.
Visio 2000 installs it by default as well. I can't remember if anything previous did, but that was my first encounter with this. I would love to buy a bag of whatever those in charge of making this idea a reality, but this is not a small thing. You need to consider the hundreds of thousands (if not into the millions) that are running software that was created 2 or 3 years ago up to now (and the future holds suit as well).
Can someone please remind me why I have to keep using M$ garbage? OOo is a great package. There are MUCH better webservers out there, and there are MUCH BETTER SQL Servers out there.
I just don't get it...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
is to put SQL Server on a port other than 1433. Of course for an existing installation, this could be a major change. But if you're setting up a new SQL Server, use another port. This is assuming you are using SQL Server and not another superior database product (like Oracle).
Believe in things of which no person has ever learned
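One caveat on moving SQL Server off port 1433: it does not hide the instance from anyone who asks. SQL Server 2000 answers the SQL Server Resolution Protocol on UDP 1434 (later versions do the same through the SQL Browser service) and replies with the name, version and TCP port of every instance on the box, which is exactly how clients find a non-default port in the first place. A scanner that probes UDP 1434 before TCP 1433 is not slowed down at all, so filter UDP 1434 along with the engine port. The script below is an added example, not from the post above: a parser for the SSRP response format and a query function that sends the request byte. SAMPLE_RESPONSE is constructed in the protocol's shape (two instances on a host called DBSRV); the live query is included but not exercised.

```python
# Added example, not from the post above. Moving SQL Server off TCP 1433 does
# not hide it: SQL Server 2000 answers the SQL Server Resolution Protocol (SSRP)
# on UDP 1434 (later versions via the SQL Browser service) and reports the TCP
# port of every instance. Filter UDP 1434 along with the engine port.
# SAMPLE_RESPONSE is constructed in the protocol's shape; query_instances() does
# a real query and is not run here.
import socket

CLNT_UCAST_EX = b"\x02"   # request: describe every instance on this host
SVR_RESP = 0x05           # first byte of a server response
SSRP_PORT = 1434


def parse_ssrp_response(datagram):
    """Return one dict per instance from an SSRP server response. The body is
    ASCII "key;value;key;value...;;" records, one record per instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", "replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:          # trailing empty record after the last ";;"
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def instance_ports(instances):
    """Map instance name -> TCP port for instances that advertise one."""
    return {inst["InstanceName"]: int(inst["tcp"])
            for inst in instances if "InstanceName" in inst and "tcp" in inst}


def query_instances(host, timeout=2.0):
    """Ask `host` over UDP 1434 for its instances (network call; not exercised)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed response: a default instance on 1433 and a named instance that
# someone moved to 2433. Both ports are handed to anyone who sends one byte.
_BODY = (b"ServerName;DBSRV;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
         b"tcp;1433;np;\\\\DBSRV\\pipe\\sql\\query;;"
         b"ServerName;DBSRV;InstanceName;PAYROLL;IsClustered;No;Version;8.00.194;"
         b"tcp;2433;np;\\\\DBSRV\\pipe\\MSSQL$PAYROLL\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_BODY).to_bytes(2, "little") + _BODY

if __name__ == "__main__":
    print(instance_ports(parse_ssrp_response(SAMPLE_RESPONSE)))
```

Running query_instances("dbserver") against your own hosts from outside the firewall is a quick way to find out whether UDP 1434 is actually filtered; if you get a list back, the port change bought nothing.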
You know what? Your post was brilliant and absolutely correct every step of that way, until you threw in that conclusion. Geez. What a way to ruin a great post.
"Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how."
That's just silly.
The number of businesses that rely on the internet to survive, dollar-wise, now far outweigh the number of businesses who are as fed up as you claim. What will happen is that people will make more solid state type servers. Email servers in firmware style setups will be common. Look at Network Attached Storage. What else is that, except a firmwared File Server? Same thing with JetDirect Print Hubs. Beats having to actually run a print server.
THAT is how the industry will respond to the problem you so nicely described.