New "SQLsnake" Microsoft Worm

sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords. Here is the (vague) Microsoft bulliten, the SANS analysis, and a securityfocus article" Already over a thousand compromised system- you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.

Databases shouldn't be outside the firewall

[sheldon]

Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.

First of all, a DB should never be outside a firewall. It's not necessary.

Second of all, this issue is aided by databases installed with blank admin passwords.

I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...

Re:Another round of M$ bashing

[wizkid]

This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.

Microsoft is semi-innocent on this one.

NOTE: They make their products so even a stupid administrator can install it, and this worm is proof of that!

Reflection on Priorities

[chill]

Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.

Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.

Then, when the LAN wasn't hooked to the Internet, and some poor schmuck install MS BackOffice and wanted to instal SMS Server, it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.

Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!

Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.

I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.

Re:Thousand compromised?

[sphealey]

Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)

This is a typical Slashdot response, but I don't think most businesspeople would agree. Without in any way excusing Microsoft for their security practices, it may occur to you that 90% or more of businesses exist to do something other than IT functions. They need transportation, they go out and buy a truck. They need a machine tool, they go out and buy one. They need a copy machine, they have one installed. Although some of these tools can certainly be dangerous, there is a basic expectation that when buying, say, a machine tool (a) it will more or less do what it says it will do (b) it won't suddenly explode and destroy an entire city block.

Along comes e-mail, the Internet, databases, web sites, etc. Joe Enthusiastic runs into the President's office and says, "Mr. Smith! I have found a great new way to communicate with our customers!". Mr. Smith, though he is 90 years old, takes a look and says, "Yeah, that looks interesting. Buy one and set it up".

So the company buys one (database server, e-mail server, web site, etc.) and sets it up according the skimpy directions in the box. It works for a while, then blows up, seriously damaging the business.

NOW the company is told, oh, you should have known. You should have known the instructions in the box were incomplete and dangerous. You should have known you needed an 80k/year DBA to use that. You should have known the product was dangerous. You should have known...

Sorry. I am not buying it anymore. And I think the general business world isn't going to buy it much longer. Either the Internet will be abandoned, or there will be heavy, heavy government regulation of who can connect and how. Sort of like the phone company in the 1950's.

My 0.02 anyway.

sPh

Re:Thousand compromised?

[RocketScientist]

If they need to haul stuff, they buy a truck. If they want to stay in business, they don't leave the keys in it and the windows down while it's parked somewhere in public.

If they need to make copies, they buy a copy machine. If they need machine tools, they buy them. They also tend to keep these things in locked rooms so joe public can't walk in and trash them.

If they buy computer systems, they leave the passwords blank and expect people to not use them. That's not bad programming, it's stupid users.