New "SQLsnake" Microsoft Worm

sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords. Here is the (vague) Microsoft bulliten, the SANS analysis, and a securityfocus article" Already over a thousand compromised system- you're apparently only vulnerable if you run MS SQL, but the worm is causing a substantial spike in traffic to port 1433 on the net.

Default passwords and servers exposed

[rabtech]

First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.

Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.

Don't complain that you got rooted when your login is root/root.