New "SQLsnake" Microsoft Worm
sevenn writes "A new worm, targeting the Microsoft SQL daemon, has been sweeping the net. It uses massive scanning, default passwords, exploits against vulnerable versions and even attempts to brute force passwords.
Here is the (vague) Microsoft bulletin,
the SANS analysis,
and a securityfocus article"
Already over a thousand compromised systems - you're apparently only vulnerable
if you run MS SQL, but the worm is causing a substantial spike in traffic to
port 1433 on the net.
McAfee's description. The AV vendors are calling it Spida, instead of snake.
Who needs MS SQL Server? Are you telling me that thousands of companies with a load of data are installing SQL Server without having a database admin to do the work? Sweet, they deserve what they get. What kind of people install SQL Server without putting a password for the SA account? Apparently, plenty :)
Long live human stupidity.
Symantec has produced a more informative bulletin; however, they have entitled the worm "Digispid" as opposed to SQLsnake.
Do you like German cars?
Perhaps there just isn't good documentation on this, but this issue wouldn't be a problem if the SQL Server databases were properly installed and maintained.
First of all, a DB should never be outside a firewall. It's not necessary.
Second of all, this issue is aided by databases installed with blank admin passwords.
I don't know how you solve this. You can't prevent people from installing software. I guess Microsoft's new MBSA will point out the blank password issue and any patches missing, but...
I'm sorry.. but according to the topic post it said:
and even attempts to brute force passwords.
So either you're telling me, the writer lied... OR... it doesn't just attack blank passwords... so which is it?
www.slightlycrewed.com - Because aren't we all?
According to Sophos (www.sophos.com) there are two versions out.
The first one just attempts the 'default' null passwd and 'sa' username (the administrator).
The second tries a brute force attack on the passwd.
So no change from trying to telnet into a *nix box as root then....
I've gotten over 80k probes in two days at work and several hundred on my single IP address at home.
I kind of gave up and just ACL'd it on the border router since the volume makes it almost a DoS of my intrusion detection.
From the article.. "Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users."
But what they didn't address is why would you even expose the SQLServer to the internet to begin with? A SQL server user can do a lot of damage with the sa account. Might as well give them a CMD prompt. There's really no need to have that port open to the outside at all.
I wonder how many internet servers answer port 1521 to SYS/CHANGE_ON_INSTALL. Could PL/SQLsnake be next?
'Same speed C but faster'
<sarcasm>
Holy shit! A flaw in Microsoft software? How did this happen??? Aren't Microsoft systems the most secure systems available???
</sarcasm>
GOD DAMNIT, MODERATE ME!
This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.
Microsoft is semi-innocent on this one.
NOTE: They make their products so even a stupid administrator can install it, and this worm is proof of that!
I take no responsibility for what I say. Even though I'm never wrong
I'm waiting for the day when people stop saying "We got another worm." and start saying "We just got Microsofted again".
Outdoor digital photography, mostly in New Engl
I'm glad to know why the log full of probes on 1433. I had found it was SQL, but i didn't know it was a new worm.
Can't we track down these jerks privately, and give them blanket parties, ala Full Metal Jacket? They won't find any vulnerabilities in my systems, but the extra traffic on my network and cost in disk usage from the logs is as bad as spam.
IANAS (I Am Not A Sadist), but I think I would experience actual pleasure in witnessing spammers and virus/worm writers suffering severe physical pain. I don't mean polite schadenfreude, but sick, sadistic glee. I'm just sick of their puerile crap.
Many exploitable holes such as these can be attributed in part to the management mentality that one or two over-worked, under trained "computer people" can handle professional system/network administration.
Frequently SysAdmins started their jobs in another field, like Engineering, and were sort of migrated over. Little formal training was given, let alone budget for. Most smaller (sub-Fortune 500) operations were more of a congealed mass than a designed network.
Then, when the LAN wasn't hooked to the Internet, and some poor schmuck installed MS BackOffice and wanted to install SMS Server, it told him he had to install SQL Server. A couple of quick clicks and you're done. Odds are, he clicked thru the admin password not thinking he'd EVER touch MS SQL other than as a backend for SMS.
Pity the new admin who inherits such a setup. You think a new admin is given time to actually check a network configuration out, much less do a proper security, performance, license audit? Nope. Get in and tell me why Outlook is saying my deleted folder is empty. I haven't emptied it since 1998 and everything was always there before when I needed it!
Stupid worms/viruses/exploits will prevail until the MENTALITY of management changes. Computers run most modern business, they are not an afterthought. The people that take care of them should be properly trained, with proper budgets. Periodic PM (preventative maintenance) needs to be allowed, scheduled and performed.
I feel pity for the admins who have to deal with these worms. I feel nothing but contempt for the management process that let them get in this position.
Learning HOW to think is more important than learning WHAT to think.
First of all, if you attempt to set a blank admin password for SQL Server it gives you a warning that doing so is a very bad idea. None the less, you'd be surprised at how many are blank (or just use sa/sa). The article makes it sound like the default sa password is blank - this is NOT the case. Also, although you cannot disable the sa account, you can rename it during setup.
Secondly, as has already been pointed out here, your database server should not be exposed to the net in general. There is usually very little reason to do so. If you need to let other machines access the SQL box from abroad, create an IP Security filter that only allows port 1433 for a specific subnet or ip address.
Don't complain that you got rooted when your login is root/root.
Natural != (nontoxic || beneficial)
What was ASP is now Perl.(look at the link before you click, then look at the address bar after you arrive). What was SQL Server is now MySQL. And what was IIS is now Apache.
I'm sleeping much better these days now that I don't have to scramble every week there is another hideous security flaw announced. Not to mention they(MS) recently stated if they opened their source, even worse flaws would be revealed.
As the new Rush song(Secret Touch) says, "The way out is the way in".
No, Thursday's out. How about never - is never good for you?
A few things;
Fellow /.'s, I have to put forth the real issue here which is bad sysadmin. True, m$'s strategy is 'fast, easy, fun', and while it is probably better practice to lock everything down on install vs. not, it's not a m$ problem so much as it is an admin problem.
One, ok, so, another m$ "exploit". Why does it always have to have this "see, we told you" attitude? After a while, you get tired of finger pointing. Especially when it's all action and little thought. Think? Nah, I'll just complain first and then eat my foot later.
Two, any IDIOT that puts their SQL server on a public network deserves to get it cracked. This would be the same for any db on a public network. I mean, c'mon, a null sa password?! If someone told you to jump off a cliff, would you? Common sense yo! Jeeze..
I've worked for companies which take the easy road (hire dumb people to do smart things) and the hard road (smart peeps, smart things) and that's what this is all about. Not m$ as much as the companies that are cost cutting everywhere (except when it comes to executive perks), especially IT.
It is true that m$ does have a lot of security through obscurity issues, but it would be time well spent jumping on the cracked systems than m$. Because, honestly, they don't care. These systems can be made as secure/insecure as the sysadmin wants, so it's really their fault.
I've been noticing a more-than-usual amount of probes to port 1433 on my firewall during the past couple of days, although it seems to have really spiked up since last night. DShield seems to prove this, as their "movie" demonstrates.
In Soviet Russia, Jesus asks: "What Would You Do?"
Some of the DBA's I have worked with love a blank SA password. They also love to write scripts that attach with SA and a blank password. I hope this will teach them to stop being stupid...
I guess they can use next.
What OS do you want to abuse today?
A massive "unlocked door" worm has been ravaging users of Schlage locks. Apparently hackers have been breaking into houses with Schlage locks installed. 9 out of 10 users were found to have installed the locks but never engaged the locking mechanism, and many times had left the key in the knob.
sPh
To quote security focus article:
'According to SANS incident handler Johannes Ullrich, a preliminary analysis shows the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.'
So it infects even systems that do not have a blank sa password; it only infects those systems instantly.
In dream society, people could be given the ability to mod replies. In real life, it would be disaster.
The bulletin MS02-020 was just released about a month ago. Only the admins that place a top priority on patches (such as myself) are safe.
I supported NT server for MS for over a year and can attest to the number of admins out there that rely too heavily on anti-virus software. When nimda spread and took over a buttload of systems, it was for this very reason. The thing spread before it could be researched and DAT files updated.
Here's some solid advice for NT/2000/XP/.NET admins:
Use the hfnetchk tool to monitor all NT based computers on your network for installed patches using the syntax hfnetchk -h host1,host2,host3 -v -z -s 1. It will also check for SQL, I.E., and IIS patches. Other products such as Office will have to be checked manually. At least Office has the officeupdate web site for easy installation that the users can do. Block email attachments with extensions that viruses use. Have anti-virus software installed that checks every 2 or 3 hours for updates. Have a properly configured firewall (blocks well known attacks) in place that only allows incoming session requests for what services are to be made available to the Internet. Lock down any services that are open to the Internet. Have strong passwords for all admin accounts (at least 10 random characters) and create a new one for each admin account once every few months. Same thing goes for any account that can authenticate in any way from the Internet (8 characters and changing every 6 months or so should be okay). If domain authentication is going to be provided to the Internet for some stupid reason, hack the registry so only NTLM v2 is used. Configure all Windows computers to use the Peer-Peer node type 0x2. Use switches instead of hubs to prevent eavesdropping and assign MAC addresses to ports for your servers to avoid MAC address spoofing. Most of these things are a one time setup. The ones that require maintenance are worth the trouble.
I've got the bandwidth. If we all set up something like this, maybe it'd hurt a little bit, and compromised systems will be slowed more, and maybe be noticed.
/etc/services:1433 1433/tcp wormstomper #crapflood
/etc/inetd.conf:wormstomper stream tcp nowait dd if=/dev/katz wormstomper
If your accounting software uses MSSQL as a backend and was installed by accounting consultants, you probably need to pay special attention to this alert. Odds are, they didn't set an sa password when it was installed either -- mine wasn't.
"Lawyers are for sucks."
- Doug McKenzie
Spreading implies that it's continuing to infect more hosts. If it has already infected all infectable hosts, then it's not able to infect more hosts. If we assume that the random number generator it's using is at least decent, then the number of probes on port 1433 point toward the worm having hit all IP addresses several times (excluding the few addresses that the worm doesn't target -- it skips over 192.0.0.0/8, for example, despite there being a number of legitimate IP addresses in the range).
So with very, very few exceptions, I suspect that most people are either already infected or completely immune, at least as far as the null password worm goes. The brute force cracking worm might be able to spread more, given that it has to employ quite a bit more effort to get into a host.
The Microsoft Data Engine (MSDE) that comes with the .NET SDK is just a stripped down version of SQL server. Unfortunately enough, it's got enough "features" to make it vulnerable to attack. Sure I'm just stating the obvious, but I've already talked to 3 boneheaded .NET developers that insist that they're not running SQL Server. Imagine what I found on port 1433...
One of the nice things I've noticed about MySQL (having used MSSQL as well) is that I can have MySQL prevent people from connecting based on IP addresses, even if they have the proper username/password credentials. I could never find a way to do this in MSSQL - is there a way of doing this? Yes, it's not perfect, but it's definitely a nice extra that MySQL offers which I've not seen in MSSQL. Again, if it can be done, someone let me know.
Also, why does the SQL Server run at all without a password? IIRC in the latest versions the installation prompts you for an 'sa' password to set, but earlier ones didn't do that. Why not just disable the program - when running it having a popup say 'hey - I won't run unless you set a password!' and be done with these types of 'holes' (yes, it's really just lazy admins, but the computer should be doing more thinking for me at this level - perhaps Clippit could bounce up and demand a password be set?)
creation science book
This one isn't $M bashing! It's STUPID SYSTEM ADMINISTRATOR/STUPID DBA bashing.
And who marketed their systems on the basis of not needing well trained administrators? That's right Microsoft...
NOTE: They make their products so even a stupid administrator can install it, and this worm is proof of that!
That's half the problem, they make systems the stupid think they can administer. Making something easy to install has very little to do with if it is easy to administer.
I see this a lot talking to clients - they're convinced they can treat information processing just like they treat other commodity services/items (photocopiers, etc). When talking to clients, many of them have a 'DIY' approach to save money - outside consultants or expensive employees are often viewed as unnecessary. Perhaps one day they will be, but for now, it's a requirement to have someone who knows what they're doing operate these things (in this case, databases). Probably half the time I know people are thinking we're trying to pull one over on them, thinking they don't need someone who knows what they're doing ("Hey, my cousin's business set up a webserver in 10 minutes and they don't even use computers! It can't be that hard!") Sometimes they're right, but at this stage of development, it's still a gamble they *shouldn't* take.
creation science book
> Already over a thousand compromised system
Grepping my firewall logs for hits to port 1433, I find 1078 hits since midnight, from 39 unique IP addresses.
The majority appear to be dynamic residential addresses -- attbi.com, swbell.net, pacbell.net. Only a few resolve to static addresses. Here's one of the sites that probed me:
http://210.90.207.4/admin.inc
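The two things this thread does by hand, grepping a firewall log for port-1433 hits and counting unique sources, and the earlier argument that a uniformly random scanner which has already hit every address several times has effectively covered the whole space, can be shown together in one script. This is an added example, not code from the thread or from any of the linked advisories; it assumes iptables-style syslog lines (SRC=, PROTO=, DPT= fields) and the log lines in it are constructed with documentation addresses, not real captures.

```python
"""Count port-1433 probes in firewall logs and estimate scan coverage.

Added example, not part of the original thread. Assumes iptables LOG
format lines; SAMPLE_LOG below is constructed sample data.
"""
import math
import re
from collections import Counter

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
May 21 00:01:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3112 DPT=1433 SYN
May 21 00:01:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3113 DPT=1433 SYN
May 21 00:02:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=4410 DPT=1433 SYN
May 21 00:03:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=4411 DPT=80 SYN
May 21 00:05:55 fw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=UDP SPT=1434 DPT=1434
May 21 00:07:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 PROTO=TCP SPT=1025 DPT=1433 SYN
"""

# Pull the source address, protocol and destination port out of a LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")


def probes_to_port(log_text, port=1433, proto="TCP"):
    """Return (total_hits, Counter of source IP -> hits) for one port/protocol."""
    sources = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall LOG line
        if m.group("proto") == proto and int(m.group("dport")) == port:
            sources[m.group("src")] += 1
    return sum(sources.values()), sources


def summarize(log_text, port=1433):
    """The grep-and-count from the thread: hits, unique sources, noisiest sources."""
    total, sources = probes_to_port(log_text, port)
    return {
        "hits": total,
        "unique_sources": len(sources),
        "top_sources": sources.most_common(3),
    }


def unprobed_fraction(mean_hits_per_address):
    """Poisson estimate: if a uniformly random scanner has hit each address k
    times on average, the fraction of addresses never probed is about e^-k.
    A single IP seeing a few hundred probes therefore implies near-total coverage."""
    return math.exp(-mean_hits_per_address)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(f"unprobed fraction at 300 hits/address: {unprobed_fraction(300):.3g}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the regex only needs the SRC/PROTO/DPT fields, so other iptables fields can appear in any order between them.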
LMAO!
If the administrator installed MSSQL and chose integrated security mode, that machine is not vulnerable, however, if the administrator chose mixed mode and did not set a password for the username "sa" then that machine is vulnerable.
I've not seen that particular bit of advice on any of the pages, though.
DanH
Cav Pilot's Reference Page
UNIX - Not just for Vestal Virgins anymore
yuk yuk yuk etc
By the time you finish reading this sentence will end.
The thing that strikes me about a lot of things like this is that they are immediately exploited by the anti-virus software writers, but not by the big Unix/Linux vendors.
If I was in IBM I would have a budget set aside to ramp up a scary campaign about this and every other big worm/exploit - I'd be buying the spots right now to go on the offensive.
Gentlemen, your opponent is drowning, so throw the son of a bitch an anvil.
Ok, first of all you clearly haven't worked for any business, small, medium or large. If you have, then it won't be in business very long.
Second, companies *should be* and *are* responsible for security on their computer systems. By your logic, you would also claim that a company shouldn't have to buy locks, cameras or security personal for their buildings, because how would they have known that people exist that can break into a building. Your reasoning is flawed and feeble.
A business is an educated entity. And for your information, the business world, from small to multinational, is going to continue to use the internet in more and more ways for their business. You may not buy it, but that's your mistake.
Moderation: Put your hand inside the puppet head!
Not only that, but you normally need a Commercial Driver's License to sit behind one of those.
We're all saying that qualified sysadmins are necessary, but do we really want to go to *licensed* sysadmins? I have this ugly feeling that at some point, it may well take a license to make that final connection to the Internet. At that point, your ISP will be the licensed party, and you will have to use provided software on an acceptable platform. How many ISPs will allow you to connect on your own authority, assuming that you are licensed, is the next question.
The living have better things to do than to continue hating the dead.
How pedestrian can we get here?
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
No kidding. Management are so busy shorting the company's stock or faking business to pump it up in an effort to get more money, coke and whores that they don't even understand that just because the servers don't crash 10 times a day they're not shorting their technology infrastructure.
here's a topic for further discussion....
Now that the cat is out of the bag that MSSQL is "in play" as a target, I wonder if sealing 1433 and the sa password are enough to head off future attacks.
The linked articles explain how the worm replicates by essentially logging on as an SQL client and storing a copy of itself in the database. Ingenious, but relatively easy to defend. However, couldn't future versions infect any-old-user's PC using standard email/windows virus techniques and then look for an ODBC connection which would hopefully, by now, be configured with a no-longer-blank sa password to seed a new infection? It might even hit more systems because it gets you inside the firewall that closed off 1433?
In other words, is all the /. schadenfreude about dumb-ass sysadmins not setting the 'sa' password eventually going to be for naught? The problem is still MS's poorly thought-out standard of mixing code with data...
"Lawyers are for sucks."
- Doug McKenzie
free alternatives
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Two different looks, two different payloads. One queries then tries the blank PW before brute-forcing, the other fires and forgets.
Easy does it!
Such companies do exist - we use www.messagelabs.com and point our domain's MX records to it and relay it out to them. This gives us virus filtering in both incoming and outgoing mail. When a virus is caught, the postmaster (or whoever we specify) is sent an email explaining what happened.
It works very well and adds an extra level of security.
Burn me once, shame on you. Burn me twice, shame on me. How many times are people going to let themselves be burnt by Microsoft's intentionally easy to break and push onto software?
All the trolls keep saying, "Linux is not ready for the desktop." Hmphf! I'm so sick of that bull. M$ is not ready for anything. If it really were easier to get work done on M$ desktops and they could be protected, management might be justified in continuing to order new M$ junk. But it's not.
Debian kicks M$'s butt, and Red Hat has all the bells and whistles any corporate user could want. At work, I've got one virtual desktop with tiny pictures on a single bar at the bottom of my screen. There's no way to segregate projects, so I have to cycle the little buttons and place keeping fails. A "power user" in the next cube has two freaking monitors eating his desktop, how stupid! The environment lacks useful scripting, and it's impossible to run processes on other M$ machines without getting out of your seat. Walk, click, click, click, where's the automation? Every two years the file formats change enough to make everyone "upgrade". The GUI's constant flux requires constant relearning, and seems to make less sense with every new improvement. Stability is a joke, as is speed. My first 486 gave comparable performance and speed back in 1993. It just burns me up. When I go home I sit at a single chair and look into a single good monitor and can control and run processes on any number of computers I can set up behind my firewall. At home, I move plenty of big pictures and files, no problems. Things at home HAVE gotten faster with new hardware. Why do people at management level put up with this expensive, invasive, rights denying, won't even work well with itself junk?
Someone somewhere is going to get the desk top switchover started and M$ is going to vanish. Poof, back into the cloud of hot air they started with.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Maybe you don't really want to post a huge comment that will require readers to click through anyway (it's too big to display at once).
How about posting a link to the ISS Alert instead? Is that so hard?
I didn't need all that karma anyway.
BRENT ROCKWOOD, EST'd 1975
I don't want to beat on MCSEs any more than they already get it, but MS has cultivated a large number of semi-competent admins for their systems. Therefore, when patches come up, there are a large number of people who DON'T apply the patch and may not even know they are running the service!
C'mon, Code Red is still out there! Not to say that all MCSEs are incompetent, but let's compare it to Java certification. (since I'm a Java dork)
When someone tells me they are Java certified, my eyes glaze over. It means very little (to me) and I still want to delve into their tech knowledge. But it seems like MCSE opens the door to a greater degree, and it shouldn't.
Computer Science is Applied Philosophy
Typical. You are telling me that anyone who gets burnt by M$ junk is a moron? That makes a whole lot of morons out there. Shame on you for blaming the user again. Thank you, AC and Sheldon for doing it so nastily with words like "incompetent", "stupid". We know what you M$ fan boys really think of people who don't waste all day restarting, patching, and running in circles for Bill Gates.
To think that the parent post was marked as flamebait.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
is to put SQL Server on a port other than 1433. Of course for an existing installation, this could be a major change. But if you're setting up a new SQL Server, use another port. This is assuming you are using SQL Server and not another superior database product (like Oracle).
Believe in things of which no person has ever learned
Well, I'll just wait here for that...
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
In Norton AV Corp, you set up one machine on the network as a server, let that one grab the updates, then distribute it to the clients. Best thing is, Corp doesn't need to reboot when it gets updates.
Great for low-bandwidth sites.
Does Windows have Daemons? I thought they were immortal entities. How could an immortal entity live in a Universe that comes to an end every few weeks at best?
Maybe (relatively) long-running processes on Windows should be called Aengels.
(Yes, I know Microsoft uses the beige Microsoftian term "services".)
Most tools/software on the server itself connect via named pipes local on the system anyway. So these tools will not have a lot of problems. Most SQL Servers exposed on the internet are installed on systems which also run IIS, thus 1 server for the complete stack of servers for a web application. Having this port open is not needed.
Start the server network utility and change the port on the TCP/IP protocol. Click OK and restart the MSSQLSERVER service.
btw, Oracle is superior in which way? Oracle also has a 'default' password: empty or a default well known password.. it doesn't matter. People simply should understand what they put online.
When I start a little tool on my online SQLServer machine I get 4 servers listed which run on the same network segment as my server (in the co-located rack at my ISP). a) these servers are running the server service, which shouldn't be running, b) these servers have port 1433 open and c) have set their server to not hide it for the outside world.
Pretty basic stuff that should be switched off, but isn't because the admins probably don't know that it's necessary to switch it off or even how to do that.
Again, an admin flaw, not a software flaw.
Never underestimate the relief of true separation of Religion and State.
The recommended way has always been: trusted connections, at least since 7.0 (which is pretty old by now). The 6.5 legacy from Sybase had a different policy due to the lack of good integration with NT security.
So the SA account is never needed: connect using trusted connections.
Examples most of the time mention 'sa' with no password, but those are examples; what other way should they then mention a connection string?
Never underestimate the relief of true separation of Religion and State.
I've just mailed this to a couple of security lists I take part in. Posting here seems like a good idea (although now, of course, I am outed as a SQL Server user)
Please feel free to forward these recommendations to any other lists as you see fit. However, as with all system changes, things can go wrong. Make sure you have backups. I take no responsibility if your SQL server dies. Or if the sun fails to come up :)
use master
-- Drop the extended procedures the worm relies on to run commands on the host
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
-- The same goes for the registry extended procedures
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regremovemultistring'
-- List every login that still has no password set
select name, password
from syslogins
where password is null
order by name
Finally, MS have released a bulletin
I've been messing with MySQL and PostgreSQL a bit recently, and I have some experience with MS SQL as well.
This bug is obviously MS's fault, the default install of MS SQL allows connections from anywhere, what is that? I don't even think there is a per IP or IP range block you can put specifically on MS SQL.
In contrast MySQL and PostgreSQL both default install with only local host allowed to connect to the DB. And, the admin has to specifically *ALLOW* hosts or IP ranges to connect.
Obviously, a brute force attack on a specific TCP port number will not work against MySQL or PostgreSQL, as the connection will be refused outright, unless the worm can also spoof IPs.
Dumb defaults MS, once again.
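What the comment above describes for MySQL and PostgreSQL, and what an earlier poster suggested doing for SQL Server with an IP Security filter that only admits port 1433 from a specific subnet, is the same control: a source-address allow-list that refuses the connection before any password is examined. The following is an added example modelling that policy, not code from the thread or from any of these database products; the networks, ports and connection attempts in it are constructed, and the subnet and workstation addresses are hypothetical.

```python
"""Source-address allow-list for a database listener.

Added example, not the thread's own code. Models an IPSec-filter or
pg_hba/MySQL-host style policy: default deny, explicit (network, port)
grants. All addresses below are constructed documentation/private ranges.
"""
import ipaddress

# Constructed policy: (network, port) pairs that may connect; anything else is refused.
# Loopback is granted so tools running on the database host itself keep working.
POLICY = [
    ("127.0.0.0/8", 1433),
    ("10.20.30.0/24", 1433),   # hypothetical application-server subnet
    ("192.0.2.10/32", 1433),   # hypothetical DBA workstation
]


def compile_policy(rules):
    """Parse the textual rules once into ip_network objects."""
    return [(ipaddress.ip_network(net), port) for net, port in rules]


def is_allowed(src, dport, compiled):
    """True only if src falls inside a granted network for exactly that port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net and dport == port for net, port in compiled)


def filter_attempts(attempts, rules=POLICY):
    """Classify (src, dport) connection attempts as accepted or refused.

    The decision uses the address alone, so for refused sources a blank or
    guessed 'sa' password is never even tested, which is why a worm that only
    knows port 1433 gets nowhere against a host-filtered listener.
    """
    compiled = compile_policy(rules)
    return [
        (src, dport, "accept" if is_allowed(src, dport, compiled) else "refuse")
        for src, dport in attempts
    ]


# Constructed sample attempts: app server, DBA box, loopback, an Internet
# source of the kind seen in the firewall logs, and a wrong port from inside.
SAMPLE_ATTEMPTS = [
    ("10.20.30.15", 1433),
    ("192.0.2.10", 1433),
    ("127.0.0.1", 1433),
    ("198.51.100.7", 1433),
    ("10.20.30.15", 1434),
]

if __name__ == "__main__":
    for src, port, verdict in filter_attempts(SAMPLE_ATTEMPTS):
        print(f"{src:>15} -> {port}: {verdict}")
```

The point of separating compile_policy from is_allowed is the same as in a real packet filter or host table: the rule set is parsed once at startup, and each connection attempt is then a cheap membership test with no network access and no credential handling.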
And get someone with a license to drive it and they perform regular maintenance on it.
And they get someone with the skills to use it.
You are a complete and utter numpty. Do people actually pay you money to provide services?
Government of the people, by corporate executives, for corporate profits.
A client recently had their Win consultant in to install new hardware for the mail server. Took the first one down, and the mail spooled as designed on the backup mx I run on Linux for 'em. Consultant did the Win software install and suddenly the new machine took all the mail spooled for it and rejected it as having "no such user." With Win, to install the software is to turn it on. Never mind that it should be configured before going live. Not like *nix, where if I install sendmail it isn't running until I explicitly run it.
MS should be sure that installing software does not ever, in itself, enable it, when that software is any sort of daemon. Ought to be illegal.
"with their freedom lost all virtue lose" - Milton
A year and a half from awareness to patch on one of those vulnerabilities. At least. What can a sysadmin do when faced with that?
Why, switch to PostgreSQL, of course! Faster, more secure, source available for verification or modification, closer to SQL-92 and subsequent standards, portable. What more could you want?
Oh, yes: it's free as well as Free.
Got time? Spend some of it coding or testing
Digispid.ide
8.3 letters
They store their IDEs on MS-DOS?
Got time? Spend some of it coding or testing
D'oh... I've been using port 1433 for some time now for SSH tunneling as it is the lowest numbered port above 1023 that is allowed through the corp firewall... I guess it's not going to be a security problem, but I'm changing it just to avoid excess traffic, and to stay even more invisible.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
One big change between SQL 7 and 2000 is that it's harder to leave the sa password blank. It's still possible, but at least you've been told. Not quite a "HEY STUPID" message, but it's pretty close.
I'm normally pretty MS Hostile, but even I don't really blame MS for this one. This is a PEBKAC. Problem Exists Between Keyboard and Chair.
"Live Free or Die." Don't like it? Then keep out of the USA