Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."

29 of 906 comments

  1. Whoever puts their database server by cscx · · Score: 5, Insightful

    Outside a firewall for no apparent reason is a tool. That being said, we live in a world of idiots. Why?

    NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
    they have produced a patch that resolves these issues.


    This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?

  2. Whoever... by wulffi · · Score: 5, Insightful

    Whoever puts a database outside a firewall? And then leaves its external port open???

    Sysadmins like that should be dragged into the street and shot.

    1. Re:Whoever... by radish · · Score: 4, Insightful

      I have three letters for you:

      V P N

      There is NO excuse for leaving BACKEND services like DBs, appservers, or whatever else visible on the public net. NONE WHATSOEVER. I work on a major website with multiple different data servers and backend applications, all distributed (and load balanced) over 4 physical sites on 2 continents. We use private circuits to handle the inter-site traffic, you could use VPN just as well. But everything vulnerable is buried from the internet behind several layers of firewall. Anything else is sheer lunacy.

      Crappy admins bring this kind of attack on themselves, and alas, on the rest of us too.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  3. Re:As I said in a previous post... by caluml · · Score: 5, Insightful

    Wouldn't it be nicer if the owners of these machines bothered patching the fucking things though?

    As far as I'm concerned, boxes SHOULD be able to stand on their own without firewalls. A firewall just adds another layer.

    Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.

  4. Re:As I said in a previous post... by Anonymous Coward · · Score: 5, Insightful

    Depends. If you're protecting your network, you are right: "allow required traffic, block everything else". If you're providing network services to others, they probably don't want to beg you every time they need to open a port. In that case it's "filter bad traffic, allow everything else".

  5. Re:As I said in a previous post... by tom.allender · · Score: 5, Insightful

    Consider a VPN dude.

  6. Open the gates... by Tyreth · · Score: 3, Insightful
    ...let the mandatory "this wouldn't happen if sysadmins upgraded" comments begin!

    Seriously though, you should have upgraded!

  7. Re:As I said in a previous post... by caluml · · Score: 5, Insightful

    Firewalls promote softer security.

    "Oh, it's OK because it's behind the firewall..."

    I think firewalls make people lazy. Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.

  8. Re:As I said in a previous post... by Fembot · · Score: 4, Insightful

    Actually I suspect most ISPs probably operate a policy of blocking only problem ports. Imagine how annoying it would be if your ISP/colo host blocked everything except http, telnet and smtp on the grounds that one day there might be a vulnerability in some of the other services that run on other ports... I suspect they wouldn't be my colo host for long at all.

  9. Re:Turn your SQL server off? by Zocalo · · Score: 4, Insightful
    What a pathetic overkill response.

    No, it's a very reasonable one. Yes, you still need to patch, use non-blank SA passwords and the other things you suggest, but if you have an SQL server (any SQL server) directly visible to the Internet then you are either a fscking moron or have a very abnormal circumstance. A database server is a backend server, and should be completely hidden from the Internet by not one but two layers of firewalls.

    Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):

    Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.

    Some of these networks can quite easily be different ports on the same physical firewall, but I'm limited by ASCII. Alternatively, if you have no backend servers, that segment can obviously be omitted altogether.

    Firewall rulesets can, and should, apply to outbound as well as inbound traffic, and allowing traffic to flow cleanly across multiple firewalls should be limited as much as possible. At a pinch, you could put your backend servers (if any) directly on the internal LAN, and get by with a single, three port firewall, but this should be the absolute minimum setup if you are hosting connections from the Internet. Sticking a two port firewall between your network and the Internet is simply not good enough anymore.

    With reasonable DMZ capable firewalls available for less than $500, either as a dedicated box, or an old PC running the open source apps of your choice, there is no fiscal reason for even the smallest of companies not to be secure. As ever, the real reason is lack of a clue when it comes to matters of security.

    --
    UNIX? They're not even circumcised! Savages!
  10. Re:As I said in a previous post... by sql*kitten · · Score: 4, Insightful

    No reason? Really? What about distributed servers talking to a central database? Desktop software that queries a remote database? Remote administration of a remote database?

    That's what VPNs are for, my friend.

  11. Re:wow yeah! by sporty · · Score: 4, Insightful

    Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!


    AND verisign will be down for certain hours while .org transitions to PIR/Afilias.
    --
    ping -f 255.255.255.255 # if only

  12. Re:wow yeah! by Gothmolly · · Score: 3, Insightful

    So you contributed 3 servers to the global pool of zombie boxen, by sheer laziness? Thanks. The patch has been out for 6 months. I think the proper term is "fucktard".

    --
    I want to delete my account but Slashdot doesn't allow it.
  13. Re:Turn your SQL server off? by bruthasj · · Score: 3, Insightful

    When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?

    Maybe because bind was built with the Internet in mind. Besides, who in their right mind (I know it's redundant), would expose a database server to the Internet, whether that be Oracle, MySQL, PostgreSQL, MSSQL or anything of this nature. It should be hidden completely behind an application layer, preferably behind a firewall.

    Remember to all: This isn't about bashing Micro$oft per se, but rather bashing sysadmins who expose a database out on the net.

  14. PostgreSQL keeps .org up /MS-SQL brings down net by HighOrbit · · Score: 3, Insightful

    What was that about mission critical applications?

  15. This will continue by NineNine · · Score: 4, Insightful

    Worms that do this sort of thing will continue ad infinitum. The reason is that there's no financial detriment to having one of your own boxes act as a zombie and send out tons and tons of packets. None whatsoever. There's no central accountability. That's the way the Net is set up. I don't see any way around it.

  16. Re:First hand report by essdodson · · Score: 3, Insightful

    No, once this blows over it's time to apply the fucking patch. It's been available for six months mind you.

    --
    scott
  17. While there are some dumb admins by RodeoBoy · · Score: 3, Insightful

    There are a lot of home users/businesses that have SQL server installed and no firewall set up. Just like Code Red this thing is infecting personal boxes, therefore adding to the high volumes we see. I have SQL on one of my machines at home, behind two linux based firewalls, and when I use any tool to connect to a database I am given all sorts of choices. Most of the IP addys I see belong to other cable users. I wonder how many have kept up on their patches? The problem is any fool without any training can install this stuff on their computers; I think home users are the main reason that simple worms like this are so successful.

  18. Re:As I said in a previous post... by DavidTC · · Score: 5, Insightful
    One of the best things you can do with a firewall is something it's hard to do with a desktop machine...LOG.

    This adds a third layer of security, in addition to the 'secure firewall' and the 'secure desktop'. If, god forbid, someone gets through your firewall, you'll at least know it.

    And I'm talking about logging outgoing traffic, also. After all, if your firewall is set up correctly you can't have any random incoming traffic...but you'll have lots of outgoing. They have NIDS to detect suspicious traffic, or you can just get a huge dump and start filtering out things you know are okay.

    And it's about the only way you'll ever catch that some idiot is running an ICQ from three years ago with a known buffer overflow or something stupid. Neither firewalls nor updated desktop machines can protect you from your own users, only log files of network traffic can do that.

    --
    If corporations are people, aren't stockholders guilty of slavery?
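The traffic pattern given in the submission (376-byte UDP datagrams to port 1434 arriving from random hosts at 10 a minute or more) and the point made in this comment about logging outgoing traffic, as an added detector run over constructed firewall log lines. This is example code written for this page, not code from the thread or any poster; the log line format is an assumption.

```python
"""Spot the worm traffic from the submission in firewall logs. Added example
for this page, not code from the thread or any poster; the log format and
sample lines are constructed, port 1434 and 376 bytes come from the submission."""
import re
from collections import Counter

# Constructed format: "<ISO time> <IN|OUT> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)
SLAMMER_PORT = 1434   # ms-sql-m, the SQL Server Resolution Service
SLAMMER_LEN = 376     # UDP payload size reported in the submission

# Constructed sample: a burst from random outside hosts, two non-matching
# packets, a junk line, and an inside host sending the pattern outbound.
SAMPLE_LOG = """\
2003-01-25T05:30:01 IN UDP 203.0.113.7:1300 -> 198.51.100.10:1434 len=376
2003-01-25T05:30:04 IN UDP 192.0.2.44:1027 -> 198.51.100.10:1434 len=376
2003-01-25T05:30:09 IN TCP 192.0.2.44:1028 -> 198.51.100.10:1433 len=60
2003-01-25T05:30:15 IN UDP 203.0.113.200:4000 -> 198.51.100.10:1434 len=40
2003-01-25T05:30:22 IN UDP 198.51.100.77:1434 -> 198.51.100.10:1434 len=376
this line is not a firewall record
2003-01-25T05:31:02 IN UDP 203.0.113.7:1300 -> 198.51.100.11:1434 len=376
2003-01-25T05:31:05 OUT UDP 10.0.0.5:1434 -> 203.0.113.91:1434 len=376
2003-01-25T05:31:06 OUT UDP 10.0.0.5:1434 -> 192.0.2.9:1434 len=376
"""

def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["len"] = int(rec["len"])
    return rec

def is_slammer_like(rec):
    # Match on size as well as port: legitimate SSRP lookups on 1434 are
    # tiny, so port alone would also flag ordinary client traffic.
    return rec["proto"] == "UDP" and rec["dport"] == SLAMMER_PORT and rec["len"] == SLAMMER_LEN

def analyse(lines, flood_threshold=10):
    """Summarise inbound pressure and, more importantly, outbound hits: an
    inside host *sending* this pattern is itself infected."""
    per_minute, sources, infected_inside, inbound_total = Counter(), set(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_slammer_like(rec):
            continue
        if rec["dir"] == "IN":
            inbound_total += 1
            sources.add(rec["src"])
            per_minute[rec["ts"][:16]] += 1   # bucket by YYYY-MM-DDTHH:MM
        else:
            infected_inside.add(rec["src"])
    peak = max(per_minute.values(), default=0)
    return {"inbound_total": inbound_total, "distinct_sources": len(sources),
            "peak_per_minute": peak, "flood": peak >= flood_threshold,
            "infected_inside": sorted(infected_inside)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

The outbound match is the one that matters for the host's own network: it names the inside machine to pull off the wire, while the inbound counts only tell you how hard the rest of the Internet is hitting you.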
  19. Will PostgreSQL make you smart by RodeoBoy · · Score: 3, Insightful

    I think not. There were three simple things that would have saved your ass: first apply the patch, second don't allow everyone in the world to connect to your database server, and last turn off the box if you don't know how to secure it. I also work for a company that uses SQL Server for the backend of our web apps, but I don't have any interesting stories for you. I think our admin was asleep in bed when this all went down, but that is because he did all the hard work ahead of time.

  20. Re:As I said in a previous post... by Tassach · · Score: 5, Insightful
    There's no good reason whatsoever for a database server to connect directly to the internet - it should only accept connections from trusted hosts. You never let an untrusted application talk directly to the database - if they need to query the database it should be proxied by a piece of middleware. Any DBA who says otherwise is an incompetent idiot.

    You put your webserver on a DMZ, and let it (and only it) talk to the database server through the firewall. Any 2-tier client-server app should be going through a VPN or other secure tunnel.

    The only way to do security is to have multiple layers, and to ruthlessly apply the principle of least privilege (you get only those permissions you ABSOLUTELY need and nothing more).

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  21. Re:Who did this I wonder????? by zogger · · Score: 5, Insightful

    --I thought this too, but I mean semi seriously. I stayed up real late watching it to make sure it wasn't a 'war' prelude. All the second world potential badguys have a cyber attack part of their asymmetrical warfare plans, that's just freely available data you can read about.

    My "oh crap, no internet" communications plans are a heap-o shortwaves and scanners. Better than nuthin. I know all the commercial am and fm and tv stations will all get taken over by the fema boxes, and start spewing dotgov propaganda (more so than normal), so I'd be more monitoring some more "unregulated" sources.

  22. Don't think MS is to blame? Read this: by Featureless · · Score: 4, Insightful
    OK, help me out here.
    1. The first and foremost way we should have stopped this worm was with firewall rules and the "Server Network Configuration." You don't want to be running anything like this open to the network. Fine.

      The bad assumption people are making here is that there's "no reason to break this rule." Well, unfortunately, this is just not so.

      In my case, a project involved upsizing a client's access database, and then transferring it from my dev machine to an ISP's SQL Server instance. The client has a dynamic IP address, and they would never even consider the cost of using a VPN. My SQL Server ports were open for only 3 weeks, during the transition period, and would have been shut down next week.

    2. Everyone is saying "it's your fault - you didn't install the patch."

      I kept up on service packs (I was up to SP2), and had installed every SQL Server security patch I could find. I had a non-guessable sa password. I got it anyway.

      So why is that? I'm not sure. But I have some observations about the manner in which you're supposed to keep SQL Server (and other MS applications for that matter) current which bear seriously on the issue:

      1. First, there's the "fine print" phenomenon on Microsoft patches. Aside from service packs, these are usually just utterly simplistic "unzip and spray files" installers, occasionally with a few scripts thrown in. Install them in the wrong order, or fail to obey some other 8pt type caveat (and there can be dozens) and you render yourself unprotected again, while maintaining the appearance of being protected. It's likely this is why I wasn't protected despite believing I was.

      2. Where is the complete list of all patches, with downloaded links? What part of Microsoft's site is it prominently displayed on? Where's the order they need to be installed in, with concise instructions?

        Anywhere? I can't find it today. Maybe it exists and I just didn't notice it. That would be atrocious site design. Or maybe a simple, centralized "MS SQL Server 2000 Security Page" with ordered patch list and instructions doesn't even exist. That's just atrocious.

        All I can find is top-level references to service packs and an unqualified link to an all-microsoft download search page. When you select SQL Server 2000 in it, you get everything, not in order, patches thrown together with samples, evaluation downloads, etc.

        And I'm supposed to check here... every week? Sounds sensible on the surface, but if they really wanted to prevent trouble:

      3. Two words: WINDOWS UPDATE! What the hell is wrong with these people that if they have a patch for SQL Server 2000, they can't just throw it into Windows Update? It does a little check - do you have SQLSvr installed? Yes? Do you have the patches installed?

        IT'S SO BLOODY SIMPLE. Yet they didn't bother.

        Compare this to redhat, where there's one tool, up2date, and it works for everything. And you are trivially notified by email when there's an update.

      4. I believe there's a tool that lets you examine your installation to see what service packs are installed and which aren't. I remember vividly running it last summer and discovering that I was up to date. Tellingly, I can't even find it in their site today.

      5. Yes, the service packs. I notice SQL Server 2000 SP3 protects you against this buffer overflow. I also notice this service pack came out last week.

        At any rate, we can at least tell people a convenient fix - go install SQL Server 2000 SP3.


    What's the bottom line? I had a reason to have the port open. And I had a not-for-nothing false sense of security that I was protected against this vulnerability. And most of all, if this was RedHat (for instance) I would never have had this problem - because I would have been notified the moment the patch was available, and would have installed it in a heartbeat, through their single, consistent, easy-to-use interface; and so would tens of thousands of others.
  23. Re:First hand report by Dynedain · · Score: 4, Insightful

    No, once this blows over it's time to apply the fucking patch. It's been available for six months mind you.

    The patch does not affect routers, stupid. Just because his routers are all lit up with massive amounts of traffic does not mean that his servers are unpatched!

    My link was down for 4 hours from the flooding with everything all lit up, and I'm not even running an SQL server.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  24. Re:Terrorism, must be by Nogami_Saeko · · Score: 5, Insightful

    Not to mention every starcraft and diablo player :P

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  25. We shouldn't blame MS... no wait, yes we should. by strAtEdgE · · Score: 5, Insightful

    My initial thought on this was that this isn't MS's fault and we shouldn't be bashing them for this worm; almost every os and daemon out there has had its holes and exploits and MS has already put out the fix so it's in the admins' hands now.

    But on second thought, when I look at the serious impact of the worms that have been created for MS products and their vulnerabilities the last few years, the obvious becomes apparent: admins of MS OS's and processes on them are a LOT slower to patch than any of their counterparts (read: stupider). And the thing is, MS knows this, they specifically market to the stupid/lazy admins. They're the "easy" OS, they sell their products by telling people that you just install them and never worry about them again. I've taken too many MS courses (I am an MSCE and MSCDBA if they haven't expired on me, but I couldn't care less) and not once was patching the operating systems or server processes ever mentioned during all those courses, which is amazing to me.

    And hey, to each their own I guess... apparently there aren't enough intelligent or well read admins around so there is a demand for these products and this approach. But if that's the case, then I think it has to be said that MS has a greater responsibility to create products free from exploits than anyone else, if they're marketing and teaching the idea that you don't need to patch.

    It's by creating that laissez faire attitude towards administration that MS is directly responsible for the proliferation of these worms.

    --
    ----- sXe
  26. Re:As I said in a previous post... by Anonymous Coward · · Score: 3, Insightful

    This is a bad analogy. A better analogy is this:


    I don't need to lock any doors in my office building because we have a security guard at the front door.

    Firewalls promote an all-or-nothing way of thinking that I routinely encounter at work. Firewalls only mitigate the risk of running insecure services, but the false assurances of perimeter security they offer frequently lead to a careless internal security posture, vulnerable both to insider attack and firewall failure/misconfiguration.

  27. Re:my naked-to-the-net sqlserver2000 box is aok by Queuetue · · Score: 3, Insightful

    Uhm.. you're probably completely susceptible to this. You see, that little clicky thingie you clicked in the thingie was written by the same people that sent you that software with the bug that causes this problem.

    You, and the rest of you non-engrossed, non-technical people who don't have $15.00 to put a NIC in a 486 firewall that you can pick up at the dump, but plenty of money to shell out system upgrades every few years... You're causing this problem. You, personally.

    First, by buying and deploying a server OS by an untrustworthy organization, followed by not even complying with their recommendations of protecting, securing, and updating that server.

    Then, by saying "Whew! Dodged that bullet" after you CLICKED ON A CHECK BOX is not quite the same as.. oh.. patching it, securing it behind a firewall and testing it for packet traffic... THESE are the "basics" of your box and the internet. Not what your manual, the context sensitive help, or what MS' Marketing department tell you.

    Was that non-technical enough for you? Stop being smug, and stop being part of the problem.

  28. Re:waiting for patches is hardly good security pol by sjames · · Score: 4, Insightful

    Sounds like damn good advice to me. Why the hell should either of those be exclusive?

    It's very BAD advice! What happens when you blindly apply the patch and find out your mission critical app won't run anymore? A little QA testing would show you that on a test system instead of your live servers. If a firewall rule can protect you, use that, then QA the patch and apply if it is safe.

    Consider that sometimes, the 'security patch' just disables a feature that 'nobody uses anyway' (except for your mission critical app, that is). Other times, it doesn't fix the hole, it just changes its shape a little. In that case, you go from a hole you know about and can guard against at the firewall to one you don't know exists and that has less information about it available.

    It's not purely a dig at MS (though their track record for quality patches is spotty); any sudden change to widely deployed software runs the risk of causing a problem for somebody's configuration.