Warning!!!! MS SQL Worm on the loose
22 May 2002, 07:06 AM
#1
Scooby Regular
Thread Starter
There appears to be a self-propergating worm on the loose which attacks MS SQL servers on port 1433 by first pinging the port and then trying to logon with as SA using a blank password (the default config). It then runs a script to report back that the box has been rooted.
If you are running MS SQL make sure that you do the following
1. Make sure you block Internet access to TCP1433
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.
More information as I get it.
Jeff
If you are running MS SQL make sure that you do the following
1. Make sure you block Internet access to TCP1433
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.
More information as I get it.
Jeff
22 May 2002, 07:46 AM
#3
Scooby Senior
Join Date: Feb 2000
Location: West Midlands
Posts: 5,763
Likes: 0
Received 0 Likes
on
0 Posts
Jeff,
i was just about to start a new topic with a question about the MS-SQL-S port, because i have been getting loads of firewall blocks happening recently (e.g. this morning only FIVE seconds after connecting!).
Seems like you have already answered my question
Thanks for the info, and let us know if you find out any more,
cheers,
mb
p.s. A blank default password? - madness [img]images/smilies/mad.gif[/img]
i was just about to start a new topic with a question about the MS-SQL-S port, because i have been getting loads of firewall blocks happening recently (e.g. this morning only FIVE seconds after connecting!).
Seems like you have already answered my question
Thanks for the info, and let us know if you find out any more,
cheers,
mb
p.s. A blank default password? - madness [img]images/smilies/mad.gif[/img]
22 May 2002, 08:08 AM
#4
Scooby Regular
Thread Starter
It now appears that there are 2 seperate worms running around (do worms run ?). Both of them appear to be doing similar things. They both appear to have orginated from South Korea....!
Jeff
Jeff
22 May 2002, 08:14 AM
#5
Scooby Regular
Thread Starter
If you want early warning of this type of event you should subscibe to DShield at
www.dshield.org
Jeff
www.dshield.org
Jeff
22 May 2002, 09:44 AM
#7
Scooby Regular
Thread Starter
About 4000 SQL machines have been compromised now....more info at
http://www.incidents.org/diary/diary.php?id=156
It will also infect versions of
Visio
Access
Project
Visual Studio 6
All of these have the ability to run a cut down version of SQL callled MSDE which installs without an SA password (!)
Jeff
[Edited by Jeff Wiltshire - 5/22/2002 9:47:46 AM]
http://www.incidents.org/diary/diary.php?id=156
It will also infect versions of
Visio
Access
Project
Visual Studio 6
All of these have the ability to run a cut down version of SQL callled MSDE which installs without an SA password (!)
Jeff
[Edited by Jeff Wiltshire - 5/22/2002 9:47:46 AM]
Trending Topics
22 May 2002, 01:37 PM
#8
Scooby Regular
Thread Starter
The AV vendors have started putting out updated files to detect this now.....
It turns out that this worm (SQLsnake) adds a guest account into your Domain Admin group as part of the script......
Jeff
It turns out that this worm (SQLsnake) adds a guest account into your Domain Admin group as part of the script......
Jeff
Thread
Thread Starter
Forum
Replies
Last Post
charlesr
General Technical
9
28 September 2015 09:16 AM
TylerD529
Lighting and Other Electrical
5
20 September 2015 12:10 PM