[thelist] MSSQL Worm
Anthony Baratta
Anthony at Baratta.com
Wed May 22 12:47:01 CDT 2002
At 08:09 AM 5/22/2002, Garrett Coakley wrote:
>--
>A mounting trail of evidence has security experts warning that a new
>Internet worm targeting Microsoft SQL servers could be on the loose.
This worm looks for MS SQL servers that have no password for the "sa"
account. By default with a MS SQL 7.0 installation, you are no prompted for
an "sa" password. However with SP3 the SP installation will look for an
"sa" password and if it does not exist make you put one it. MS SQL 2000
does not suffer from this brain dead installation problem.
With Windows 2000 you can use the IPsec "filters" to deny access to port
1433 from only approved IPs. I don't have it working yet for myself, but
when I do I'll write it up and post on eVolt.
Lastly - make sure you have the latest SP and hotfixes installed. There are
a ton of buffer overflows with extended store procedures that can be used
to "root" your box if the attacker has been able to divine your ODBC
account login information.
---
Anthony Baratta
President
Keyboard Jockeys
"Conformity is the refuge of the unimaginative."
More information about the thelist
mailing list