  1. #1
    DF Rookie sim
    Join Date: Jul 2001
    Location: UK
    Posts: 14

    Is this for real

    I just received this e-mail. Is it for real or a hoax?

    WARNING! SQL Server worm on the loose!!!!!!!!!!!
    You have a SQL server connected to the Internet? READ!
    Friday night it seems a SQL server worm broke out and it's coming in on SQL port 1434, then flooding it and bringing the server to its knees so it won't respond to other services. Shut it off and patch NOW. It seems to have an impact on whole-Internet performance.

    CERT-CC Vulnerability Note VU#370308

    Reachability %

    SecurityFocus HOME Mailing List BugTraq

    Microsoft Security Bulletin MS02-039 and get the patch

    Or install SP3 NOW !!!!! Download SQL Server 2000 SP3...

    I'm not 100% sure about this matter at the moment but better patch / prevent.

    Spread this warning !!!!!!!

    Keep looking at http://winxp.bink.nu for more info as this will develop further

  2. #2
    DF VIP Member graham.edmon
    Join Date: May 2001
    Location: Edinburgh
    Posts: 263

    well question one is

    do you have SQL server installed on your web machine?

    if you do.. my second question is....

    WHY!!!!!!

    first solution is to uninstall it, and put it on another machine that isn't directly connected to the net

    second solution is change the port SQL server uses for management suite connection, in SQL properties, and advanced depending on version.

    third solution is install a firewall, and only allow SQL Server to talk to the LAN and not the INTERNET.

    when it comes down to it, anyone using any database on the internet, unless it is ABSOLUTELY necessary for it to be exposed to the whole world (can't think of any reason it should be) should always host the database on a different box or lock off all SQL server ports to the external world.

    SQL server in its default configuration is OPEN, and when I say OPEN.. i mean OPEN!!!!! it's easy to seize control over the machine and execute any system command.

    its late, so I am not going to get into it in depth, but you should

    -- delete ALL stored procedures that allow system commands to be executed.. if you need to use them in your DB then you are using it wrong!
    -- make sure your SA account has a STRONG password set.
    -- close off the ports to the external world, any info you need from the database can be done through other means...
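    The three bullets above as a T-SQL hardening pass. This is an added example, not code from the thread or from Microsoft; it assumes a SQL Server 2005-or-later instance (sp_configure 'xp_cmdshell', sys.sql_logins, PWDCOMPARE and ALTER LOGIN do not exist on SQL Server 2000, where the equivalents were sp_dropextendedproc and sp_password), and the password value is a placeholder.

```sql
-- Added hardening example (not from the thread). Assumes SQL Server 2005+;
-- on SQL Server 2000 use EXEC sp_dropextendedproc 'xp_cmdshell' and sp_password.
USE master;
GO

-- 1. "delete ALL stored procedures that allow system commands":
--    switch xp_cmdshell off at the server level and keep ordinary logins from
--    calling it even if someone turns it back on later.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
REVOKE EXECUTE ON master.dbo.xp_cmdshell FROM public;

--    OLE Automation procedures (sp_OACreate and friends) are another route to
--    running arbitrary code from inside the database; a web-facing instance
--    rarely needs them.
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 2. "make sure your SA account has a STRONG password set":
--    first list SQL logins whose password is blank or equal to the login name
--    (PWDCOMPARE tests a candidate password against the stored hash).
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

--    then give sa a long random password and disable it; administer through a
--    named sysadmin login or Windows authentication instead.
ALTER LOGIN sa WITH PASSWORD = '<REPLACE-WITH-A-LONG-RANDOM-PASSWORD>';  -- placeholder
ALTER LOGIN sa DISABLE;

-- 3. "close off the ports to the external world":
--    not a T-SQL job: restrict TCP 1433 and UDP 1434 (the resolution port the
--    worm warning above refers to) to the LAN at the host firewall and the
--    network edge. This query shows which local addresses current sessions
--    arrived on, which tells you where the instance is actually reachable.
SELECT DISTINCT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE local_net_address IS NOT NULL;
```

    Run it as a sysadmin login other than sa, since the script disables sa at the end; the PWDCOMPARE query is worth keeping as a scheduled check, because the blank-password condition reappears whenever someone restores a database or reinstalls an instance from old media.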

  3. #3
    DF VIP Member Aido
    Join Date: Jan 2001
    Location: Carioca, Pragu
    Posts: 1,851

    MS SQL commands are great - nothing like a good xp_cmdshell when you're bored

    Seriously though, anyone who has an internet facing db server is ****ing retarded.

    Web wise, the only things that should be directly accessible on the internet are the presentation tier servers - the application tier and backend database tiers should be hidden away in a separate DMZ / physical network, more than one layer would be even better.

    Shit, that kid from Wales got locked up for scanning TCP/1434 and exploiting some wankly set up machines which had a blank SA password and were using SQL authentication - you'd have thought that some people would have gotten a ****ing clue by now

    Even presentation servers allowing data transfer thru TCP/80 aren't safe thanks to the various buffer overflows, cgi-bin exploits and what have you, but leaving App servers and database servers accessible via the net is just asking for trouble..

    As for MS getting infected, you can practically guarantee that some knob somewhere had their laptop connected to the net without any firewall software installed and got infected, then went and introduced the infected host into the internal infrastructure - doesn't matter how much security you've got externally if you've got no way of controlling what is connected to the network - and unfortunately in companies that size it's pretty much impossible until after the event...
    Last edited by Aido; 1st February 2003 at 02:17 AM.
    Go shagging in Prague or live it large in Vegas !!

  4. #4
    DF VIP Member graham.edmon
    Join Date: May 2001
    Location: Edinburgh
    Posts: 263

    Originally posted by Aido
    As for MS getting infected, you can practically guarantee that some knob somewhere had their laptop connected to the net without any firewall software installed and got infected, then went and introduced the infected host into the internal infrastructure - doesn't matter how much security you've got externally if you've got no way of controlling what is connected to the network - and unfortunately in companies that size it's pretty much impossible until after the event...
    True, but..

    1. Any correctly configured infrastructure should have antivirus on ALL file servers/ and print buffers
    2. the DMZ should have a connection/ or antivirus facility to prevent viruses from being sent from the internal infrastructure.

    As for SQL... couldn't agree more.. but I think most of the vulnerability is because of the users.. even oracle installs by default with three levels of entry into the database, with username and password set (thankfully not as stupid as MS, and leaving the password blank). the problem is that there are too many people/companies out there that think that a product is safe out of the box....

    how many people here have installed the drivers for a piece of hardware directly off the CD they got with it, rather than going to see if there is a newer version....? and ended up getting problems?

  5. #5
    DF VIP Member Aido
    Join Date: Jan 2001
    Location: Carioca, Pragu
    Posts: 1,851

    Originally posted by graham.edmon
    True, but..

    1. Any correctly configured infrastructure should have antivirus on ALL file servers/ and print buffers
    2. the DMZ should have a connection/ or antivirus facility to prevent viruses from being sent from the internal infrastructure.
    Can see exactly where you're coming from but could any anti-virus software have prevented this - NAV couldn't detect it, you just get a removal tool to use after the event... Do many AV programs offer constant memory scanning nowadays? The ones I've seen just hook into the IRP stack for filesystem monitoring..

    Wouldn't be at all surprised if we see firewalls / IDS systems advance again and start inspecting all MS SQL traffic, hell, we've already got URLScan & SecureIIS so where's SecureSQL?!

    As for number 2, I've been to a few large multinational companies and they literally have an unfiltered route out to the internet from all clients which is crazy - I could telnet, ssh, even use NetBIOS traffic out from the internal LAN - that's just asking for trouble since as you say, as soon as an internal host gets infected it can begin probing & infecting external hosts....

    Originally posted by graham.edmon
    As for SQL... couldn't agree more.. but I think most of the vulnerability is because of the users.. even oracle installs by default with three levels of entry into the database, with username and password set (thankfully not as stupid as MS, and leaving the password blank). the problem is that there are too many people/companies out there that think that a product is safe out of the box....

    how many people here have installed the drivers for a piece of hardware directly off the CD they got with it, rather than going to see if there is a newer version....? and ended up getting problems?
    Are they still using scott / tiger?!

    As for MS you can find SQL Brute Force programs to brute force the SA account - it's never going to be safe. If you've got the time and the CPU power, you'll eventually get in if the passwords are not constantly changed correctly....

    You're right there though, a lot of people don't really understand how a product works and leave everything at default settings, I think that's where MS have finally got something right and IIS6 only has extremely basic options enabled by default - you want extra functionality - you enable it. Takes some of the onus away from them now.

    What worries me is the new SQL based filesystem, they're going to absolutely have to sort out the SQL authenticated mechanism since otherwise if you get SA access to the SQL side you've essentially got full rights to all files & folders - have any of you played with this yet?? Know there were some betas knocking about but I never heard if they contained this functionality....
    Last edited by Aido; 1st February 2003 at 12:36 PM.
    Go shagging in Prague or live it large in Vegas !!
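    Aido's point that the SA account will be brute-forced given enough time is easiest to answer by watching for it. The query below is an added example, not from the thread: it reads failed logins out of the SQL Server error log and groups them per login, client address and minute. It assumes SQL Server 2005 or later with the default login auditing (failed logins logged), whose log lines carry a "[CLIENT: <ip>]" suffix; the 20-per-minute threshold is an assumption to tune.

```sql
-- Added detection example (not from the thread). Assumes SQL Server 2005+ with
-- failed-login auditing on, so each rejected attempt is logged as
--   "Login failed for user 'sa'. Reason: ... [CLIENT: 10.0.0.5]"
USE master;
GO

CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    [Text]      nvarchar(max)
);

-- Pull only failed-login lines from the current error log
-- (argument 0 = current log, 1 = SQL Server log as opposed to Agent log).
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

-- Carve the login name and client address out of the message text and
-- bucket attempts per minute.
;WITH attempts AS (
    SELECT
        LogDate,
        -- text between the first pair of single quotes: the login name
        SUBSTRING([Text], CHARINDEX('''', [Text]) + 1,
                  CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                  - CHARINDEX('''', [Text]) - 1)                        AS login_name,
        -- text between "[CLIENT: " (9 characters) and the closing bracket
        SUBSTRING([Text], CHARINDEX('[CLIENT: ', [Text]) + 9,
                  CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                  - CHARINDEX('[CLIENT: ', [Text]) - 9)                 AS client_ip,
        DATEADD(minute, DATEDIFF(minute, 0, LogDate), 0)                  AS minute_bucket
    FROM #errlog
    WHERE [Text] LIKE '%[[]CLIENT: %'     -- skip lines without a client address
)
SELECT login_name, client_ip, minute_bucket, COUNT(*) AS failures
FROM attempts
GROUP BY login_name, client_ip, minute_bucket
HAVING COUNT(*) >= 20                   -- threshold is an assumption; tune it
ORDER BY failures DESC, minute_bucket DESC;

DROP TABLE #errlog;
```

    A burst of failures against 'sa' from one address is the signature to alert on; SQL logins have no lockout of their own, so the complementary control on 2005+ is ALTER LOGIN ... WITH CHECK_POLICY = ON, which applies the Windows account-lockout policy to the SQL login, plus keeping sa disabled as in the earlier example.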
