
New Microsoft SQL Server Worm

Posted by timothy
from the worms-crawl-in-and-the-worms-crawl-out dept.
Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."

  • Password (Score:2, Insightful)

    by LinuxOnHal (315199)
    I think if someone got this one, they probably deserve it. If it attacks computers that don't have passwords, they could have prevented it. NetBIOS shares are a big hole too, without a password. It's a given.
    • Re:Password (Score:4, Insightful)

      by leucadiadude (68989) on Sunday November 25, 2001 @06:21AM (#2609663) Homepage
      Nobody deserves to be hacked. I found it quite sad that this story has no posts (so far) commenting that the person(s) who created and released a malicious piece of software are a**holes. Hopefully it's that this goes without saying.

      Yes, I agree with the sentiment that if you do not secure your boxen, you are an idiot. But if you don't, you do not deserve to be victimised.

      If I accidentally leave my front door unlocked, do I deserve to be robbed/vandalised?
      • Re:Password (Score:2, Insightful)

        by CaNuK (143746)
        If you always leave your front door unlocked, you can expect to be robbed/vandalised, whether you deserve it or not. The perpetrators of the crime likely do not consider how deserving their victims are. All they need is opportunity. I think that we realize that this type of threat is a fact of life, and the idea should be to safeguard against it, since we are not going to snuff out this type of criminal activity any time soon.

        If you are responsible for a house, you should know well enough to lock it.

        Maybe the problem is that MS software often ends up in incapable or unaware hands.
  • by LionMan (18384)
    I must take pity on Microsoft for their situation - being so large and omnipresent, they are a constant target of attack. Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up, but that is a whole philosophical problem for Microsoft, so I can only pity them, not aid them.
    • by Osty (16825) on Sunday November 25, 2001 @02:59AM (#2609333)

      Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up

      Who says you need source to fix problems? In this case, it's as simple as setting a password for the sa user. Anyway, the point is moot because this only affects SQL Server 7 and older. SQL Server 2000 makes you jump through hoops if you want to leave the sa password blank (as well, SQL auth isn't even the default. Instead, Windows domain auth is the default). Anyway, the point here is that source is absolutely not required to fix this problem. Just a small amount of brainpower, that's all.

      • >> Who says you need source to fix problems? In this case, it's as simple as setting a password for the sa user.

        Word up. The people this worm will affect are those who should know better. It's not like my gramma's running SQL Server, after all. (If she were, nobody would ever know the password. Some people's memory is quite the security device.)

      • It's even easier than that:

        DON'T OFFER THE FSCKING SERVICE AT ALL TO AN UNTRUSTED NET! That's a REALLY BASIC security rule.

        sheesh. Even *WITH* passwords, you don't see my MySQL server hanging out there for the world to see. The world doesn't need to see it, so why would I have it hanging out there?

    • Pray tell oh humble supporter of Open Source, how do you plan to use source code to solve the problem of an incompetent user?
      • Well, you'd really just do some rewriting, and not let it function without some sort of password set. It doesn't make the user less stupid, but it would stop stupid worms like this from spreading.
    • Hey, this is not a question of open-source vs closed-source. It is a problem of stupidity. Any person who is stupid enough to leave a database server open to Internet access and without the admin password set deserves a lesson or two. It can just happen to any other OS or database system.
  • A move befitting for Microsoft would be to prosecute those people that get infected with the worm. However, Microsoft probably won't put much effort into finding whoever made the virus. They don't seem to care about virus writers, unless there were a virus that caused CD burners to write copies of Microsoft products..
    • However, Microsoft probably won't put much effort into finding whoever made the virus.

      Ever noticed that nobody puts that much effort into finding whoever made the latest IIS worm or Outlook virus (calling a spade a spade)? Follow the money. Without a more-or-less constant stream of IIS worms, Word Macro viruses or Outlook viruses, the "good guys", the anti-virus industry, wouldn't be able to turn a profit. That scanner that detects 8734 known viruses? No need to ever update it, if there are no new Windows viruses.

    • Interesting. I think randomly accessing the A: drive and infecting its boot sector would also be a bad virus symptom. It's scary when security seems less and less up to them and more up to us.
  • "When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." wow .. so I guess now the administrators using Microsoft SQL have to be smart enough to set the password :) but seriously, this is a very bad programming 'feature' .. if you can call it a feature. At least be kind enough and set the password to something default .. oh wait, that won't help it at all :)
    • Installers for the last couple versions of mssql do indeed ask you to set the sa password, but allow you to override that with the "blank password" checkbox. So since SQL 7.0, you have to go out of your way to have a blank password.

      I've done contract development at quite a few places that had publicly exposed sql servers with blank sa passwords.
    • Actually it asks you for an administrator password and if you leave it blank it tells you clearly that this may be a security risk. But hey, I've seen some people leave it blank anyways. I'm no DBA but yet I know that I have to set a password. Anyone who has "really worked" with MS SQL knows that.

      All routers have default passwords set up, I don't see anyone complaining.
    • Well, the last SQL server I set up (SQL Server 7) gave me 2 options for the password: 1.) Use this username and password (fields here) 2.) Use NT authentication. Which usually isn't set to null. Also, if I'm full of crap and it doesn't ask for a password, I'd be curious if it accepts connections other than localhost by default. MySQL doesn't ever ask for a password. But it remains slightly secure because it doesn't allow connections other than localhost by default.
      • SQL 7 and 8 (aka 2000) do ask you for a password, and scold you if you leave it blank. However they do accept connections from anyone by default. I can't find a way to restrict access by IP, though. I guess you just have to set a decent password. Maybe I'm wrong, but it's too bad - if the web server is the only machine that needs to hit the sql server, it really shouldn't accept connections from anyone else. I've heard "but we're behind a firewall" too many times as an excuse for poor security internally. Users punch holes through firewalls, and nothing protects you against a malicious employee.
        • Use IPSEC's port filtering to block 1433 connections if you can't afford, or don't trust your firewall.
        • I can't find a way to restrict access by IP.

          A properly designed network doesn't need this. First, all SQL servers should be subnetted into an internal address space, only routeable by other internal machines like the web server. Then your firewall has port 80 open and NATs to your web server. Unless you compromise the web server and are able to write malicious code on it, there's no way to even ping the SQL server.
          • I'm not one for putting all of my eggs in one basket. My desktop is behind a firewall, but you can bet the IIS it's running is patched against code red. The SQL Server personal on my machine has a password set. I probably don't need to take these precautions, but I should do it anyway.
  • by Anonymous Coward
    here is what i read

    "A new unmaned worm has been released"

    Cool, at least M$ cares about its pilots .. waitaminute
  • Good. (Score:2, Funny)

    by x136 (513282)
    More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set.

    Ooh, ooh! I know! We can call it the Dumbass Worm!
    Seriously though, if you don't set up an admin password on your server, you deserve to be hacked. Mercilessly.
  • by gkuchta (451185)
    New halitosis worm reported to affect people who haven't installed the new toothpaste module.
  • Is it really so hard for Microsoft to *require* you to put in an administrator password? The three seconds it would have taken to add in that common-sense functionality could have averted the whole thing. Everything about this worm just reeks of stupidity, on both Microsoft and especially the administrators' part.
    • Re:Stupid (Score:2, Informative)

      by iso (87585)
      They do, except for in SQL Server '97. All recent versions make you set a password by default. This worm will only exploit SQL Server '97.
    • Or even, at least, set the use/pass to that of the current user by default.
    • by Soko (17987) on Sunday November 25, 2001 @03:48AM (#2609432) Homepage
      No, it's not hard for the coders - but it would make life difficult for the support people. How many of them would get the inevitable "Ah installed yer ESS-Queuu-Elll thingy, and now it's buggin' me fer a paisswerd. What's wit thet?" from their targeted users? The Marketing Department at Microsoft would be up in arms, saying "Why did you make this hard for people to install?!!? FIX IT NOW!!!"

      MS has always played to the LCD in computerdom - there are relatively few who have the wherewithal and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists its support on its vendors - saves them a bundle.

      Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting their insecure product - as well as upgrades in order to get more security.

      Criticize them as you want - but Microsoft has a good business model in getting everyone and their puppy into what should be advanced products. Then they try to educate their users as to why security is important. Backwards as it is, it seems to be working for them, too.
      • There's another reason why sysadmins go for the password-free, no-security approach. It's easier, in the short term, yes, but there's also remote administration. Many sysadmins either (a) refuse to give out passwords to the people who actually use/run the servers, or (b) make those passwords empty so that they can control the machines from somewhere else in the organization without fear of interference from the local users. Going with route (a) is better from a security standpoint, but tends to infuriate the local users; if you leave the password empty, then as long as the local users aren't clued enough to turn it on themselves you're fine.

  • If a site is stupid enough to not protect their MS-SQL server with a firewall, they are probably dimwitted enough not to put an administrative password on, too.
  • Before you trash Microsoft, for "YAW" (yet another worm).
    But you should trash dumbass SQL Admins who don't set passwords!! WTF, yeah, their installer may not prompt them, but shouldn't someone who knows how to log into an NT or 2K box know at least, "Hey, maybe this thing has a password too".
    If they don't know that, they should take a sharp stick in the eye.
    • you need a password to log into 2K or NT??
    • "Before you trash Microsoft, for "YAW" (yet another worm). But you should trash dumbass SQL Admins who don't set passwords!!"

      Right you are. In fact, I can't think of ANY microsoft worm, except those that are propagated by opening e-mail attachments, that is harmless to properly patched/administered machines.

      So if someone is a worm victim, they either unthinkingly opened an attachment or didn't keep their machines up to date. Either way it was preventable. (Now there's the issue as to who's liable when trouble results from worms ... but I won't go there.)

      • So if someone is a worm victim, they either unthinkingly opened an attachment or didn't keep their machines up to date. Either way it was preventable.

        Actually, Microsoft has created a lot of reluctance amongst more experienced users to keep up to date.

        Many service packs have actually broken systems in the past - making people who know what they are doing reluctant to apply a service pack until they are sure that it really works.

        Also, many security updates depend on these service packs. In fact, some of Microsoft's own update reporting systems will not see the patches until they are running on an up-to-date service pack.

        It becomes a catch-22 - either way, you are damned (well, you certainly would have been in the past). Maybe Microsoft will not make these sorts of errors again. Hmmm, did I just say that? ;)

        So, I'm not sure it's totally preventable on MS software.
        • Many service packs have actually broken systems in the past - making people who know what they are doing reluctant to apply a service pack until they are sure that it really works.

          That's so true. MS had a bad habit of adding new features in Service Packs, and this of course, caused some issues. Luckily, since Win2k, they have been doing a *great* job of testing and working with service packs. Basically now they are just big security fixes (which is great!).

          Also, many security updates depend on these service packs. In fact, some of Microsoft's own update reporting systems will not see the patches until they are running on an up-to-date service pack.
          Also so true. Microsoft has had many problems with security checkers not detecting missed patches unless you are on the latest service pack.

          Really though, this is entirely preventable. My last job had literally hundreds of Win2k servers (big server farm). I worked with IT regularly to test and deploy fixes and patches. We ran perhaps 225-235 IIS webservers (load balanced) with a nice 8-way cluster for the database backend (SQL-2k). Of course, our SQL boxen were not internet accessible, didn't run in SQL-Authentication Mode (and hence, no "sa" silliness), and were well patched.

  • I mean, any software listening to the internet for administration purposes without a password should buy the admin a nice warm place between cardboard boxes and the joys of unemployment.
    • Also any company that sells software that is horribly insecure by default should be thrown out on the street.

      Perhaps you don't remember the Red Hat Piranha episode? In the Linux world software with a default password is considered shocking and outrageous. Even if it's pre 1.0 like Piranha was.

  • by Carnage4Life (106069) on Sunday November 25, 2001 @03:02AM (#2609344) Homepage Journal
    IMHO, anybody who
    1. installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and

    2. exposes their corporate database to the web
    is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against. Seriously, if your corporate network gets infected by Code Red, Sircam or this new SQL server worm it is a sign that somebody somewhere is not doing their job. This goes for UNIX boxen as well, if you're hit by a BIND, sendmail or wu-ftpd exploit then your sys admin is a waste of money and you are better off hiring some college kid who needs the experience. It'll be cheaper and you probably will get better service anyway.
    • not corporate database servers at all (some probably, but not most). It's most likely going to hit Joe SixPack that installed his warez copy of Windows XP and SQL Server 2000 on his primary computer which is hooked up to his cable modem 24/7 and he has no idea that SQL server has a password at all.
    • There's a stripped-down version of MS SQL Server which is bundled with a lot of software (including Microsoft Office, but it's not installed by default). AFAIK, it doesn't even include a GUI tool to set the administrator password. An additional problem is that many people who install this bundled MS SQL Server version don't know what they are doing and that they are opening a gaping security hole. (Some people might suggest to drop "bundled" in the previous sentence.)
    • by Lumpy (12016) on Sunday November 25, 2001 @09:05AM (#2609833) Homepage
      you obviously don't deal with custom vertical apps. or the real world in particular.

      we have 5 SQL servers that are forced to run with no password. because our critical software that uses it is hard coded to not have a password for SQL server.

      I had asked the vendor 5 times within the past 3 years to change this, and then asked upper management to as the vendor.

      What was I told? "It's not an important issue"

      so now I get to be spanked this monday when 10 sql servers all start to try and connect to irc through the firewall.

      So in response to you, I am more competent than 60% of the MS admins in my state. but when you have your hands tied by management you can't do crap but grab a mop and clean up after management's messes all the time... (examples? outlook, trying to run 700,000 users on a MS email server cluster, and brain dead morons wanting to have one super data center and pay for fat pipes to each office instead of having resources at each office. hmmm one disaster and this company is 100% screwed.)

      oh and your "yardsticks" comment...
      first the manager of the IS department or even the CTO should be the one getting publicly fired. as they are usually the ones tying the hands of the admins and preventing them from doing their jobs.

      if a shop gets hit with any exploit, fire the manager first and the techs last.

      • There is a lot of stupid custom software written that needs MS SQL server with an admin account that has an empty or fixed password. I have installed this stuff before.

        It's crappy stuff, but I don't pick it, and I don't think I have the business understanding to know how to pick something better that is still useful to the company.

        All you can do is try to turn off remote access or firewall the thing...
    • by dillon_rinker (17944) on Sunday November 25, 2001 @11:16AM (#2610037) Homepage
      I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against.

      Another poster has indicated that sometimes stupid management decisions prevent you from doing what you know is optimal. If YOU know something's stupid, but your manager tells you to do it anyway, get it in writing (or at least in email). Do NOT do anything potentially harmful to your company unless you have it in writing. Claim that it's part of your documentation procedures, that all non-vendor recommended configurations must be documented.

      If your boss refuses to provide direction in writing, send a memo or email confirming your conversation and letting the boss know that you're going to do what he said. When you're done, send another one saying so, reminding the boss that the situation is nonoptimal and encouraging him to provide you with the resources or permission to optimize things again. Be sure to keep a hard copy of this communication. If your boss is a big enough weenie, you might want to keep a copy at home.

      Keep in mind that a good email admin can alter emails on the server and leave no tracks, so if you're the email admin, instructions in email are irrelevant. Same is true (but for a different reason) if the email admin is in the boss's pocket.

      This advice is probably not applicable to a lot of readers who are already job-hopping and don't care if they do more. Good for you. Some of us, though, (myself included), like our positions and stay in them, and therefore must learn to weather a succession of pointy-haired bungee-boss types. So far I've outlasted three in two years.

      Finally, remember this:
      All human endeavors are political. Those who don't think they're playing politics are merely playing politics badly.
    • IMHO, anybody who installs database software without setting the password (Heck, installs any software that has passwords without changing the default) and exposes their corporate database to the web is too incompetent to keep their job. I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against.

      I so agree with you. But you'll find unsecured SQL Server databases exposed to the public Internet all the time. I've seen it particularly with Small Business Server (package of Microsoft Back Office products, including SQL Server). A small company buys a package deal from a local vendor--they start hosting their own web pages, using SQL Server, and never even wondering about anything like security.

      There is plenty of fault to go around here: the small business bears some responsibility--they're buying a tool without providing the resources to use the tool appropriately. But there are lots of small vendors out there that fancy themselves as Microsoft OEMs and ISVs, assembling kit computers, doing the basic install with zero configuration (or security updates) and plugging the box into the client's network. This is precisely the market for Microsoft's Small Business Server--a low budget tool, and frequently completely unprotected.

      And sometimes it's the client
      Sometimes the client absolutely insists on shooting himself in the foot. I have a proposal outstanding to a warehousing firm--they're dragging their feet, and part of the reason is that they don't want to pay for two servers. (One is publicly accessible, the other [which has the SQL Server installed] is not.) Why can't we use the same box as the web server and the SQL Server? Well, gosh--because then anybody with SQL Enterprise Manager can connect on port 1433, and keep retrying passwords as long as he wants--the login dialog never times out.

      You heard it here first: this worm will affect a lot more companies than you'd think.

    • What really blows my mind is how many programmers use the blank sa password, so that the SQL administrators have no choice about leaving it blank. OK, so I have taken a few too many support calls of this nature, but really....
  • I assume this worm attacks MSDE [microsoft.com] too? MSDE is a stripped down version of SQL server intended as an alternative to using an Access database... I believe MS Project and Visio both use it, for example. A product I worked on uses it too; originally the PHB types wanted it to install with no password, because they didn't think our users would be able to remember a password. I tried to convince them that it was a Very Bad Idea to not have a password, but only managed to get a compromise: the installer asks if they want a password or not, and it defaults to no password :(

    P.S. Does anyone know if there's a way to keep MSDE from listening on TCP/IP connections? There's Named Pipes, but from what I was able to tell, that only works on WinNT, and not on 9x.

    • Compaq Insight Manager XE uses this (MSDE) too. Account 'SA' (SQL Admin) with no password. It's included on the Management CD, packed with all of their servers.
  • It's the FBI's Magic Lantern at work. Does anyone doubt that Al Queda's terrorist cells run IIS? Honi soit qui mal e pense.

    k.
    • Yes, it's true, Al Queda runs Microsoft software. In fact, the justice department is going to use that as a backup prosecution. If the terrorism charges are dropped, it is hoped that the terrorists will get life in prison for software piracy. Hey! They got Al Capone on income tax evasion, didn't they?
  • That some 5c2|p7 k|dd|3 bet $5 with each of his/her friends that he/she could write something out of a worm kit that he could get a LOT of corporate data and that most people can't set a password?

    Seriously, hang the dork that EVER sets blank passwords. This will help clean out the gene pool. Thank you, and God Bless.
  • systems wrongly configured with Microsoft SQL Server software

    I couldn't have said it better myself. :)
  • You know, back in the "good-ol'-days" of 1993, we didn't need no stinking passwords on our servers. You could leave holes in your software so big you could drive a mack-truck through and be completely safe. I tell you, it's those no-good kids that have nothing better to do than to drop out of school after only a Masters degree under their belt and turn to a life of crime destroying the saviour--Microsoft. uhm, yeah.. That's it :)
  • ...should switch to Linux/Apache. That way all they would have to do is remember to keep the patches current... umm... nevermind.

    • SQL Server is a database engine. Apache is a web server. Replacing one with the other wouldn't do you much good..
    • Ever installed MySQL? It comes configured by default with no root password, just like MSSQL. If someone wrote a worm that took advantage of improperly-secured MySQL servers, that worm would do just as much damage (if not more, considering how widespread MySQL is) as this MSSQL worm. It's the administrator's problem, not the software's.

      Coincidentally, when you run the installer for MSSQL 2000, it prompts you to change the administrator password. Anyone who doesn't is an ignorant fool.

      • It just occurred to me that MySQL actually doesn't allow connections from anywhere other than localhost by default, so my statement that a MySQL worm could do more damage than this MSSQL worm was probably in error. Ignore me. Even so, this is still a user problem more than a software problem.
  • by Anonymous Coward on Sunday November 25, 2001 @03:58AM (#2609450)
    Linux boxes compromised
    by THE_MESSENGER, Troll Staff Writer

    HELSINKI - It has just been learned that any Linux box with an unset "root" password is vulnerable to remote compromise, says Dick Johnson, Linux hacker and security analyst. "The attack is very simple," Johnson reports. "Pretty much all you have to do is log in. Then you have complete control of the system." This security problem is believed to be caused by a fundamental flaw in the design of the UNIX family of operating systems, which is the model for the Linux kernel, a popular Cheap Software product. Johnson elaborates: "Those UNIX guys just didn't account for administrators who are too stupid to set root passwords."

    However, knowledge of this flaw is fairly widespread within the Linux community. In fact, the only person known to be unaware of a password-less root account's grave implications is Timothy Gaybone, an "editor" for the popular Cheap Software news website "Slashdot.org." While Timothy is a hardcore Windows 98 user, the recent posting of an article detailing a similar security problem relating to Microsoft's SQL Server 2000 relational database product leads many analysts to believe that he is unaware of Linux's problem as well. DOJ cryptanalyst Harry Blotter guesses that Timothy's "reliance on Windows 98 is probably the root cause of his ignorance. After all, Windows 98 doesn't require login passwords."

    There are no reports of websites compromised by this latest Linux vulnerability, although many industry experts suspect that, oddly enough, Slashdot.org may have been breached years ago. "Rob Malda's personal workstation has probably been cracked -- his spell-checkers have been deleted," Dick Johnson explains.

  • Not so, not so... (Score:4, Insightful)

    by trilucid (515316) <pparadis@havensystems.net> on Sunday November 25, 2001 @04:04AM (#2609458) Homepage Journal

    "Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

    Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."

    Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.

    It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no, try again...

    It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowledge concerning this among the management types, maybe they wouldn't take so much flack after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).

    Web hosting by geeks, for geeks. Now starting at $4/month (USD)! [trilucid.com]
    If you're gonna email, use the public key!
    • Re:Not so, not so... (Score:3, Interesting)

      by WasterDave (20047)
      I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password.

      In the unlikely event of an ASP programmer:
      a, Giving a shit about security and
      b, Realising that in all probability the IIS box will be owned at some point, and therefore his source code will become (effectively) public knowledge...

      What options do these... delightful individuals... have for not having a plaintext password stored in the .asp source for connecting to the database? Can they, for instance, keep the password in the registry? (and hence it can be changed on a regular basis, good lord)

      For extra points, how to do it on php? Yes, I am in the process of developing something under php and am a tad concerned about this.

      Dave

      • Very good questions, actually :). I haven't done ASP in a long, long time, but I recall that there is a mechanism built in that allows you to retrieve login information from a file that isn't publicly available. There's probably other neat hacks to get the info from the registry, too.

        Under Perl or PHP, you can do it by storing the login info in a file that's chmod'ed to disallow access to all but your userid. Now, in this scenario, your script has to run as your userid (instead of the web server uid [Apache or Nobody]), which can be accomplished via suEXEC or a cgi wrapper. Either way, same effect. In this event, there are only a few ways someone could snag the password (running a proggy to directly interface to the memory space of your program [unlikely], get root access to the server [you'd have more to worry about in that case], or monitoring the network wire [if you were accessing the password on a remote machine via cleartext]).

        I guess my point is this: there are ways to avoid the "passwords in the script" problem in most languages/systems. Of course, if the target environment is Windows 9x, you're going to have oodles of problems with access permissions, but nobody runs production servers on 9x, right? :)

        Web hosting by geeks, for geeks. Now starting at $4/month (USD)! [trilucid.com]
        If you're gonna email, use the public key!
        • Very good questions, actually :). I haven't done ASP in a long, long time, but I recall that there is a mechanism built in that allows you to retrieve login information from a file that isn't publicly available. There's probably other neat hacks to get the info from the registry, too.

          Don't do either. Set a specific password for the user IIS runs as (IUSR_, and IWAM_ if you use out of process), and tell IIS to use those account details. Then duplicate the user name and password on the SQL box, and use Trusted authentication only. No passwords stored anywhere, except the SAM database.

      • by Lumpy (12016) on Sunday November 25, 2001 @09:59AM (#2609891) Homepage
        Uhh, simple....
        Don't let any ASP program or programmer have sa access.
        If you can't write your app to use a regular SQL account then get the hell out of the business.

        It is amazing how many "programmers" require administrative access to databases or resources for no reason whatsoever. Give them a user account; if they forget their password, publicly humiliate them by yelling "What? Are you so stupid that you can't remember a password? Why did they hire you if you're that stupid?" This is reserved for programmers only... sales people and marketing are allowed to forget their password daily, we know they are that stupid, but a programmer has ZERO excuse.

        First, if the programmer asks for admin access, laugh them out of the office. If they ask again, tell them to do it at home on their own time (unpaid). If they ask a third time, start back at the top.
      • There is a very simple object model for getting settings out of the Registry. All of our DB passwords, etc. are stored in the Registry. In ASP.NET it's stored in an XML file (Web.Config) which is much nicer.

        BTW: ALL of our DB accounts only allow access to the Stored Procedures for the necessary DB (different logins for each DB). There is NEVER any actual SQL in the code. This is a Good Thing(tm).
      • Simple.

        You restrict the rights to the file. If you are very paranoid that the source code itself could somehow be displayed (I've seen it happen, when somebody re-configures the server without your knowledge, so PHP comes up as plaintext!!!), then put the passwords in a separate file, and ensure that that file (better yet, a separate directory) is not able to be displayed AT ALL by the web server (I do this on my site). Your PHP, or embedded perl, or whatever, then simply reads the database authentication info from that file.
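The "credentials in a locked-down file outside the web root" approach described in this post and in the suEXEC/chmod reply further up, as an added example that is not code from either poster: a Python loader that refuses to read the credentials file unless it is a regular file (not a symlink), owned by the user the script runs as, with no group/other permission bits. It assumes the script runs as the file's owner (via suEXEC or a CGI wrapper, as the earlier reply describes); the `db.conf` layout, its key names and the sample values are constructed for this example.

```python
"""Load database credentials from a file kept outside the web root.

Added example, not from the thread: the file-permission pattern the posts
describe, with the permission check done before the secret is read.  Assumes
the script runs as the owner of the credentials file (e.g. under suEXEC).
"""
import os
import stat
import tempfile

# Any of these bits set means someone other than the owner can read or write
# the file, which defeats the point of keeping the password out of the script.
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO


def permission_problems(mode, owner_uid, expected_uid):
    """Return the reasons a credentials file is unsafe; empty list if it is fine.

    `mode` and `owner_uid` come from os.lstat(); `expected_uid` is the uid the
    script runs as.  Pure function so the policy itself can be tested.
    """
    problems = []
    if owner_uid != expected_uid:
        problems.append("not owned by the running user")
    if mode & UNSAFE_BITS:
        problems.append("readable or writable by group/other")
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    return problems


def parse_credentials(text):
    """Parse simple 'key=value' lines; '#' starts a comment (constructed format)."""
    creds = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        creds[key.strip()] = value.strip()
    for required in ("host", "user", "password", "database"):
        if required not in creds:
            raise ValueError("missing %s" % required)
    return creds


def load_db_credentials(path):
    """Read the credentials only if ownership and mode pass the check above."""
    st = os.lstat(path)  # lstat: a symlink planted in the config dir is rejected
    problems = permission_problems(st.st_mode, st.st_uid, os.geteuid())
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path) as fh:
        return parse_credentials(fh.read())


# Constructed sample file contents; not real credentials.
SAMPLE = (
    "# constructed sample, not real credentials\n"
    "host=db.internal\n"
    "user=webapp\n"
    "password=not-a-real-secret\n"
    "database=shop\n"
)


def demo():
    """Write two constructed files, one locked down (0600) and one world-readable
    (0644), and report whether the loader accepted or refused each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db.conf")
        with open(good, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(good, 0o600)
        results["good"] = load_db_credentials(good)["user"]

        bad = os.path.join(d, "db-open.conf")
        with open(bad, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(bad, 0o644)
        try:
            load_db_credentials(bad)
            results["bad"] = "loaded"
        except PermissionError:
            results["bad"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Refusing to read a file that is group- or world-readable turns the configuration mistake the post describes (a server reconfiguration that exposes files) into a loud failure at startup instead of a silent leak.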

    • The practice of a blank 'sa' password started with Sybase (MS SQL Server was originally a licensed version of Sybase). Oracle is no better, it has well known default passwords for the 'system' and 'sys' accounts. The real problem is installation tools that don't make it mandatory to set a password for all non-default accounts.
  • by Anonymous Coward
    I apologize in advance for this rant, but I'm currently in a battle with
    the executives at a client firm (I consult) over this exact issue. At
    once I feel both vindicated in that this is finally a real threat, and
    infuriated that I have to fight with these morons over questions that are
    really this obvious.

    Not to defend Microsoft, but the main reason that there is no default
    password on this sort of setup is because Microsoft assumes the
    following:

    1. This software will be run by monkeys (monkeys in power is our business
    model).
    2. Monkeys can't remember a password.
    3. Monkeys won't understand the need for one anyway.

    This is not directly Microsoft's fault, but rather the nature of business
    in general. M$ makes so much money off of this because business wants to
    employ monkeys (they're cheap, you see).

    Sadly, I have to crack Administrator passwords on NT, say, once every two
    weeks, because someone "forgot" it.

    Heck, Milnet was a playground for hackers because of default and blank
    passwords for almost two decades. Same reason.

    Sometimes, being a responsible, password-using, security-loving
    administrator in this world is--well--depressing. When I look around at
    my "peers", I see tons of dumbasses that shouldn't even have access to the
    Administrator password, let alone a keyboard. I mean, I actually have
    arguments with these people about even *NEEDING* passwords at all! I get
    defenses like "we're too small to be hacked" or "we don't have anything
    to lose if we get hacked"!

    I mean, seriously, while there are some pretty cool and froody NT admins
    out there, most NT installations began with some primate stuck in front of
    a computer and asked to "make it go".

    I think I just realized that without the M$ crutch, 75% of the so-called
    IT admins wouldn't even be able to find their ass. I hear all the time
    about how Windows has provided "easier tools" and "platform
    standardization". What really happened is that M$ turned the complex and
    exacting task of system administration into a game of "click the
    button" with all of the "hard choices" (like passwords) labeled with
    scary phrases like "Advanced" or "This will require more
    configuration". I suddenly realize that what M$ really did is lower the
    IQ requirement to become an administrator to the point that most of these
    clueless jerks defend M$ because it keeps them from having to shovel
    manure for a living. Really, M$ manipulated the industry by flooding it
    with idiots that must be firmly locked to the Redmond teat--knowing that
    they will do more than Billy G. and the Spin Squad could ever do to defend
    his monopoly!

    So is this situation Microsoft's fault? By design, maybe. Directly,
    no. It is precisely because business *wants* to employ cheap idiots that
    these bugs exist. It's just that M$ catered to that whim and developed a
    horde of pundits that cling to its ways for their own livelihood.

    The worst part is that I have personally passworded probably 40 SQL
    servers (most of which doubled as a public web server) for small
    businesses. I've created entire password policies for hundreds of
    users. It is infuriating to me that--despite gross evidence like
    this--whenever I do a security audit, I have to drag these people kicking
    and screaming to use passwords, remember them, make them secure,
    periodically change them and, for god's sake, don't write them down! Is
    that really so much to ask?

    Oh well, at least I get paid to fix it for the three clients I have that
    have INSISTED that their SQL servers have no passwords. The really ironic
    thing is that all three only use SQL server for an accounting package and
    their administration couldn't be bothered with passwords--and now all
    their accounting data is at risk. The ironic humor of this has not
    escaped me.
    • Sometimes, being a responsible, password-using, security-loving
      administrator in this world is--well--depressing. I mean, I actually have arguments with these people about even *NEEDING* passwords at all!

      Loving security is good. Loving passwords is lame. Before I get flamed, let me say that I DO believe that security is an important issue. My gripe is specifically about passwords as the main and (usually) only way to enforce that security.

      Given that the standard marketing manager has at least five passwords to remember - system login, CRM system login, order system login, HR system login, pr()n site login :-) - it's a wonder that you have any security at all left. If admins really want to have an effect on security, get your organization to move away from passwords and onto smart cards or biometric validation. It's a lot easier on you and your users.

    • This post deserves a heap of insightfuls. I used to think that ease-of-use isn't important for linux - before I read this post. I used to think 'Linux will get easy when it's done'. Now I realize that every day it's not easy is another day for micros~1 to increase its marketshare and profitability which it will use to squelch its perceived competition.
  • empty or default (Score:3, Redundant)

    by macpeep (36699) on Sunday November 25, 2001 @06:21AM (#2609662)
    The problem isn't really that the password is empty. It would be just as bad with *any* default password. Remember "scott" "tiger" on Oracle?
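Following on from the point that a well-known default is as bad as a blank password, and the earlier remark that installation tools should make setting a password mandatory, here is an added example that is not code from any poster or vendor installer: a Python install-time check that rejects blank, account-name and known-default passwords and keeps prompting until it gets an acceptable one, aborting the install rather than falling back to a default. The `KNOWN_DEFAULTS` list is built from the pairs named in this thread (blank `sa`, `sa`/`sa`, `scott`/`tiger`); the minimum length and the injectable `ask` callable are constructed for the example.

```python
"""Refuse blank or well-known default passwords at install time.

Added example, not from the thread or any real installer.  The defaults list
is constructed from the credentials the discussion names; a real installer
would carry a larger catalogue.
"""

# (account, password) pairs that ship as defaults and are widely known.
# All lowercase so the lookup is case-insensitive.
KNOWN_DEFAULTS = {
    ("sa", ""),          # MS SQL Server / Sybase blank sa
    ("sa", "sa"),        # account name reused as password
    ("scott", "tiger"),  # Oracle demo schema
}


def password_problems(account, password, min_length=8):
    """Return the reasons a candidate password is unacceptable; empty if fine.

    Every rule is checked so the user sees all problems at once.
    """
    problems = []
    if password == "":
        problems.append("blank password")
    if password.lower() == account.lower():
        problems.append("password equals the account name")
    if (account.lower(), password.lower()) in KNOWN_DEFAULTS:
        problems.append("well-known default credential")
    if 0 < len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    return problems


def require_password(account, ask, max_attempts=3):
    """Keep asking until an acceptable password is supplied.

    `ask` is any callable taking a prompt and returning a string
    (getpass.getpass in a real installer; a scripted callable in tests).
    Returns the accepted password, or raises SystemExit so the installer
    stops instead of silently continuing with a default.
    """
    for _ in range(max_attempts):
        candidate = ask("Password for %s: " % account)
        problems = password_problems(account, candidate)
        if not problems:
            return candidate
        print("rejected: " + "; ".join(problems))
    raise SystemExit("no acceptable password for %s; refusing to install" % account)


if __name__ == "__main__":
    import getpass
    chosen = require_password("sa", getpass.getpass)
    print("accepted a password of length %d for sa" % len(chosen))
```

The important design point is the final `raise`: an installer that gives up and proceeds with the default after a few bad attempts is exactly the behaviour the post complains about.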
    Of course we've seen reports like this time and time again now, but let's also try to grasp the broader picture here. MS is very busy trying to integrate as much as possible, even beyond the original idea 'one interface, one way to operate'. Nowadays everything seems to be in need of integration, and so far we've seen more trouble than good coming from it. Take for example the VB scripting: once the email client got 'infected' by it we've seen virii take advantage of it. At first VB attachments, but later the rumours went on about overflow exploits and even emails which basically got autostarted. So the virii basically evolved; it started pretty harmless but soon got worse.

    Although it's hard to look into the future, I have a feeling we're at the start of something new and icky. Don't forget that a lot of websites using IIS also have a connection to some SQL server in order to store/retrieve data. This exploit may only be capable of doing harm without a SU password; don't toss it away with "blech, there's no harm in that" and forget all about it. It just might haunt us after all.

      >>So the virii basically evolved, it started pretty harmless but soon got worse.

      I think they've ALL been extremely harmless up to this point. Sure there are still tons and tons of rooted boxes out there from Code Red. But that's not the worst thing that could happen.

      I don't think most people realise the destructive power a million little pcs connected to the internet can have.

      Forget about fifteen year olds DoSing Yahoo and CNN for a couple days. A million computers could easily take out all the phones in DC for a couple days. That would be expensive I think.

      Or instead of just deleting a couple mp3 files the viruses could do harmful things to the computers they infect. Stuff like destroying the monitor. Then destroying the BIOS. Then erasing the hard drive. That's the kind of thing I'm afraid of.

        Frankly, that's the kind of thing I dream of, because at this point, I'm quite convinced that the only way to wake up the *IDIOTS* out there is to destroy what's valuable to them.

        I received my third virus email in a week from one particularly clueless git today. The dumbass keeps opening attachments willy-nilly. Well, I hope the next one screws his boot sector. He needs a clue-by-four upside the head.

        If every dumb asshole out there was to lose their system, they'd *have* to learn to be more careful, wouldn't they? Or am I still giving them far too much credit?
  • "it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."

    Only the "majority", not "virtually all"? MCSE certification takes another step downwards! And it's already on the 23rd sub basement!

    ttyl
    Farrell
  • can you even charge someone with breaking and entering if your house doesn't actually have a DOOR?

    I second the motion to name this the "dumbass worm"
    I just recently installed a sample web application from M$, yes it was .Net, and it came with one of these MSDE databases. When I opened up the server manager I was surprised to see several IP addresses in it. There are several @home users with SQL Server installed and many with no sa password, don't ask me how I know that. Many of these boxes also have infected IIS installs too. As if I don't get enough Code Red/Nimda hits as it is. I'm glad I uninstalled that thing, because I am sure it didn't have a password and I am not sure how I could set it. Does anyone know about the functionality of the little engines and are they affected by this worm? LT
  • by Tom7 (102298) on Sunday November 25, 2001 @01:06PM (#2610314) Homepage Journal

    Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.

    There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for businesses (so, there might be a company that specializes in a database product for food manufacturers, etc.).

    These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server; they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and voila, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).

    So yes, this is stupid, but it is not as braindead as installing redhat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.
    I worked at a company whose software required the SQL password be set to 'sa'. This was software that dealt with millions of dollars of assets. I pointed this security flaw out several times and was ignored.

    I don't work there anymore.
    According to the most recent Netcraft survey, 1 in 10 servers running IIS as an e-commerce website or a secure website still has a back door installed from the Code Red virus.

    I don't know how they got the figures. But Netcraft is traditionally very even handed and reasonable.

    This new virus probably won't help those figures very much.

    So remember... If you buy from a web site running IIS you have a 10% chance that your credit card number is going to be sent directly to a guy who calls himself Hax0rDo0d.

    I don't want to flame MS for this since customers demand that no password be installed by default. But on the other hand there's no need to go overboard and buy from hax0red web sites just to be nice.
