New Microsoft SQL Server Worm 290
Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."
Password (Score:2, Insightful)
Re:Microsoft always a target (Score:5, Insightful)
Who says you need source to fix problems? In this case, it's as simple as setting a password for th sa user. Anyway, the point is moot because this only affects SQL Server 7 and older. SQL Server 2000 makes you jump through hoops if you want to leave the sa password blank (as well, SQL auth isn't even the default. Instead, Windows domain auth is the default). Anyway, the point here is that source is absolutely not required to fix this problem. Just a small amount of brainpower, that's all.
Too bad but we can't blame MS on this one.. (Score:2, Insightful)
Too Incompetent To Keep Their Job (Score:5, Insightful)
Re:Stupid....Marketing Department (Score:4, Insightful)
MS has always played to the LCD in computerdom - there are relatively few who have the wherewithall and curiosity to know exactly what they're doing with the tools Microsoft gives them. It's been the job of Marketing to educate the users the product has been sold to. When they can't handle it properly, it's then dumped on to the Support people. No wonder Microsoft foists it's support on it's vendors - saves them a bundle.
Example: Joe CFO wants the website up and running now, and gives the job to New Intern who doesn't have a clue. If New Intern can't get it running now, he blames his tools - namely MS, who hear about it from Joe CFO. So, figuring this out beforehand, Microsoft make it as easy as possible to get a SQL server running now - security be damned. New Intern has no authority to spend US$ 100 per call (or whatever it is) in order to contact someone who actually knows the scoop, and just blithely continues on. Microsoft make a sale, trap another customer, and get $ from supporting thier insecure product - as well as upgrades in order to get more security.
Critisize them as you want - but Microsoft has a good business model in getting everyone and thier puppy into what should be advanced products. Then they try to educate thier users as to why security is important. Backwards as it is, it seems to be working for them, too.
Not so, not so... (Score:4, Insightful)
"Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that majority of Microsoft SQL servers have administrator passwords."
Not in my experience, sadly. In most of the corporate environments I've seen MS-SQL Server installed, the sa account has had no password. You may wonder what their logic was... "nobody would know how to hack it, and it's just a development server anyhow."
Yeah, right... a development server exposed to the net. That's not the worst of it, though. I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password. This shitty practice is amazingly common.
It's usually very difficult to reason with the management types on this sort of thing. Most of these people view the database server as a magic box where their information is kept, not as a system that needs to be properly secured. By and large, most corporate types I've talked to actually believed you'd have to have physical access to the machine. I can't say how many times I've heard them say things like "oh, that's what the Administrator logon password in NT is for, right?". Uh, no try again...
It would probably be impossible to accurately say how many people are running with open sa accounts, because to stand up and admit it would be career suicide for any "database admin". Then again, given the lack of knowlege concerning this among the management types, maybe they wouldn't take so much flack after all. In the end, they could always blame Microsoft for letting them set up the account with a blank password to begin with (dumb, but I can see them saying that).
Web hosting by geeks, for geeks. Now starting at $4/month (USD)! [trilucid.com]
If you're gonna email, use the public key!
Re:Hey Maybe These Admins... (Score:3, Insightful)
Coincidentally, when you run the installer for MSSQL 2000, it prompts you to change the administrator password. Anyone who doesn't is an ignorant fool.
Re:Password (Score:4, Insightful)
Yes, I agree with the sentiment that if you do not secure your boxen, you are an idiot. But if you don't, you do not deserve to be victimised.
If I accidentally leave my front door unlocked, do I deserve to be robbed/vandalised?
Re:Not so, not so... (Score:4, Insightful)
dont let any ASp program or programmer have sa access.
if you cant write your app to use a regular SQL account then get the hell out of the business.
It is amazing how many "programmers" require administrative access to databases or resources for no reason whatsoever. give them a user account, if they forget their password, publically humiliate them by yelling "what? are you so stupid that you cant remember a password? why did they hire you if your that stupid?" This is reserved for programmers only... sales people and marketing are allowed to forget their password daily, we know they are that stupid, but a programmer has ZERO excuse.
First, if the programmer asks for admin access, laugh them out of the office. if they ask again tell them to do it at home on their own time (Unpaid). if they ask a third time start back at the top.
Re:Password (Score:2, Insightful)
If you are responsible for a house, you should know well enough to lock it.
Maybe the problem is that MS software often ends up in uncapable or unaware hands.
Lets not forget about home users with it installed (Score:2, Insightful)
Re:Why Microsoft is being targeted (Score:3, Insightful)
The reason all these worms target Microsoft is not because they hold the majority, it's because it's like shooting fish in a barrel...