Security

New Microsoft SQL Server Worm 290

Ian Bell writes: "A new unnamed worm has been released and, once again, Microsoft software is the target. More specifically, this new worm targets Microsoft SQL servers with no administrator passwords set. Once the server is infected, it logs onto Internet Relay Chat (IRC) servers and is ready to receive commands and act accordingly. Although this can be a fairly malicious worm, it is very unlikely to infect many servers due to the fact that the majority of Microsoft SQL servers have administrator passwords."
This discussion has been archived. No new comments can be posted.

  • by LionMan ( 18384 ) <leo.stein@NosPAm.gmail.com> on Sunday November 25, 2001 @02:50AM (#2609311) Homepage Journal
    I must take pity on Microsoft for their situation - being so large and omnipresent, they are a constant target of attack. Of course, their situation would be a lot simpler if they released source so that these things could be fixed by anyone as soon as a problem pops up, but that is a whole philosophical problem for Microsoft, so I can only pity them, not aid them.
  • by CaptainSuperBoy ( 17170 ) on Sunday November 25, 2001 @04:31AM (#2609504) Homepage Journal
    SQL 7 and 8 (aka 2000) do ask you for a password, and scold you if you leave it blank. However they do accept connections from anyone by default. I can't find a way to restrict access by IP, though. I guess you just have to set a decent password. Maybe I'm wrong, but it's too bad - if the web server is the only machine that needs to hit the sql server, it really shouldn't accept connections from anyone else. I've heard "but we're behind a firewall" too many times as an excuse for poor security internally. Users punch holes through firewalls, and nothing protects you against a malicious employee.
  • Re:Not so, not so... (Score:3, Interesting)

    by WasterDave ( 20047 ) <davep@z e d k e p.com> on Sunday November 25, 2001 @05:32AM (#2609598)
    I've seen shops where the sa account was kept blank so ASP "programmers" wouldn't have to bother with remembering a password.

    In the unlikely event of an ASP programmer:
    a, Giving a shit about security and
    b, Realising that in all probability the IIS box will be owned at some point, and therefore his source code will become (effectively) public knowledge...

    What options do these... delightful individuals... have for not having a plaintext password stored in the .asp source for connecting to the database? Can they, for instance, keep the password in the registry? (and hence it can be changed on a regular basis, good lord)

    For extra points, how to do it on php? Yes, I am in the process of developing something under php and am a tad concerned about this.

    Dave
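One way to handle the PHP half of the question in the comment above, as an added example that is not part of any poster's comment: the login is read from a file outside the document root, and the loader rejects a blank password or the `sa` login. The file location, the key names `dsn`/`user`/`password` and the login `shop_web` are assumptions.

```php
<?php
// Added example; the file location, key names and login name are assumptions.
function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('credential file not found');
    }
    // Refuse a file the web server could hand out as a static document.
    $root = realpath($docRoot);
    if ($root !== false &&
        strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('credential file is inside the document root');
    }
    // On Unix, refuse files readable by group or others.
    clearstatcache(true, $real);
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('credential file must be mode 0600 or stricter');
    }
    $cfg = parse_ini_file($real);
    if ($cfg === false) {
        throw new RuntimeException('credential file is not valid INI');
    }
    foreach (['dsn', 'user', 'password'] as $key) {
        // A blank password is rejected here rather than passed to the server.
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing or empty '$key'");
        }
    }
    // The web application should not connect as the administrator login.
    if (strcasecmp($cfg['user'], 'sa') === 0) {
        throw new RuntimeException('use a least-privilege login, not sa');
    }
    return $cfg;
}

// Constructed sample input: a throwaway credential file in the temp directory.
$file = tempnam(sys_get_temp_dir(), 'dbini');
file_put_contents($file, "dsn = \"sqlsrv:Server=db.example.internal;Database=shop\"\n"
    . "user = shop_web\npassword = \"constructed-sample-only\"\n");
chmod($file, 0600);
$creds = load_db_credentials($file, '/var/www/html');
echo "would connect to {$creds['dsn']} as {$creds['user']}\n";
// In the application: new PDO($creds['dsn'], $creds['user'], $creds['password']);
unlink($file);
```

With the login in its own file, the password can be changed on a schedule by editing that file alone, without touching the page source.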
  • by Lumpy ( 12016 ) on Sunday November 25, 2001 @09:05AM (#2609833) Homepage
    you obviously don't deal with custom vertical apps. or the real world in particular.

    we have 5 SQL servers that are forced to run with no password. because our critical software that uses it is hard coded to not have a password for SQL server.

    I had asked the vendor 5 times within the past 3 years to change this, and then asked upper management to ask the vendor.

    What was I told? "It's not an important issue"

    so now I get to be spanked this monday when 10 sql servers all start to try and connect to irc through the firewall.

    So in response to you, I am more competent than 60% of the MS admins in my state. but when you have your hands tied by management you can't do crap but grab a mop and clean up after management's messes all the time... (examples? outlook, trying to run 700,000 users on a MS email server cluster, and brain dead morons wanting to have one super data center and pay for fat pipes to each office instead of having resources at each office. hmmm one disaster and this company is 100% screwed.)

    oh and your "yardsticks" comment...
    first the manager of the IS department or even the CTO should be the one getting publicly fired. as they are usually the ones tying the hands of the admins and preventing them from doing their jobs.

    if a shop gets hit with any exploit, fire the manager first and the techs last.
  • by dillon_rinker ( 17944 ) on Sunday November 25, 2001 @11:16AM (#2610037) Homepage
    I seriously believe that infections like this should start becoming yardsticks that system administrators are hired and fired against.

    Another poster has indicated that sometimes stupid management decisions prevent you from doing what you know is optimal. If YOU know something's stupid, but your manager tells you to do it anyway, get it in writing (or at least in email). Do NOT do anything potentially harmful to your company unless you have it in writing. Claim that it's part of your documentation procedures, that all non-vendor recommended configurations must be documented.

    If your boss refuses to provide direction in writing, send a memo or email confirming your conversation and letting the boss know that you're going to do what he said. When you're done, send another one saying so, reminding the boss that the situation is nonoptimal and encouraging him to provide you with the resources or permission to optimize things again. Be sure to keep a hard copy of this communication. If your boss is a big enough weenie, you might want to keep a copy at home.

    Keep in mind that a good email admin can alter emails on the server and leave no tracks, so if you're the email admin, instructions in email are irrelevant. Same is true (but for a different reason) if the email admin is in the boss's pocket.

    This advice is probably not applicable to a lot of readers who are already job-hopping and don't care if they do more. Good for you. Some of us, though, (myself included), like our positions and stay in them, and therefore must learn to weather a succession of pointy-haired bungee-boss types. So far I've outlasted three in two years.

    Finally, remember this:
    All human endeavors are political. Those who don't think they're playing politics are merely playing politics badly.
  • by Tom7 ( 102298 ) on Sunday November 25, 2001 @01:06PM (#2610314) Homepage Journal

    Having had the distinct displeasure of working with MS SQL before, I think I can lend some insight into why SQL server gets installed with no sa password.

    There are lots of companies out there that make custom software, or domain-specific software, and sell it for lots of money. Most of the software they make is database stuff for businesses, (so, there might be a company that specializes in a database product for food manufacturers, etc.).

    These apps, if they are for NT, usually need MS SQL server. Usually, the person installing them doesn't know anything about SQL server, they just bought it for the first time along with the app. The installation instructions tell them to do a certain thing, they do it, and voilà, SQL server is installed with a default or empty password. (To their credit, the versions of MS SQL I've used are very happy to install without setting a password for the administrator.) Most of these people probably don't realize that the software can be accessed over TCP/IP. After all, remote accessibility over the internet in Windows is a relatively new thing (as opposed to the UNIX world).

    So yes, this is stupid, but it is not as braindead as installing redhat and stubbornly skipping the step where it asks you to choose a root password. You have to understand what SQL server is about, which is not as common as it perhaps should be, because SQL server is typically seen as an *accessory* to the real app they are installing.
  • by Error27 ( 100234 ) <error27.gmail@com> on Sunday November 25, 2001 @03:15PM (#2610674) Homepage Journal
    According to the most recent netcraft survey 1 in 10 servers running IIS as an e-commerce website or a secure website still has a back door installed from the Code Red virus.

    I don't know how they got the figures. But Netcraft is traditionally very even handed and reasonable.

    This new virus probably won't help those figures very much.

    So remember... If you buy from a web site running IIS you have a 10% chance that your credit card number is going to be sent directly to a guy who calls himself Hax0rDo0d.

    I don't want to flame MS for this since customers demand that no password be installed by default. But on the other hand there's no need to go overboard and buy from hax0red web sites just to be nice.
