** New Internet Worm In The Wild *** SQLSNAKE

Check out the following article about the above worm.
It attacks servers which have a blank 'sa' password by using the extended sp xp_cmdshell.

'SQLsnake' Worm Blamed For Spike In Port 1433 Scans
---------------------------------------------------

By Brian McWilliams, Newsbytes
SAN MATEO, CALIFORNIA, U.S.A.,
21 May 2002, 11:04 AM CST

A mounting trail of evidence has security experts warning that a new Internet worm targeting Microsoft SQL servers could be on the loose.
Since Monday, a sharp spike in remote probes of TCP port 1433, which commonly is used by Microsoft's SQL database, has been reported by many server administrators, according to SecurityFocus, which operates an incident-reporting system called ARIS.

Officials at the SANS Institute, a computer security education and analysis organization, also reported today that they have received "exploit code" that indicates the increase in port 1433 scans may be due to a self-propagating worm rather than to manual probes by would-be attackers.

According to SANS incident handler Johannes Ullrich, a preliminary analysis shows the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.

Once the worm, which is written in JavaScript, has gained SQL administrator access, its author has the ability to execute SQL commands, which include reading and writing files, as well as executing code, SANS said.

The SQLsnake code also appears to e-mail a list of passwords captured from the victim server to a free e-mail account hosted in Singapore.

As of this morning, more than 1,400 systems appear to have been compromised by the worm and are actively probing other servers, according to statistics compiled by SANS.

Potentially infected hosts are spread geographically, with the majority located in Korea, the United States, Canada, France, Taiwan and China, SecurityFocus reported yesterday.

According to SecurityFocus vice president of engineering Alfred Huger, intrusion detection reports suggest the potential worm is specifically targeting Microsoft SQL systems without proper password protection.

Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users.

Last month, Microsoft issued a patch for a buffer-overflow flaw in its SQL Server version 7 and version 2000. According to Huger, there is no indication so far that the potential worm is targeting that vulnerability.

Earlier this year, Microsoft advised customers that a worm, which was given the name "Voyager Alpha Force," was scanning the Internet for Microsoft SQL servers and attempting to log into administrator accounts that lacked passwords.

To prevent the spread of SQLsnake, security experts advised system administrators to block traffic to port 1433 at the perimeter of their network, and to ensure that all Microsoft SQL servers are patched and properly password-protected.

Microsoft SQL is the most popular Web database, with 68 percent market share, according to Microsoft.

The SANS analysis of SQLsnake is at .

SecurityFocus is at .

Reported by Newsbytes, .
Bernadette
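The article above describes the tell-tale sign of this worm from the outside: a spike in TCP/1433 probes, with infected servers sweeping many other hosts. The following is an added example (not code from this post, the Newsbytes article, or SANS) of the triage a defender could run over perimeter firewall logs to measure that spike and pick out the sweeping sources. The iptables-style log format, the addresses and the threshold are constructed for illustration.

```python
"""Detect a spike in TCP/1433 probes and the sources responsible.

Added example for this thread (not code from the Tek-Tips post or the
Newsbytes article). The log line format, host addresses and the
distinct-target threshold are constructed/assumed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed iptables-style record (constructed): ISO timestamp, then
# SRC=/DST=/PROTO=/DPT= fields somewhere later on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

SQL_PORT = 1433  # Microsoft SQL Server default listener port


def parse_line(line):
    """Parse one firewall record; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def probes_per_hour(lines, port=SQL_PORT):
    """Count TCP probes to `port` per hour bucket; a jump between buckets
    is the 'spike' the article describes."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            buckets[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(buckets)


def find_scanners(lines, port=SQL_PORT, min_distinct_targets=3):
    """Return {source: distinct_destinations} for sources that hit `port`
    on at least `min_distinct_targets` different hosts. One source
    touching many targets is the signature of a sweeping (infected) host,
    not of a legitimate client talking to its own database server."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items()
            if len(d) >= min_distinct_targets}


# Constructed sample log: one normal client (198.51.100.7) re-connecting to
# a single server, one host (203.0.113.9) sweeping a range on 1433, plus
# unrelated traffic and a malformed line that must be ignored.
SAMPLE_LOG = """\
2002-05-20T09:12:01 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=1433 SYN
2002-05-20T09:30:44 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=1433 SYN
2002-05-20T10:00:02 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=1049 DPT=1433 SYN
2002-05-20T10:00:02 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=1050 DPT=1433 SYN
2002-05-20T10:00:03 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.3 PROTO=TCP SPT=1051 DPT=1433 SYN
2002-05-20T10:00:03 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.4 PROTO=TCP SPT=1052 DPT=1433 SYN
2002-05-20T10:00:05 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.5 PROTO=UDP SPT=1053 DPT=1434
2002-05-20T10:05:00 kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 SYN
this line is not a firewall record and must be skipped
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("TCP/1433 probes per hour:", probes_per_hour(lines))
    print("Likely scanners:", find_scanners(lines))
```

On the constructed log the 09:00 bucket holds 2 probes and the 10:00 bucket 4, and only 203.0.113.9 (4 distinct targets) is reported as a scanner; the repeat client is not. Sources the check flags inside your own network are candidates for the blank-'sa' check and the perimeter block the article recommends.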
 
Bernadette,

I posted a News item yesterday about the worm. I've just added some more resources that may be helpful in recovering from the worm or preventing infestation.

See Thread183-279012 - "Warning: New SQL Server Virus."

Terry L. Broadbent - DBA
Computing Links:
faq183-874 contains "Suggestions for Getting Quick and Appropriate Answers" to your questions.
 
Thanks a million Terry

Bernadette [thumbsup2]
 
I'm lucky enough to have a consultant that helps me on our SQL servers, and he's had admin passwords on all of them for years.

Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"Accident is the name of the greatest of all inventors."
Mark Twain (1835-1910), U.S. author.
 