http://www.newsbytes.com/news/02/176701.html

By Brian McWilliams, Newsbytes
SAN MATEO, CALIFORNIA, U.S.A., 21 May 2002, 11:04 AM CST

A mounting trail of evidence has security experts warning that a new Internet worm targeting Microsoft SQL servers could be on the loose.

Since Monday, a sharp spike in remote probes of TCP port 1433, the port commonly used by Microsoft's SQL database, has been reported by many server administrators, according to SecurityFocus, which operates an incident-reporting system called ARIS.

Officials at the SANS Institute, a computer security education and analysis organization, also reported today that they have received "exploit code" indicating that the increase in port 1433 scans may be due to a self-propagating worm rather than to manual probes by would-be attackers.

According to SANS incident handler Johannes Ullrich, a preliminary analysis shows that the code, which has been dubbed "SQLsnake," attempts to log in to the SQL administrator's account on a remote server using a "brute force" password cracker.

Once the worm, which is written in JavaScript, has gained SQL administrator access, its author can execute SQL commands, including reading and writing files as well as executing code, SANS said.

The SQLsnake code also appears to e-mail a list of passwords captured from the victim server to a free e-mail account hosted in Singapore.

As of this morning, more than 1,400 systems appear to have been compromised by the worm and are actively probing other servers, according to statistics compiled by SANS.

Potentially infected hosts are spread geographically, with the majority located in Korea, the United States, Canada, France, Taiwan and China, SecurityFocus reported yesterday.

According to SecurityFocus vice president of engineering Alfred Huger, intrusion detection reports suggest the potential worm is specifically targeting Microsoft SQL systems without proper password protection.
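The two signals the article describes, a spike in probes of TCP port 1433 and infected hosts "actively probing other servers", both show up in a perimeter firewall's deny log. The following is an added example, not code from the article, SANS or SecurityFocus: it parses a constructed, hypothetical firewall log, counts 1433 attempts per minute so a spike stands out against the baseline, and flags any source that sweeps several distinct internal hosts on 1433, which is the horizontal-scan pattern of a machine hunting for more SQL servers. The log layout, the IP addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample perimeter-firewall log (not from the article, not real
# traffic). One line per denied inbound connection attempt; the field layout
# is an assumed, generic one, so adapt LINE_RE to your own firewall's format.
SAMPLE_LOG = """\
2002-05-20 09:12:01 DENY TCP 203.0.113.7:3412 -> 198.51.100.10:1433
2002-05-20 09:12:01 DENY TCP 203.0.113.7:3413 -> 198.51.100.11:1433
2002-05-20 09:12:02 DENY TCP 203.0.113.7:3414 -> 198.51.100.12:1433
2002-05-20 09:12:02 DENY TCP 203.0.113.7:3415 -> 198.51.100.13:1433
2002-05-20 09:12:03 DENY TCP 203.0.113.7:3416 -> 198.51.100.14:1433
2002-05-20 09:15:40 DENY TCP 192.0.2.55:1045 -> 198.51.100.10:1433
2002-05-20 09:15:41 DENY TCP 192.0.2.55:1046 -> 198.51.100.10:1433
2002-05-20 09:20:11 DENY TCP 192.0.2.99:2048 -> 198.51.100.10:80
2002-05-20 09:21:00 DENY UDP 192.0.2.99:2049 -> 198.51.100.11:1434
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SQL_PORT = 1433  # TCP port used by Microsoft SQL Server


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected layout (a real log always contains a few of those)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def sql_probe_records(log_text):
    """Yield only the parsed records that are TCP attempts against port 1433."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == SQL_PORT:
            yield rec


def scanning_sources(log_text, min_targets=3):
    """Return {src_ip: sorted list of distinct dst_ip} for sources that hit
    port 1433 on at least min_targets distinct hosts. Repeated attempts against
    a single server may just be a noisy login failure; one source sweeping many
    servers is the pattern of a host looking for more SQL servers."""
    targets = defaultdict(set)
    for rec in sql_probe_records(log_text):
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def probes_per_minute(log_text):
    """Count TCP/1433 attempts per minute ("YYYY-MM-DD HH:MM") so that a spike
    in scanning stands out against the normal baseline."""
    counts = defaultdict(int)
    for rec in sql_probe_records(log_text):
        counts[f"{rec['date']} {rec['time'][:5]}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dsts in scanning_sources(SAMPLE_LOG).items():
        print(f"{src} probed port {SQL_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
    for minute, n in sorted(probes_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}  {n} probes")
```

A source flagged by `scanning_sources` is a candidate both for the perimeter block on port 1433 the article recommends and for a check of whether that host's own SQL administrator account still carries the default blank password, since a scanning host is most likely an already-compromised one. The `min_targets` threshold is deliberately low for the sample; on a busy perimeter it should be tuned against the normal rate of 1433 noise.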
Many Microsoft SQL administrators fail to set a strong password for the system account, which by default has a "null" or non-existent password, SecurityFocus warned yesterday in an alert to ARIS users.

Last month, Microsoft issued a patch for a buffer-overflow flaw in its SQL Server version 7 and version 2000. According to Huger, there is no indication so far that the potential worm is targeting that vulnerability.

Earlier this year, Microsoft advised customers that a worm, which was given the name "Voyager Alpha Force," was scanning the Internet for Microsoft SQL servers and attempting to log in to administrator accounts that lacked passwords.

To prevent the spread of SQLsnake, security experts advised system administrators to block traffic to port 1433 at the perimeter of their network, and to ensure that all Microsoft SQL servers are patched and properly password-protected.

Microsoft SQL is the most popular Web database, with 68 percent market share, according to Microsoft.

The SANS analysis of SQLsnake is at http://www.incidents.org/diary/diary.php?id_6

SecurityFocus is at http://www.securityfocus.com

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed May 22 2002 - 04:19:40 PDT