Looks like my paranoia was right! Just pulled from SANS/Incidents.org
http://www.incidents.org/diary/diary.php?id=156

MSSQL Worm (sqlsnake) on the rise
================================================================
(Preliminary)

Starting yesterday, the Internet Storm Center detected a sudden increase in hosts scanning for port 1433, which is commonly used by Microsoft's SQL Server. A number of exploits are known for this service. It is also known that many administrators do not set a password for the 'SA' account. This administrator account can be used to log on to the SQL server and execute arbitrary SQL commands. Using these commands, the user can read and write files, as well as execute code.

While we are still collecting all the pieces, some exploit code has been captured indicating that this is a self-propagating worm. Aside from a number of other functions, the worm will email a password list to ixltd@private
As of this morning, the quota of this account is exceeded.

Current graph of port 1433 activity:
http://isc.incidents.org/port_details.html?port=1433&tarax=1
(important line is the red one. It shows the number of sources)

Basic Protection
================
(1) block traffic to port 1433 tcp at your perimeter.
(2) ensure all Microsoft SQL servers are patched and a password is set up for the SA account.
(3) block all email to ixltd@private

It has been reported that some software packages include a version of SQL server (Visio Enterprise Edition?). A portscan for machines listening on port 1433 may help.

Detection
=========
Multiple outbound connection attempts to port 1433 should give away infected machines. We are working on more detailed signatures.

Some Functionality
==================
A quick rundown of functions this worm may perform. This is VERY PRELIMINARY.

- add guest user
- email password list
- self propagation (search for other vulnerable hosts)
- ... more to come...

Relevant Links
==============
Microsoft KB regarding SA password
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:17 PDT
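The "Detection" paragraph of the post says infected machines give themselves away through many outbound connection attempts to tcp/1433. The script below is an added example (not from the post, the poster, or the ISC) of that check run over perimeter connection logs. The log line format, the sample log, the `find_sql_scanners` / `parse_line` / `is_internal` names and the threshold of five distinct external targets are all assumptions made for this example; the sample log is constructed, not captured traffic.

```python
"""
Flag internal hosts that are fanning out to tcp/1433 on many external
addresses, the behaviour the post names as the giveaway for sqlsnake.

Added example, not part of the original post. The log format is an
assumption: one connection attempt per line, as a firewall or flow
exporter might emit it:
    <ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Constructed sample log (not real traffic): 10.0.0.25 is the "infected"
# host fanning out to seven external tcp/1433 targets, 10.0.0.40 is an admin
# box making one internal and one external SQL connection, the rest is
# unrelated noise the detector must ignore.
SAMPLE_LOG = """\
2002-05-22T08:00:01 tcp 10.0.0.25:3312 -> 192.0.2.10:1433
2002-05-22T08:00:01 tcp 10.0.0.25:3313 -> 192.0.2.11:1433
2002-05-22T08:00:01 tcp 10.0.0.25:3314 -> 192.0.2.12:1433
2002-05-22T08:00:02 tcp 10.0.0.25:3315 -> 198.51.100.7:1433
2002-05-22T08:00:02 tcp 10.0.0.25:3316 -> 198.51.100.8:1433
2002-05-22T08:00:02 tcp 10.0.0.25:3317 -> 203.0.113.2:1433
2002-05-22T08:00:03 tcp 10.0.0.25:3318 -> 203.0.113.3:1433
2002-05-22T08:00:05 tcp 10.0.0.40:1044 -> 10.0.0.5:1433
2002-05-22T08:00:06 tcp 10.0.0.40:1045 -> 203.0.113.9:1433
2002-05-22T08:00:07 tcp 10.0.0.51:1100 -> 192.0.2.50:80
2002-05-22T08:00:08 udp 10.0.0.25:1434 -> 192.0.2.10:1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 space counts as "inside"; anything else is beyond the perimeter.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not
    match the assumed format (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sql_scanners(log_text, min_targets=5, port=1433):
    """Map each internal source that attempted tcp/<port> to at least
    min_targets distinct external hosts onto the sorted list of those hosts.

    Counting distinct destinations rather than raw attempts keeps a single
    admin host that retries one server out of the result."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or int(rec["dport"]) != port:
            continue
        # Only inside -> outside attempts matter for "infected host" detection.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_sql_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct external tcp/1433 targets, e.g. {dsts[:3]}")
```

Run as-is it reports 10.0.0.25 only; 10.0.0.40 falls below the threshold because it touched a single external host. The threshold and the "external destinations only" filter are where tuning happens: lower the threshold on a network where nobody should be talking to outside SQL servers at all, and drop the internal-destination exclusion if you also want to catch the worm spreading between hosts inside the perimeter.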