On Tue, 2003-01-28 at 09:35, Solomon, Charlie wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In either case, I can't believe that with this much at stake they're
> exposing their servers that are running their DBs to the Internet with
> no intermediaries. I don't mean to crack open the MS-is-insecure can of
> worms, but I thought that exposing any DB server directly to the
> Internet was a dangerous proposition that orgs like this would avoid.
> If you're going to serve data from your DB to the web, wouldn't you put
> the DB on a different server than the web server? Or is this just a
> sign of the belt-tightening times? (No, I don't believe that.)

This is a problem I have as well, but differently.

Companies, nay people, will do any stupid thing possible, but in doing penetration testing and vulnerability scanning, MS SQL is one of the least common externally visible ports. I see PostgreSQL and MySQL far more often, but even that gets filtered.

Of course, since 1433 is above 1024, dumb firewalling will not block it.

Now some factors that might help the worm:

* It runs on UDP; not as many people think to scan/check UDP 1433.
* If it hits the DB server, the DB server almost always has privileged access to the inside of the company.
* The packets are so small, and the code so belligerently promiscuous, that it will catch a lot of obscure machines, and once inside it will catch most.
* There are wrappered Windows services that ran SQL on the inside.

I would like to know from people what was the initial vector that let the worm in.

-- 
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 17:13:40 PST