Re: Strange scan on 1433

From: George Bakos (gbakosat_private)
Date: Tue May 21 2002 - 14:45:29 PDT

Next message: Blake Frantz: "Worms and CScript/WScript"

Previous message: Travis Pugh: "Re: Increased connects to Port 1433"
In reply to: Blake Frantz: "RE: Strange scan on 1433"
Next in thread: Blake Frantz: "Worms and CScript/WScript"
Next in thread: Ken Pfeil: "RE: Strange scan on 1433"
Reply: Blake Frantz: "Worms and CScript/WScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

My apologies for the initial misinterpretation.  The random password()
function is only invoked when assigning a temporary password to the Guest
account, as well as for setting one on the previously null sa.  There is
no attempt to hammer out passwords for entry.  The incidents.org diary
entries have been amended, and a more in-depth analysis submitted.

Again, My apologies for the premature announcement, although good passwords
are always a fine idea.

On Tue, 21 May 2002 11:46:49 -0500
"Blake Frantz" <blakeat_private> wrote:

> >-----Original Message-----
> >From: David LaPorte [mailto:david_laporteat_private] 
> >Sent: Tuesday, May 21, 2002 10:23 AM
> >To: Pavel Lozhkin; incidentsat_private
> >Subject: RE: Strange scan on 1433
> >
> >They're looking for MS-SQL servers with blank/default sa passwords that
> are missing the MS02-020 
> >
> >
> 
> It's not limited to *blank* sa passwords:
> 
> From: http://www.incidents.org/diary/diary.php?id=156
> 
> <snip>
> IMPORTANT ADDITION (thanks to George Bakos, ISTS for pointing this out):
> The worm includes code to brute force the SA password. Using a password
> larger than 8 characters, or a password containing non alphanumeric 
> characters (punktuation) will defend against this brute forcing.
> </snip>
> 
> Additionally, roelofat_private / haroonat_private from sensepost
> wrote a .pl for finding blank sa passwords.  Some may find it useful.
> http://www.sensepost.com/misc/SQLinsertion.htm
> 
> -Blake
> 
> 
> -----------------------------------------------------------------------
> ----- This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakosat_private
voice 	603-646-0665
fax	603-646-0666

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Blake Frantz: "Worms and CScript/WScript"
Previous message: Travis Pugh: "Re: Increased connects to Port 1433"
In reply to: Blake Frantz: "RE: Strange scan on 1433"
Next in thread: Blake Frantz: "Worms and CScript/WScript"
Next in thread: Ken Pfeil: "RE: Strange scan on 1433"
Reply: Blake Frantz: "Worms and CScript/WScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 21 2002 - 13:59:27 PDT