Re: Increased connects to Port 1433

From: Tracey Losco (tal1@its.nyu.edu)
Date: 05/21/02 

Date: Tue, 21 May 2002 11:30:48 -0400
To: Darrin Powell <dpowell@lssi.net>, incidents@securityfocus.com
From: Tracey Losco <tal1@its.nyu.edu>

Yes, we're seeing it here at NYU too...the most recent info that I've
seen on this is:

Saturday, May 4th 2002
Large scale MSSQL scans.
 
================================================================
========================

For the last few days, we received a number of reports of widespread
scans of port 1433. The most common use of port 1433 is Microsoft's
SQL server.

Just this march, a vulnerability in SQL Server 7.0 and 2000 was shown
to allow access to the the security context of the server
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0154). Microsoft
released and advisory and a patch for this problem.
 
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp
)

It has also been known that many administrators do not change the
default password for the administrator account. SQL Server by default
ships with no password set for this account
( http://www.bhs.silesianet.pl/html/sql.htm ).

--------------------------------------------------------------------
Tracey Losco
Network Security Analyst security@nyu.edu
ITS - Network Services http://www.nyu.edu/its/security
New York University (212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0 B19E 462B 9DFE 51F5

At 10:33 AM -0400 5/21/02, Darrin Powell wrote:
>Is anyone else seeing this?
>
>
>
>
>
>
>Thanks
>--
>Darrin Powell
>System Administrator
>LSSi, Corp.
>(919) 466-6803
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: Permission question - another one
    ... I would have thought that Administrator ... Are you asking why is it connecting to SQL Server? ... > and I gave BUILTIN/Administrator this database as its default database. ...
    (microsoft.public.sqlserver.programming)
  • Re: Windows Vista Enterprise and SQL Server 2005 Agent
    ... This has nothing to do with SQL Server and this is an expected behaviour of Windows Vista operating systems. ... Cause of those popups and normal-user-like acting is some new security system called User Account Control. ... It all seems to be related to security things, even though I am an administrator. ...
    (microsoft.public.sqlserver.security)
  • Re: Fresh installation and no access
    ... You're not getting access because you're not an administrator when you log ... In previous OS's you had administrator permissions on the database ... You must create a login (to allow connect to SQL Server) then a user to be ...
    (microsoft.public.sqlserver.security)
  • Re: Permission question - another one
    ... SQL Server looks at when you try to connect using Windows Authentication. ... >>> Does your Windows Login TRAVAC/tfs belong to the local Administrators ... >> Are you talking about on Raptor? ... > I am assuming local administrator is in local users and groups from ...
    (microsoft.public.sqlserver.programming)
  • Re: Service Accounts on SQL Server, Best Practices
    ... SQL Server and SQL Server Agent service accounts do not need to be a local administrator or domain administrator for Failover Clustering on Windows 2000 ... If the service account for SQL Server is not an administrator in a cluster, the administrative shares cannot be deleted on any nodes of the cluster. ...
    (microsoft.public.sqlserver.clustering)