Re: Strange scan on 1433
From: George Bakos (gbakos@ists.dartmouth.edu)
Date: 05/21/02
Date: Tue, 21 May 2002 17:45:29 -0400
From: George Bakos <gbakos@ists.dartmouth.edu>
To: "Blake Frantz" <blake@mc.net>
My apologies for the initial misinterpretation. The random password()
function is only invoked when assigning a temporary password to the Guest
account, as well as for setting one on the previously null sa. There is
no attempt to hammer out passwords for entry. The incidents.org diary
entries have been amended, and a more in-depth analysis submitted.
Again, my apologies for the premature announcement, although good passwords
are always a fine idea.
On Tue, 21 May 2002 11:46:49 -0500
"Blake Frantz" <blake@mc.net> wrote:
> >-----Original Message-----
> >From: David LaPorte [mailto:david_laporte@harvard.edu]
> >Sent: Tuesday, May 21, 2002 10:23 AM
> >To: Pavel Lozhkin; incidents@securityfocus.com
> >Subject: RE: Strange scan on 1433
> >
> >They're looking for MS-SQL servers with blank/default sa passwords that are missing the MS02-020
> >
> >
>
> It's not limited to *blank* sa passwords:
>
> From: http://www.incidents.org/diary/diary.php?id=156
>
> <snip>
> IMPORTANT ADDITION (thanks to George Bakos, ISTS for pointing this out):
> The worm includes code to brute force the SA password. Using a password
> larger than 8 characters, or a password containing non alphanumeric
> characters (punctuation) will defend against this brute forcing.
> </snip>
>
> Additionally, roelof@sensepost.com / haroon@sensepost.com from sensepost
> wrote a .pl for finding blank sa passwords. Some may find it useful.
> http://www.sensepost.com/misc/SQLinsertion.htm
>
> -Blake
>
>
> -----------------------------------------------------------------------
> ----- This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos@ists.dartmouth.edu
voice 603-646-0665
fax 603-646-0666