Re: SQL Worm

From: Sue Hoegemeier (Sue_H@nomail.please)
Date: 05/21/02


From: Sue Hoegemeier <Sue_H@nomail.please>
Date: Tue, 21 May 2002 09:53:36 -0600


Apparently so. You can find some recent info on this at:
http://www.incidents.org/diary/diary.php?id=156

-Sue

On 21 May 2002 01:59:13 -0700, timb@maxit.com.au (Tim
Blizard) wrote:

>Is anyone aware of a resurrected version of the SQL Server worm that
>appeared in November last year?
>
>I can see from a network trace and NETSTAT -A command that one of my
>servers is regularly scanning whole subnets looking for any host that
>will allow a connection to port 1433. Unfortunately I can't identify
>the culprit process. I'm guessing that the worm has been modified and
>set loose again.
>
>When the original worm appeared, it used XP_CMDSHELL to download and
>execute a program called DNSSERVICE.EXE. This would then scan for
>other hosts on the net that had SQL Server on port 1433 with an empty
>password on the SA account. This program does not exist on our system
>and no process of this name exists however the behaviour continues at
>periodic intervals.
>
>Before anyone says that I should secure the SA account .... I know.
>Unfortunately we run an application that is hardcoded to use the SA
>account with no password. We have set firewall filters to prevent
>access to port 1433 for most internet hosts except for certain subnets
>owned by clients. Unfortunately this worm appears to have infected one
>of those clients first and then been able to get to us because they
>have access, through the firewall, to port 1433. Should have removed
>XP_CMDSHELL!!
>
>Any ideas?
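
Added example, not part of the original thread: one way to confirm the scanning behaviour described above from `netstat -an` output is to group outbound connection attempts to port 1433 by /24 network and flag networks where many distinct hosts are being tried. The sample text, the 10.0.0.5 address and the `min_hosts` threshold are constructed assumptions; the script shows which subnets are being swept, not which process is doing it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -an` (not data from the thread):
# eight half-open attempts across one /24, plus one ordinary client connection.
SAMPLE = (
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    10.0.0.5:1433          0.0.0.0:0              LISTENING\n"
    "  TCP    10.0.0.5:1433          198.51.100.7:2210      ESTABLISHED\n"
    "  TCP    10.0.0.5:3050          198.51.100.7:1433      ESTABLISHED\n"
    + "".join(
        f"  TCP    10.0.0.5:{3100 + i}          192.0.2.{i}:1433         SYN_SENT\n"
        for i in range(1, 9)
    )
)

# IPv4 TCP rows only: proto, local ip:port, remote ip:port, state.
ROW = re.compile(r"^\s*TCP\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(\S+)\s*$")

def outbound_targets(text, port=1433):
    """Group remote hosts this machine connects TO on `port` by /24 network."""
    by_net = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, or anything that is not an IPv4 TCP row
        remote_ip, remote_port, state = m.group(3), int(m.group(4)), m.group(5)
        # Remote port == 1433 means this host is the client. LISTENING rows and
        # inbound sessions (local port 1433) are normal for a SQL Server.
        if remote_port != port or state == "LISTENING":
            continue
        net = ipaddress.ip_network(f"{remote_ip}/24", strict=False)
        by_net[str(net)].add(remote_ip)
    return by_net

def find_sweeps(text, port=1433, min_hosts=5):
    """Return {network: distinct host count} for /24s with >= min_hosts targets."""
    return {
        net: len(hosts)
        for net, hosts in outbound_targets(text, port).items()
        if len(hosts) >= min_hosts
    }

if __name__ == "__main__":
    for net, count in find_sweeps(SAMPLE).items():
        print(f"possible sweep of {net}: {count} distinct hosts on port 1433")
```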
