Re: SQL Worm

From: Sue Hoegemeier (Sue_H@nomail.please)
Date: 05/21/02


From: Sue Hoegemeier <Sue_H@nomail.please>
Date: Tue, 21 May 2002 09:53:36 -0600


Apparently so. You can find some recent info on this at:
http://www.incidents.org/diary/diary.php?id=156

-Sue

On 21 May 2002 01:59:13 -0700, timb@maxit.com.au (Tim Blizard) wrote:

>Is anyone aware of a resurrected version of the SQL Server worm that
>appeared in November last year?
>
>I can see from a network trace and NETSTAT -A command that one of my
>servers is regularly scanning whole subnets looking for any host that
>will allow a connection to port 1433. Unfortunately I can't identify
>the culprit process. I'm guessing that the worm has been modified and
>set loose again.
>
>When the original worm appeared, it used XP_CMDSHELL to download and
>execute a program called DNSSERVICE.EXE. This would then scan for
>other hosts on the net that had SQL Server on port 1433 with an empty
>password on the SA account. This program does not exist on our system
>and no process of this name exists; however, the behaviour continues at
>periodic intervals.
>
>Before anyone says that I should secure the SA account .... I know.
>Unfortunately we run an application that is hardcoded to use the SA
>account with no password. We have set firewall filters to prevent
>access to port 1433 for most internet hosts except for certain subnets
>owned by clients. Unfortunately this worm appears to have infected one
>of those clients first and then been able to get to us because they
>have access, through the firewall, to port 1433. Should have removed
>XP_CMDSHELL!!
>
>Any ideas?
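Tim's symptom is a local server sweeping whole subnets for anything answering on TCP/1433, visible in NETSTAT output as a pile of half-open (SYN_SENT) connections to distinct hosts. The script below is an added example, not code from the thread, the worm, or either poster: it parses the text of a Windows `netstat -an` dump, reports any local address with many SYN_SENT attempts to port 1433 across different hosts, and also notes whether SQL Server is itself listening on 1433. The sample netstat output, the local/target addresses, the /24 grouping and the threshold of 8 targets are all constructed assumptions for illustration.

```python
"""Flag a host that is sweeping subnets for SQL Server (TCP/1433).

Added example, not from the original thread. Parses Windows-style
`netstat -an` text and reports local addresses with many half-open
(SYN_SENT) connections to port 1433 on distinct foreign hosts, which is
the scanning pattern the post describes. The sample data and threshold
are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Matches one `netstat -an` row:  PROTO  local:port  foreign:port  [STATE]
# (UDP rows have no state and show the foreign side as *:*)
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign_ip, foreign_port, state)
    for every connection row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, lip, lport, fip, fport, state = m.groups()
        yield (proto, lip, int(lport), fip,
               None if fport == "*" else int(fport), state or "")


def summarize_net(host):
    """Collapse a target address to its /24 (IPv4) or /64 (IPv6) prefix."""
    addr = ipaddress.ip_address(host.strip("[]"))
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))


def find_sql_sweeps(text, port=1433, min_targets=8):
    """Return {local_ip: {"targets": n, "subnets": [...]}} for every local
    address with at least `min_targets` distinct foreign hosts in SYN_SENT
    to `port`. A legitimate client holds a few ESTABLISHED sessions; a
    scanner shows many half-open attempts spread across a subnet."""
    targets = defaultdict(set)
    for proto, lip, _lp, fip, fport, state in parse_netstat(text):
        if proto == "TCP" and fport == port and state == "SYN_SENT":
            targets[lip].add(fip)
    result = {}
    for lip, hosts in targets.items():
        if len(hosts) >= min_targets:
            nets = {summarize_net(h) for h in hosts}
            result[lip] = {"targets": len(hosts), "subnets": sorted(nets)}
    return result


def listening_on(text, port=1433):
    """True if any TCP socket is LISTENING on `port` (SQL Server exposed)."""
    return any(proto == "TCP" and lp == port and state == "LISTENING"
               for proto, _lip, lp, _f, _fp, state in parse_netstat(text))


# Constructed sample (assumption): one legitimate ESTABLISHED client session
# plus the local server 192.0.2.10 sweeping 10.20.30.0/24 for port 1433.
SAMPLE = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING",
     "  TCP    192.0.2.10:1433        198.51.100.7:3412      ESTABLISHED",
     "  UDP    0.0.0.0:1434           *:*"]
    + ["  TCP    192.0.2.10:%d        10.20.30.%d:1433        SYN_SENT"
       % (2000 + i, i) for i in range(1, 13)]
)

if __name__ == "__main__":
    print("SQL Server listening on 1433:", listening_on(SAMPLE))
    for lip, info in find_sql_sweeps(SAMPLE).items():
        print("%s is sweeping %d hosts for 1433 in %s"
              % (lip, info["targets"], ", ".join(info["subnets"])))
```

To use it on a live box, pipe `netstat -an` output into `find_sql_sweeps` and run it a few times a minute; the culprit is whichever local address keeps accumulating fresh SYN_SENT entries. The ESTABLISHED session to a real client in the sample is deliberately not counted, since the point is to separate normal SQL traffic from the sweep.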