Automated worm attacks MS SQL Server
Published: 05 Jun 2002 14:09 BST
Details
The Incidents.org (SANS Institute) report on this worm lists the following files as being enclosed in SQLSnake:
drivers/services.exe -- Foundstone's fscan.exe (UPX packed)
clemail.exe
pwdump2.exe
run.js
samdump.dll
sqldir.js
sqlexec.js
sqlinstall.bat
sqlprocess.js
timer.dll
According to a CNET News Report, within two days of the worm's appearance, 2,450 SQL servers had been infected and 74,000 had been targeted for attack.
The following sources also have advisories or reports on the SQLSnake worm:
Final word
Once again, IT pros will probably direct most of the blame for this attack at Microsoft for configuring poor defaults on earlier versions of SQL Server. But in this instance, the company's big mistake was relying on administrators to install its software with a minimum of common sense by altering the default installation password.
Even if only a small percentage of users have failed to properly secure their systems, this will still be a dangerous worm because Microsoft SQL database has a large market share, especially in small to midsize businesses.
To make matters worse, this isn't some newly discovered problem. Several previous warnings have been issued, including at least one directly from Microsoft, telling SQL Server admins that they need to set passwords on the sa account. For those who have missed or ignored earlier warnings, it's definitely time to get around to fixing this problem.