

Forum excerpt (SQL Server 2012)

Question: Every now and then, a process (red arrow) executed by SA in our SQL Server 2012 instance blocks our system. The image shows 2 processes only for this post's sake. It lasts between 65-80 minutes.

Reply: If you have it behind a firewall with no forwarding or allow rules for Internet traffic, it is likely coming from an internal machine. If that is the case, it is possible some machine(s) on your network are compromised and someone is using a LAN machine as a pivot point for the attack.

Exploitation of Vulnerabilities in Microsoft SQL Server

A complete revision history can be found at the end of this file.

Overview

The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.

Systems affected

- Systems running Microsoft Data Engine 1.0 (MSDE 1.0) or Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) installed with mixed mode
- Systems running Tumbleweed's Secure Mail (MMS) versions 4.3, 4.5,

Description

Reports received by the CERT/CC indicate that the Spida worm scans for systems listening on port 1433/tcp. It also attempts to send a copy of the local password (SAM) database, network configuration information, and other SQL server configuration information to a fixed email address. Once the local copy is executing on the victim system, the worm begins scanning for other systems to infect.

On a compromised system the worm:

- sets the sa password to the same password as the guest account
- assigns the guest user to the local Administrator and Domain Admins groups

While site-specific configurations may vary, the SQL Server is typically run with system-level privileges.

The attack used by the Spida worm is similar to that used by the Kaiten malicious code described in IN-2001-13. Additional information on null default sa passwords in Microsoft SQL Server can be found in VU#635463.

Impact

The scanning activity of the Spida worm may cause denial-of-service conditions on compromised systems, and it has been reported to cause high traffic volumes even on networks with no compromised hosts. Information about the victim system's configuration and accounts may be compromised by the email the worm attempts to send. By leveraging a default null password, an attacker may execute arbitrary commands on the system in the security context in which the Microsoft SQL Server services are running.

Protection

Set a password on the sa account

Following best practices, passwords should never be left with a null or easily guessed value. Ensure that a password has been assigned to the sa account on Microsoft SQL Servers under your administrative control. Note that when installing Microsoft SQL 2000 Server, the application prompts for an sa password. If a null password is entered, a warning will be displayed, but the application will permit it.

Instructions to change the SQL Server password are located at modadmin/html/deconchangingsqlserveradministratorlogin.asp. Instructions to change the MSDE password can be found at en-us Q322336. Additional information on securing Microsoft SQL Server is also available.

Limit access to the SQL Server port

Packet filtering should be performed at network borders to prohibit externally initiated inbound connections to non-authorized services. With regards to SQL Server, ingress filtering of port 1433/tcp could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services. Filtering packets destined for other services that are not explicitly required can also prevent intruders from connecting to those services.

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet.

Additional protection

Apply a patch from Microsoft. Microsoft Corporation has released Microsoft Security Bulletin MS02-020, which announces the availability of a cumulative patch to address a variety of problems. While this patch does not address null sa passwords, it does fix a number of serious security issues. We strongly encourage you to read this bulletin and take the appropriate corrective measures. MS02-020 is available at treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp.

Blocking the email the worm attempts to send is another measure. However, as with the egress filtering recommendation above, this only blocks systems that are already infected, so it is not sufficient to block the email without taking other precautionary steps as described above.

Detection

The presence of any of these files on the system indicates compromise:

- %SystemRoot%\System32\drivers\services.exe

Scanning for other systems on port 1433/tcp, or attempts to send email to the worm's fixed address, may also indicate a compromised system.

Response

If you believe a system under your administrative control may have been compromised, please refer to the CERT/CC guidance for Recovering from a UNIX or NT System Compromise.

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to the CERT/CC with the text specified in the note included in the subject line.

Author(s): Chad Dougherty and Allen Householder
Copyright 2002 Carnegie Mellon University.
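The note's detection and egress-filtering advice can be turned into a simple log check. The script below is an added example, not part of the CERT/CC note: it parses connection records in a constructed format (timestamp, source, destination, port, protocol), flags any source that reaches an unusual number of distinct hosts on 1433/tcp (the scanning behaviour the note describes), and separately lists internal hosts opening 1433/tcp connections to Internet addresses, which the egress-filtering recommendation says public servers rarely need. The log format, the sample lines, the RFC 1918 definition of "internal", and the fan-out threshold are all assumptions of this example.

```python
"""Added example (not from the CERT/CC note): flag Spida-style 1433/tcp
scanning in connection logs and check the egress-filtering recommendation.
The log format and every sample line below are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)

# Assumption: RFC 1918 space is "internal"; everything else is "the Internet".
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SQL_PORT = 1433
FANOUT_THRESHOLD = 5  # assumed: distinct 1433/tcp targets before we call it scanning


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return {src: sorted distinct 1433/tcp destinations} for every source
    that touched at least `threshold` distinct hosts on 1433/tcp."""
    targets = defaultdict(set)
    for line in lines:
        c = parse_line(line)
        if c and c.proto == "tcp" and c.dport == SQL_PORT:
            targets[c.src].add(c.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_egress_violations(lines):
    """Internal hosts opening 1433/tcp to external addresses, in log order."""
    out = []
    for line in lines:
        c = parse_line(line)
        if (c and c.proto == "tcp" and c.dport == SQL_PORT
                and is_internal(c.src) and not is_internal(c.dst)):
            out.append((c.src, c.dst))
    return out


# Constructed sample: .20 fans out to seven hosts on 1433/tcp (two of them on
# the Internet); .30 just talks to one database server and a web server.
SAMPLE_LOG = """\
2002-05-21T10:00:01 192.168.1.20:3345 -> 192.168.1.5:1433 tcp
2002-05-21T10:00:01 192.168.1.20:3346 -> 192.168.1.6:1433 tcp
2002-05-21T10:00:02 192.168.1.20:3347 -> 192.168.1.7:1433 tcp
2002-05-21T10:00:02 192.168.1.20:3348 -> 192.168.1.8:1433 tcp
2002-05-21T10:00:02 192.168.1.20:3349 -> 192.168.1.9:1433 tcp
2002-05-21T10:00:03 192.168.1.20:3350 -> 203.0.113.40:1433 tcp
2002-05-21T10:00:03 192.168.1.20:3351 -> 203.0.113.41:1433 tcp
2002-05-21T10:00:05 192.168.1.30:4000 -> 192.168.1.5:1433 tcp
2002-05-21T10:00:06 192.168.1.30:4001 -> 192.168.1.5:1433 tcp
2002-05-21T10:00:07 192.168.1.30:4002 -> 192.168.1.40:80 tcp
this line is malformed and must be skipped
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"possible 1433/tcp scanner {src}: {len(dsts)} distinct targets")
    for src, dst in find_egress_violations(SAMPLE_LOG):
        print(f"outbound 1433/tcp to Internet host: {src} -> {dst}")
```

Run against the sample, only 192.168.1.20 crosses the fan-out threshold, and its two connections to 203.0.113.x show up as egress violations; 192.168.1.30's repeated connections to a single server are ordinary client traffic and are not flagged. On real firewall or flow logs the parser is the only part that needs adapting; the threshold should be set from a baseline of how many distinct database servers a legitimate client normally reaches.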
