[Dshield] RE: Dshield digest, Vol 1 #593 - 3 msgs

Louis Hablas Louis.Hablas at rzim.org
Tue May 7 13:40:42 GMT 2002

Though very much a newbie in the arena of overall network security (right
now I'm in awe of 99.9% of the posts to this list), I do have a background
in MS SQL db development and admin and I want to underscore Shawn's note.

Any of you who have MS SQL boxes on your network should verify that 'sa' is
password protected.  Microsoft got a little smarter with SQL 2000 and
specifically makes it a point (during the install process) that 'sa' SHOULD
be given a password, but it's still too easy to check a box and proceed
forward without assigning one. (on the other hand, 'sa' does not have a
password by default after a SQL 7.0 install and the admin must remember to
go back and assign it).

If not protected, anybody who hacks a SQL box using the 'sa' account may
essentially be given the keys to the kingdom, because from there they'll
have access to all of the sql system tables and potentially hundreds of
network accounts (and passwords).  Obviously this information could then be
used to mount a much larger and harder to detect attack.


-----Original Message-----
From: Carpenter, Shawn [mailto:scarpe at sandia.gov]
Sent: Monday, May 06, 2002 2:17 PM
To: 'list at dshield.org'
Subject: [Dshield] RE: Dshield digest, Vol 1 #593 - 3 msgs

Hash: SHA1

Johannes -

We've seen these MS SQL scans since late November 2001.  There has
been a worm active since late November 2001 that attempts to
propagate itself to other machines with the same vulnerability
(http://www.kb.cert.org/vuls/id/635463).  Certain releases of
Microsoft SQL server have default installs that have a null system
administrator accout (SA).  It is trivial to gain entry to a system
in this configuration; attackers can execute code at the priviledge
level of the SA user account.  It doesn't take a whole lot of work to
elevate their priviledges once they're in anyways. 

It's a very real threat, and crackers/hackers are starting to really
take advantage of this.  If you observe sequential scans of subnets
at random intervals, it's probably the Kaiten worm (aka W32/CBlade,
W32/Voyager, and Voyager Alpha Force).

Shawn Carpenter
Computer Security Operations
Sandia National Laboratories
scarpe at sandia.gov


- -----Original Message-----
From: list-request at dshield.org [mailto:list-request at dshield.org]
Sent: Saturday, May 04, 2002 10:04 AM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #593 - 3 msgs

Send Dshield mailing list submissions to
	list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	list-request at dshield.org

You can reach the person managing the list at
	list-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."

Today's Topics:

   1. RE: Problem with outlook express inbox.dbx (Malcolm Joosse)
   2. Klez question (Paul Marsh)
   3. MSSQL scans (Johannes B. Ullrich)

- --__--__--

Message: 1
Subject: RE: [Dshield] Problem with outlook express inbox.dbx
Date: Fri, 3 May 2002 13:40:14 +1000
From: "Malcolm Joosse" <malcolm at hotlinesupport.com>
To: <list at dshield.org>
Reply-To: list at dshield.org

I just had a client call with the same problem

- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf
Sent: Thursday, May 02, 2002 7:17 PM
To: Dshield
Subject: [Dshield] Problem with outlook express inbox.dbx

Hi All,

I've a problem with my outlook express inbox.dbx, I cant see any
but it say the capacity is 1.91GB.
I've tried with the Inbox repair tool on Windows NT but still I can't
any of my mails, they are not visible at all........

Anybody have got any ideas?



Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

- --__--__--

Message: 2
From: Paul Marsh <pmarsh at nmefdn.org>
To: "'Dshield (E-mail)" <list at dshield.org>
Date: Fri, 3 May 2002 11:03:10 -0400 
Subject: [Dshield] Klez question
Reply-To: list at dshield.org

I finally got around to installing Scanmail and configed it to strip
.bat's, .pif's and .scr's.  Today I noticed a Klez attachment that
through because the files extension was appended with .txt so as far
Scanmail was concerned the attachment was OK for delivery.  Have I
just been
sleeping or is this a new gig for Mr. Klez?

TIA, Paul 

[[ Attachement of type text/html deleted]]

- --__--__--

Message: 3
Date: Fri, 3 May 2002 21:00:41 -0400 (EDT)
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: list at dshield.org
Subject: [Dshield] MSSQL scans
Reply-To: list at dshield.org

  My (preliminary) conclusion on the big jump in mssql scans is
that we have a very small number of sources, who scan one IP
after another for mssql. So far, I don't have any data to
point to a particular exploit or such. All the packets I have
are just syn's (none of the people submitting packets for this
had something listening). It could be someone scanning for
unpatched SQL servers, or someone building a target list for
a new exploit they have up their sleve. But so far, there is
no 'worm indication' and there is no captured exploit code.

- -- 
- -------
jullrich at euclidian.com               Join http://www.DShield.org
                          Distributed Intrusion Detection System

- --__--__--

Dshield mailing list
Dshield at dshield.org

End of Dshield Digest

Version: PGP 7.1


Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list