[Dshield] RE: Dshield digest, Vol 1 #593 - 3 msgs

Stephane Grobety security at admin.fulgan.com
Tue May 7 14:12:06 GMT 2002

LH> Any of you who have MS SQL boxes on your network should verify that 'sa' is
LH> password protected.

They are all protected, yes.

LH> Microsoft got a little smarter with SQL 2000 and
LH> specifically makes it a point (during the install process) that 'sa' SHOULD
LH> be given a password, but it's still too easy to check a box and proceed
LH> forward without assigning one. (on the other hand, 'sa' does not have a
LH> password by default after a SQL 7.0 install and the admin must remember to
LH> go back and assign it).

While I agree that that checkbox shouldn't be there, it's really a
matter of user sanity. Anyone who is dumb enough to go out of his/her
way to check that box and ignore the various warnings shouldn't be
trusted with a SQL server, let alone with an admin account.

But again, I can't see ANY valid reason to have that checkbox
anyway (perhaps it's some elaborate computer Darwinism scheme).

LH> If not protected, anybody who hacks a SQL box using the 'sa' account may
LH> essentially be given the keys to the kingdom, because from there they'll
LH> have access to all of the sql system tables and potentially hundreds of
LH> network accounts (and passwords).

In a serious design, you don't store the passwords in the DB: you store
the password hashes. While this might not always be possible, it is
the only way to prevent internal leaks and to minimize the damage in
case you "misplace" these data.

LH> Obviously this information could then be
LH> used to mount a much larger and harder to detect attack.

It really depends on the patch level of the server box and on what
you've stored in there. IIRC, unless you've applied the latest
service packs, the sa account could plant a specially malformed stored
procedure that triggers a buffer overflow (MS's all-time favorite),
which executes code in the context of the SQL service user account
(default is system).

Good luck,

LH> -----Original Message-----
LH> From: Carpenter, Shawn [mailto:scarpe at sandia.gov]
LH> Sent: Monday, May 06, 2002 2:17 PM
LH> To: 'list at dshield.org'
LH> Subject: [Dshield] RE: Dshield digest, Vol 1 #593 - 3 msgs

LH> Johannes -

LH> We've seen these MS SQL scans since late November 2001.  There has
LH> been a worm active since late November 2001 that attempts to
LH> propagate itself to other machines with the same vulnerability
LH> (http://www.kb.cert.org/vuls/id/635463).  Certain releases of
LH> Microsoft SQL server have default installs that have a null system
LH> administrator account (SA).  It is trivial to gain entry to a system
LH> in this configuration; attackers can execute code at the privilege
LH> level of the SA user account.  It doesn't take a whole lot of work to
LH> elevate their privileges once they're in anyway.

LH> It's a very real threat, and crackers/hackers are starting to really
LH> take advantage of this.  If you observe sequential scans of subnets
LH> at random intervals, it's probably the Kaiten worm (aka W32/CBlade,
LH> W32/Voyager, and Voyager Alpha Force).

LH> Shawn Carpenter
LH> Computer Security Operations
LH> Sandia National Laboratories
LH> scarpe at sandia.gov

LH> http://www.cert.org/incident_notes/IN-2001-13.html

LH> - -----Original Message-----
LH> From: list-request at dshield.org [mailto:list-request at dshield.org]
LH> Sent: Saturday, May 04, 2002 10:04 AM
LH> To: list at dshield.org
LH> Subject: Dshield digest, Vol 1 #593 - 3 msgs

LH> Today's Topics:

LH>    1. RE: Problem with outlook express inbox.dbx (Malcolm Joosse)
LH>    2. Klez question (Paul Marsh)
LH>    3. MSSQL scans (Johannes B. Ullrich)

LH> - --__--__--

LH> Message: 1
LH> Subject: RE: [Dshield] Problem with outlook express inbox.dbx
LH> Date: Fri, 3 May 2002 13:40:14 +1000
LH> From: "Malcolm Joosse" <malcolm at hotlinesupport.com>
LH> To: <list at dshield.org>
LH> Reply-To: list at dshield.org

LH> I just had a client call with the same problem

LH> - -----Original Message-----
LH> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Divagaran
LH> Sent: Thursday, May 02, 2002 7:17 PM
LH> To: Dshield
LH> Subject: [Dshield] Problem with outlook express inbox.dbx

LH> Hi All,

LH> I've a problem with my outlook express inbox.dbx, I can't see any
LH> messages but it says the capacity is 1.91GB.
LH> I've tried the Inbox repair tool on Windows NT but still I can't
LH> see any of my mails, they are not visible at all........

LH> Anybody have got any ideas?

LH> Thanks

LH> Divagaran

LH> - --__--__--

LH> Message: 2
LH> From: Paul Marsh <pmarsh at nmefdn.org>
LH> To: "'Dshield (E-mail)" <list at dshield.org>
LH> Date: Fri, 3 May 2002 11:03:10 -0400 
LH> Subject: [Dshield] Klez question
LH> Reply-To: list at dshield.org

LH> I finally got around to installing Scanmail and configured it to strip
LH> .exe's, .bat's, .pif's and .scr's.  Today I noticed a Klez attachment
LH> that got through because the file's extension was appended with .txt,
LH> so as far as Scanmail was concerned the attachment was OK for delivery.
LH> Have I just been sleeping or is this a new gig for Mr. Klez?

LH> TIA, Paul 

LH> - --__--__--

LH> Message: 3
LH> Date: Fri, 3 May 2002 21:00:41 -0400 (EDT)
LH> From: "Johannes B. Ullrich" <jullrich at sans.org>
LH> To: list at dshield.org
LH> Subject: [Dshield] MSSQL scans
LH> Reply-To: list at dshield.org

LH>   My (preliminary) conclusion on the big jump in mssql scans is
LH> that we have a very small number of sources, who scan one IP
LH> after another for mssql. So far, I don't have any data to
LH> point to a particular exploit or such. All the packets I have
LH> are just syn's (none of the people submitting packets for this
LH> had something listening). It could be someone scanning for
LH> unpatched SQL servers, or someone building a target list for
LH> a new exploit they have up their sleeve. But so far, there is
LH> no 'worm indication' and there is no captured exploit code.

Best regards,
 Stephane                            mailto:security at admin.fulgan.com
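An added example (not part of Stephane's message or the quoted thread) of the design point made above: keeping salted password hashes in the table instead of the passwords themselves, so that someone who gets the keys to the kingdom via `sa` and dumps the user table still does not get the passwords. The user names, passwords, record format, PBKDF2 work factor and the helper names are all assumptions made for this illustration, not anything from the original post.

```python
"""Store salted password hashes, never plaintext, in the user table.

Added illustration for the thread above; the record format
'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' and the parameters
below are assumptions chosen for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # PBKDF2 work factor (assumed illustrative value)
SALT_BYTES = 16        # per-user random salt length


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record holding scheme, work factor, salt and hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False                           # malformed record never verifies
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """What the DB should hold: user -> hash record. The plaintext is discarded here."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def login(table: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate against the stored table; unknown users fail like bad passwords."""
    record = table.get(user)
    return record is not None and verify_password(password, record)


def dump_reveals_plaintext(table: Dict[str, str], credentials: Dict[str, str]) -> bool:
    """Simulate an attacker who has the whole table: does any stored record
    contain the actual password? With hashing, the answer must be False."""
    return any(pw in table[user] for user, pw in credentials.items())


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration (not real data).
    creds = {"alice": "correct horse battery", "bob": "correct horse battery"}
    table = build_user_table(creds)
    for user, rec in table.items():
        print(user, "->", rec)
    print("alice login ok:", login(table, "alice", "correct horse battery"))
    print("alice wrong pw:", login(table, "alice", "wrong"))
    # Same password, different salts -> different records.
    print("records differ:", table["alice"] != table["bob"])
    print("dump reveals plaintext:", dump_reveals_plaintext(table, creds))
```

Two points worth noticing: the per-user salt means two accounts with the same password do not produce the same stored record, so a dump cannot be used to spot shared passwords, and the comparison is done with `hmac.compare_digest` so that verification time does not leak how many bytes of the hash matched.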
