[Dshield] Patching SQL (OT?)

Kenneth Porter shiva at sewingwitch.com
Tue Jan 28 07:15:39 GMT 2003


--On Monday, January 27, 2003 12:56 PM -0700 Kenton Smith
<ksmith at chartwelltechnology.com> wrote:

> I have to jump in on the patching thing here as well.
> I'm sys admin for a company that has 6 servers running MS SQL, all of
> which were patched for this vulnerability.

Are these servers exposing a UDP port to the public Internet? Why would
someone expose a DB server to the Internet? If the objective was multi-site
connectivity, why isn't there a VPN in the path?

> However, if the tools that we
> have available, especially those from the manufacturer, can't tell us
> whether we've patched correctly, we're fighting an even bigger uphill
> battle than I thought.

My biggest fear in putting a closed-source box on the Internet is that I
simply don't *know* what's really inside and can't trust that. With my
open-source box, I can at least look inside the box and see what I have.



More information about the list mailing list