[unisog] new virus?

Jordan Wiens numatrix at ufl.edu
Thu Feb 24 15:47:06 GMT 2005


On Wed, 23 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:

> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
>
> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL
> servers.  It seems to be doing some sort of a login attempt/attack.  My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.

Most of the *bots (sdbot, gaobot, agobot, whatever) are controlled via IRC 
(as mentioned by another poster), and are manually controlled and told to 
spread.  It's quite likely the bots could attack in other ways; it just so 
happens that that particular botnet controller is using mssql for now.

Just for reference, I had an admin who had an mssql server that he swore 
did not have a blank SA password.  Nessus kept saying he did.  I finally 
connected remotely via the mssql manager without a password.  Then he 
believed me; though it took him three tries to successfully get a password 
on the account.

That may not have been the cause in your situation, but it's much more 
likely than an mssql 0-day.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061


