[unisog] new virus?
numatrix at ufl.edu
Thu Feb 24 15:47:06 GMT 2005
On Wed, 23 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:
> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
> McAfee shows it as being an SDBOT variant. But, it only attacks SQL
> servers. It seems to be doing some sort of a login attempt/attack. My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.
Most of the *bots (sdbot, gaobot, agobot, whatever) are controlled via IRC
(as mentioned by another poster), and are manually controlled and told to
spread. It's quite likely the bots could attack in other ways; it just so
happens that that particular botnet controller is using mssql for now.
Just for reference, I had an admin who had an mssql server that he swore
did not have a blank SA password. Nessus kept saying he did. I finally
connected remotely via the mssql manager without a password. Then he
believed me; though it took him three tries to successfully get a password
on the account.
That may not have been the cause in your situation, but it's much more
likely than an mssql 0-day.
Jordan Wiens, CISSP
UF Network Security Engineer