[unisog] worm that looks for 139, 1433 and 2967

H. Morrow Long morrow.long at yale.edu
Mon Feb 19 05:56:54 GMT 2007

On Feb 18, 2007, at 5:41 PM, power less wrote:
> But what should we be scanning for for 1433?

Probably one of the most important things to scan for with regard to  
MS SQL server
is to verify that the default system administrator account ( "sa" )  
doesn't have an empty
password or an "easy" password ( e.g. "sa").  There should be a  
Nessus plug-in for this.

After that probably the most important test would be to check for the  
two vulnerabilities
in Secunia advisories SA7200 and  SA7945 which have been exploited by  
'worms' since
2002 and 2003 and continue to be problems today whenever older  
versions of SQLserver
and MSDE are installed (particularly as part of an OEM software  
package install).

 From www.secunia.com :

Highly critical
SA7200  MS02-056 CAN-2002-1123,1137,1138	  2002-10-03 Updated:  
SA7945	 CVE-2002-0649	 2003-01-25 Updated: 	2004-04-01

MS02-061	CVE-2002-1145			(this really belongs with SA7945)

Moderate Critical
SA9336  CVE-2003-0230,0231,0232	  2003-07-23 Updated: 2003-07-24

Less Critical
SA9229 	 	CVE-2003-0496	2003-07-11
SA12680  	CVE-2004-1560	  2004-09-30	Updated 2005-02-22

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sans.org/pipermail/unisog/attachments/20070219/1b10d14d/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5330 bytes
Desc: not available
Url : http://lists.sans.org/pipermail/unisog/attachments/20070219/1b10d14d/attachment.bin 

More information about the unisog mailing list