SQL flaw uncovered: servers sniffed out by worm

Servers housing Microsoft SQL are being actively manipulated by a new worm to launch distributed denial-of-service attacks against IRC servers and various other sites according to a posting on the Incidents.org Web site.

During the Microsoft SQL installation process, a default system administration account "sa" is created. The process allows administrators to complete the installation with a blank password for this account. Consequently, if administrators leave the password box blank the machine can be left open to compromise.

"While the number of computers infected with this worm still appears to be rather small, the ones that are infected are being actively manipulated to launch packet flood attacks against IRC servers and probably other targets," reads a comment on the Incidents site.

According to Incidents.org there has been an increase in traffic on port 1433 of SQL server indicating irregular and concerning behaviour. It is believed the worm has gone under various guises including "kiten", "knight" and "voyageralphaforce".

Microsoft product manager for Windows, Calum Russell said there was "nothing" Microsoft could do to alleviate the issue other than enforce common sense. "There is no patch," he said. "You just have to type in a password. Anyone installing a database should know that." Russell said people who do not supply a password "were opening themselves up to problems".

During the Microsoft SQL 2000 installation users are warned they should provide a password when the password box is left empty. However, users can still continue even if the password is blank. In Microsoft SQL versions prior to SQL 2000, customers could install the software and not be prompted to supply a password if the password box was left blank.

Grant Slender, principal consultant for Internet Security Systems Australia, which has been following the worm's port scanning behaviour, said all the vulnerable servers had been tracked down. He said the servers that were distributing the worm in order for it to propagate have been "shutdown" and did not expect it to lead to a major outbreak.

Microsoft SQL server administrators should check to ensure that Microsoft SQL installations have passwords set for the 'sa' account.

Join the newsletter!

Error: Please check your email address.

More about Internet Security SystemsMicrosoftSecurity Systems

Show Comments

Market Place