[ale] TCP port 1433 attacks (MS SQL)

cfowler cfowler at outpostsentinel.com
Wed May 22 09:17:06 EDT 2002


To all DBAs:

If you are a DBA with no 'sa' password, please do your company a favor
and quit.  Give the job to a real DBA. 



On Wed, 2002-05-22 at 09:01, sangell at nan.net wrote:
> 
> This from ISS:
> Internet Security Systems Security Alert
> May 21, 2002
> 
> Microsoft SQL Spida Worm Propagation
> 
> Synopsis:
> 
> ISS X-Force has learned of a worm that is spreading via Microsoft SQL
> servers. The Spida worm is responsible for large amounts of Internet
> traffic as well as millions of TCP/IP probes at the time of this alert's
> publication. This worm attempts to locate and login to MS/SQL servers
> with the "sa" account and a blank password. Once a vulnerable computer
> is found, the worm will infect that target, send its configuration and
> password information to an external host, and begin scanning for new
> targets.
> 
> Impact:
> 
> Although the Spida worm is not destructive to the infected host, it may
> generate a damaging level of network traffic when it scans for
> additional targets. The scanner bundled with the worm is multi-threaded
> and is capable of scanning with 100 threads. A large amount of network
> traffic is created by the worm, which scans both internal and external
> IP addresses for vulnerable servers.
> 
> Description:
> 
> The Spida worm propagates via Microsoft SQL installations with
> administrator accounts that have no passwords defined. Although
> Microsoft recommends that the "sa" account be set upon installation,
> many servers are not properly secured. If the worm finds a vulnerable
> server, it will attempt to execute its startup script by running the
> "xp_cmdshell" function, which is the SQL call used to execute system
> commands within SQL queries.
> 
> The main function of the Spida worm is to export an infected server's
> SAM password database and forward information about its network and
> database configuration.
> 
> The worm installs all of its files into the \Windows\system32 directory
> except for services.exe, which is installed into the
> \Windows\system32\drivers directory. Each of these files has a distinct
> function which is outlined below:
> 
> sqlprocess.js - This is the worm's main payload. It holds IP address
> arrays which are later used in the services.exe scanner. It executes
> "ipconfig /all" and appends this information to send.txt. This script
> then runs sqldir.js and appends all of the server's database information
> to send.txt. It then executes pwdump2 and appends the password hashes to
> send.txt, then runs clemail.exe and mails send.txt to ixltd at postone.com.
> After the email is sent, send.txt is destroyed and services.exe is run
> to scan for other vulnerable servers. This information is appended to
> rdata.txt, which the worm uses to attempt to propagate with the username
> "sa" and a null password. The sqlprocess.js file sets the registry value
> dbmssocn to configure the SQL server to use the Winsock TCP/IP library
> instead of the default DBNETLIB library:
> (HKLM\\software\\microsoft\\mssqlserver\\client\\connectto\\dsquery).
> It also turns on the NetDDE service, allowing SQL to use the DDE
> protocol.
> 
> sqlexec.js - This is a script used by sqlprocess.js to execute
> xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.
> 
> sqldir.js - Collects a list of databases on the infected system. Later,
> sqlprocess.js writes this information in send.txt to send to
> ixltd at postone.com.
> 
> run.js - This script passes time information to and from timer.dll.
> 
> sqlinstall.bat - Installs the worm then hides the files.
> 
> clemail.exe - Simple mail program used to email out the send.txt file.
> 
> services.exe - Scanner used by the worm to scan for other SQL servers on
> port 1433. This information is appended into the rdata.txt file. This
> file is multi-threaded and scans internal IP addresses before performing
> an external IP address sweep.
> 
> pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program that
> performs the authentication of log-on credentials) in order to grab raw
> NT password hashes.
> 
> samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows
> password hashes.
> 
> timer.dll - A counter used for installation and other functionality of
> the worm.
> 
> Recommendations:
> 
> Microsoft SQL Server customers should refer to the following address for
> information on securing Microsoft SQL Server:
> http://www.microsoft.com/sql/techinfo/administration/2000/security.asp.
> 
> The ISS Database Scanner product implemented a check for a blank
> administrator password in December of 1998. Database Scanner customers
> are encouraged to enable this check if they have not done so. For more
> information, refer to:
> http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_database.php
> 
> ISS RealSecure Network Sensor customers may use the following connection
> event to detect access attempts to the SQL Server port. Follow the
> instructions below to apply the connection event to your policy. This
> connection event will detect legitimate connection attempts to MS/SQL
> servers.
> 1. Choose a policy you want to use, and click Customize.
> 2. Select the Connection Events tab.
> 3. Click Add on the right hand side of the dialog box.
> 4. Create a Connection Event.
> 5. Type in a name of the event, such as "MS/SQL Port Probe".
> 6. In the Response field for the event, select the responses you want to
> use.
> In the Protocol field, select TCP.
> In the Dest Port/Type field click the pull down box and create an entry
> for TCP port 1433:
> a. Click Add.
> b. Select TCP Protocol.
> c. Name the service "MS/SQL Port Probe".
> d. Use 1433 for the port number.
> e. Click OK.
> f. Select the entry just created.
> 7. Save changes and close the window.
> 8. Click Apply to Sensor or Apply to Engine depending on the version of
> RealSecure.
> 
> To create a user-defined event RealSecure Server Sensor:
> 1. Open the desired policy.
> 2. Expand the Connections tree on the Protect view.
> 3. Expand the User Defined Suspect Connections branch.
> 4. Click Add to add a new User Defined Suspect Connections event.
> 5. Name the event, SQL_Connection.
> 6. Select the desired responses under the response column.
> 7. Enter "1433" under the port column.
> 8. Save the Policy and apply it to the sensor.
> 
> ISS BlackICE customers should monitor and/or enable the "SQL Port Probe"
> event. This event will detect probes by the Spida worm.
> 
> ISS X-Force will provide assessment support for this vulnerability in an
> upcoming X-Press Update for Internet Scanner.
> 
> ______
> 
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> pioneer and world leader in software and services that protect critical
> online resources from an ever-changing spectrum of threats and misuse.
> Internet Security Systems is headquartered in Atlanta, GA, with
> additional operations throughout the Americas, Asia, Australia, Europe
> and the Middle East.
> 
> Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
> worldwide.
> 
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the
> express written consent of the Internet Security Systems X-Force. If you
> wish to reprint the whole or any part of this document in any other
> medium excluding electronic media, please email xforce at iss.net for
> permission.
> 
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the
> user's risk. In no event shall the author/distributor (Internet Security
> Systems X-Force) be held liable for any damages whatsoever arising out
> of or in connection with the use or spread of this information.
> 
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as at http://www.iss.net/security_center/sensitive.php
> 
> Please send suggestions, updates, and comments to: X-Force
> xforce at iss.net of Internet Security Systems, Inc.
> \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> \_    Steve Angell,  MCSE, CCNA           _/
> \_    MIS Operations Manager               _/
> \_    TSYS Debt Management             _/
> \_    Norcross, GA                                   _/
> \_    Phone 770-409-5570                    _/
> \_    Fax      770-416-1752                   _/
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> 
> 
> From: Transam <transam at cavu.com>
> To: ale at ale.org
> cc:
> Subject: [ale] TCP port 1433 attacks (MS SQL)
> Date: 05/22/2002 06:55 AM
> 
> In the past 24 hours there has been a tremendous increase in attacks to
> TCP port 1433 (Microsoft's SQL server).  In at least some of these, the
> attacker is checking for an allowed login with the default account name
> of "sa" and an empty password.  Unless your Firewall is blocking this you
> are at risk.
> 
> There is more information at
> 
> http://Security.ITtoolbox.com/browse.asp?c=SecurityNews&r=/news/dispnews.asp?i=72558
> 
> 
> Best regards,
> 
> Bob Toxen
> book at cavu.com
> http://www.realworldlinuxsecurity.com/ [My 5* book: Real World Linux
> Security]
> http://www.verysecurelinux.com      [Linux/Unix & Network Security
> Consulting]
> 
> Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
> Quality Linux & UNIX security and software consulting since 1990.
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
> 
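The detection advice in the quoted ISS advisory comes down to a connection event on TCP port 1433, which, as ISS itself notes, also fires on every legitimate client connection. The script below is an added example, not code from the ISS advisory or from anyone in this thread. It reads firewall connection logs in an assumed, generic key=value format (the sample lines are constructed, not captured traffic, and LOG_RE is the only thing to adapt for a real firewall) and reports only sources that reach many distinct hosts on 1433 inside a short window. That is what the worm's 100-thread scanner looks like on the wire, and what a single application server talking to one SQL server does not.

```python
"""Flag hosts sweeping TCP/1433 the way the Spida scanner does.

Added example; not code from the ISS advisory or the ALE thread. The firewall
log format is an assumed, generic "key=value" line; adjust LOG_RE for yours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not any vendor's): ISO timestamp, host, then key=value pairs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+conn:\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)\s*$"
)

# Constructed sample (not captured traffic). 192.0.2.10 plays the infected host:
# 30 distinct targets on 1433 in 30 seconds. 192.0.2.20 is a legitimate app
# server talking to one SQL server and must not be reported. The last lines are
# noise: a web connection, a UDP probe, and a malformed line that must be skipped.
SAMPLE_LOG = [
    f"2002-05-22T06:40:{i:02d} fw1 conn: src=192.0.2.10 dst=198.51.100.{i} "
    f"proto=tcp dport=1433 action=deny"
    for i in range(1, 31)
] + [
    f"2002-05-22T06:4{i}:00 fw1 conn: src=192.0.2.20 dst=198.51.100.5 "
    f"proto=tcp dport=1433 action=allow"
    for i in range(0, 5)
] + [
    "2002-05-22T06:41:15 fw1 conn: src=192.0.2.30 dst=198.51.100.8 proto=tcp dport=80 action=allow",
    "2002-05-22T06:41:16 fw1 conn: src=192.0.2.30 dst=198.51.100.8 proto=udp dport=1433 action=deny",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return a dict for one connection record, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_sweeps(lines, port=1433, min_targets=10, window_seconds=300):
    """Report sources that touch >= min_targets distinct hosts on TCP/port
    within any window_seconds-long interval.

    Returns {src: {"targets": n, "first": iso_ts, "last": iso_ts}}. Sources that
    repeatedly connect to the same one or two SQL servers stay below the
    threshold, which is the point: the advisory's raw port-1433 connection
    event cannot tell those apart from a sweep.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of events inside the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = {
                "targets": best,
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} distinct hosts on 1433 "
              f"between {info['first']} and {info['last']}")
```

Run it as a script to print the report on the constructed sample, or import find_sweeps() and feed it your own lines. Tune min_targets and window_seconds to the environment; a host that legitimately connects to several SQL servers needs a higher threshold, and a sweep that only hits your external address space will show far fewer targets per source than the worm's internal scan does.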