NetNews: News/Analysis

SQL Snake Is Your Problem

June 24, 2002
 By Mike Fratto


By now you've probably heard about the latest worm slithering across the Internet. SQL Snake scans for Microsoft SQL Server 7 and 2000 systems reachable on TCP port 1433 (the default listener) and attempts to log in to the system administrator (sa) account with no password. If it succeeds, the worm downloads and hides some files, then collects the system configuration and account names and e-mails them to ixltd@postone.com. (For a detailed description, go to www.incidents.org/diary/diary.php?id=156.)

SQL Snake has succeeded for two reasons, both of them implementation mistakes rather than software flaws: the SQL servers were reachable from the public Internet, and no passwords had been assigned to them.



I'll go out on a limb here and assume you don't need public access to your SQL Server. After all, it's a back-end application. Do yourself a favor: move your database to a protected network and restrict access to port 1433 to only those servers that need it. You can apply a packet filter at your border router to block all TCP traffic to and from port 1433, or you can buy a firewall for as little as $500. In either case, get it off the Internet.

Second, don't ever install software with default passwords or no passwords. Although it would be nice if all software vendors required users to enter complex passwords during installation, the reality is that default or blank passwords are the norm. SQL Server is no exception.

But as always, there's a caveat. Several applications, including Microsoft's Visio Enterprise, Project Central and Visual Studio, use a stripped-down version of SQL Server, Microsoft SQL Desktop Engine (MSDE), that gets installed without users' knowledge and often without an sa account password. The password can be set only on the command line (see support.microsoft.com/default.aspx?scid=kb;en-us;Q322336 for details). Your best bet is to port scan your network for port 1433 and change the passwords on the MSDE installations you find. Then make sure the applications that need access to MSDE can still connect.
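One way to do that inventory scan, as an added example that is not from the article or from Microsoft: a small Python TCP connect scanner that reports which hosts in a list accept connections on port 1433. The `demo()` function stands up a local listener on a random port as a constructed stand-in for an MSDE instance, so it runs offline; in real use you would pass your own subnet's hosts and leave the port at its default.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

MSSQL_PORT = 1433  # default TCP listener for SQL Server 7/2000 and MSDE

def port_open(host, port=MSSQL_PORT, timeout=1.0):
    """True if a plain TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def find_sql_listeners(hosts, port=MSSQL_PORT, timeout=1.0, workers=32):
    """Return the sorted subset of hosts that accept TCP connections on port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return sorted(h for h, is_open in flags if is_open)

def _fake_msde_listener():
    """Constructed stand-in for an MSDE instance: a TCP listener on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop notices when the socket is closed
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # listener closed by demo()
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    """Scan one host twice: against the fake listener, then against a closed port."""
    srv, open_port = _fake_msde_listener()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port any more
    try:
        return (find_sql_listeners(["127.0.0.1"], port=open_port),
                find_sql_listeners(["127.0.0.1"], port=closed_port))
    finally:
        srv.close()
```

A host that shows up as open is where you run the KB Q322336 procedure to set the sa password; hosts that are only supposed to be reachable from specific application servers should also be on your port 1433 filter list.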

--Mike Fratto, mfratto@nwc.com
