Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Spybot and SQL
From: "Matthew Farrenkopf" <farrenkm () ohsu edu>
Date: Thu, 10 Feb 2005 21:34:19 -0800

Hi All,
Has anyone seen a spybot variant using the target machines
IP address as the password for user SA?

We don't have a name for this variant yet. I might be
reading my captures wrong but that's what this looks like
it's doing .

I'll send captures to individuals if needed.

Some of our MSDE machines running the engine equivalent to SQL Server
7.0 were hit a few days ago, presumably by something logging in as sa
with a blank password.  They dropped off payloads named winlog.exe and
soundblaster.exe.  I found information for these files on the Internet,
but neither one was detected by McAfee or Norton.  Their fingerprints
looked like an Agobot variant and a Rbot/SDBot variant, respectively,
but as I said, neither was detected.

I'm presuming the attack was automated, but I don't have any information
on the attacking program.

(The MSDE engine was installed on two machines for an application we
use, and the engine is used only locally by the application.  The
thought never crossed my mind that the engine was misconfigured with a
blank sa password, but on analysis it looks like that's how the
application communicates with the database.  There's no option to add a
password in the application, so I blocked port 1433 to the outside
world.  Problem solved until we can talk to the vendor.)


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]