Full Disclosure mailing list archives

Re: Spybot and SQL


From: "Matthew Farrenkopf" <farrenkm () ohsu edu>
Date: Thu, 10 Feb 2005 21:34:19 -0800

Hi All,
Has anyone seen a spybot variant using the target machine's
IP address as the password for user SA?

We don't have a name for this variant yet. I might be
reading my captures wrong, but that's what it looks like
it's doing.

I'll send captures to individuals if needed.

Some of our MSDE machines running the engine equivalent to SQL Server
7.0 were hit a few days ago, presumably by something logging in as sa
with a blank password.  They dropped off payloads named winlog.exe and
soundblaster.exe.  I found information for these files on the Internet,
but neither one was detected by McAfee or Norton.  Their fingerprints
looked like an Agobot variant and an Rbot/SDBot variant, respectively,
but as I said, neither was detected.

I'm presuming the attack was automated, but I don't have any information
on the attacking program.

(The MSDE engine was installed on two machines for an application we
use, and the engine is used only locally by the application.  The
thought never crossed my mind that the engine was misconfigured with a
blank sa password, but on analysis it looks like that's how the
application communicates with the database.  There's no option to add a
password in the application, so I blocked port 1433 to the outside
world.  Problem solved until we can talk to the vendor.)

Matt
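The thread describes an automated login as sa against an MSDE/SQL Server instance that should only ever be used locally. One way to check your own hosts for the same pattern is to triage the SQL Server errorlog for sa logins arriving from anything other than the local machine, and for repeated sa failures from one source. The script below is an added example and not code from either poster; the log lines are constructed, and the `[CLIENT: x.x.x.x]` suffix is assumed to be present (SQL Server appends it when login auditing is enabled; confirm the format of your own errorlog before relying on the regex).

```python
"""Triage SQL Server / MSDE errorlog lines for 'sa' logins from remote clients.

Added example for the thread above, not from the original posts.  The sample
lines are constructed; the '[CLIENT: ...]' suffix is an assumption about the
log format (present when 'audit successful and failed logins' is enabled).
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample errorlog excerpt (not a real capture).
SAMPLE_LOG = """\
2005-02-08 03:12:44.10 logon  Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-02-08 03:12:44.31 logon  Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-02-08 03:12:44.52 logon  Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 203.0.113.7]
2005-02-08 03:13:02.00 logon  Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 127.0.0.1]
2005-02-08 03:14:11.77 logon  Login succeeded for user 'appuser'. Connection: Non-Trusted. [CLIENT: 10.0.0.5]
2005-02-08 03:15:09.03 logon  Login failed for user 'sa'. [CLIENT: 198.51.100.9]
"""

# Timestamp, 'logon' source tag, result, user name, then the client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_lines(text):
    """Yield one dict per audit line that matches the expected format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_local_client(addr):
    """Loopback addresses and the '<local machine>' marker count as local."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return addr.strip().lower() == "<local machine>"


def triage(text, failed_threshold=2):
    """Return successful remote 'sa' logins and sources with repeated 'sa' failures.

    A locally used MSDE instance should never see 'sa' succeed from a remote
    address; a burst of failures from one source is the automated-login pattern
    described in the thread.
    """
    remote_sa_success = []
    sa_failures = Counter()
    for ev in parse_logon_lines(text):
        if ev["user"].lower() != "sa":
            continue
        if ev["result"] == "succeeded" and not is_local_client(ev["client"]):
            remote_sa_success.append((ev["ts"], ev["client"]))
        elif ev["result"] == "failed":
            sa_failures[ev["client"]] += 1
    brute_sources = sorted(c for c, n in sa_failures.items() if n >= failed_threshold)
    return {"remote_sa_success": remote_sa_success, "brute_sources": brute_sources}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for ts, client in findings["remote_sa_success"]:
        print(f"ALERT {ts}: 'sa' logged in from remote client {client}")
    for src in findings["brute_sources"]:
        print(f"WARN: repeated failed 'sa' logins from {src}")
```

Run it against a copy of the errorlog (`triage(open(path).read())`) after enabling login auditing on the instance. Any hit in `remote_sa_success` on an engine that is supposed to be local-only means the same exposure Matt describes: sa reachable on 1433 from outside, which blocking the port (or setting a real sa password, where the vendor allows it) closes.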

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
