Full Disclosure mailing list archives
Re: Spybot and SQL
From: "Matthew Farrenkopf" <farrenkm () ohsu edu>
Date: Thu, 10 Feb 2005 21:34:19 -0800
> Hi All,
>
> Has anyone seen a Spybot variant using the target machine's IP address as the password for user SA? We don't have a name for this variant yet. I might be reading my captures wrong, but that's what it looks like it's doing. I'll send captures to individuals if needed.
Some of our MSDE machines running the engine equivalent to SQL Server 7.0 were hit a few days ago, presumably by something logging in as sa with a blank password. They dropped off payloads named winlog.exe and soundblaster.exe. I found information for these files on the Internet, but neither one was detected by McAfee or Norton. Their fingerprints looked like an Agobot variant and an Rbot/SDBot variant, respectively, but as I said, neither was detected. I'm presuming the attack was automated, but I don't have any information on the attacking program.

(The MSDE engine was installed on two machines for an application we use, and the engine is used only locally by the application. The thought never crossed my mind that the engine was misconfigured with a blank sa password, but on analysis it looks like that's how the application communicates with the database. There's no option to add a password in the application, so I blocked port 1433 to the outside world. Problem solved until we can talk to the vendor.)

Matt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
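Both messages above describe the same weak spot from two angles: an automated attacker guessing the sa account with either a blank password or the target's own IP address, and an MSDE install that shipped with exactly that blank sa password. The following is an added example (not code from either poster) of the check an administrator could run against their own instances: it builds the candidate password list the thread describes and tries each one as sa. The login function is injected so the logic can be exercised without a live server; the `pymssql_login` connector at the bottom assumes the third-party `pymssql` package is installed and that the instance listens on TCP 1433.

```python
"""Audit a SQL Server / MSDE instance for the weak 'sa' credentials described
in the thread: a blank password, and the target's own IP address used as the
password. Added example; not part of the original messages."""
import ipaddress
from typing import Callable, List, Optional

# Signature of the injected login attempt: try_login(host, user, password) -> bool
LoginFn = Callable[[str, str, str], bool]


def candidate_sa_passwords(target_ip: str) -> List[str]:
    """Return the passwords an automated sa-guesser of the kind described would try.

    The first poster saw the target's IP used as the password; the second was hit
    with a blank one. Cheapest guess first. ValueError is raised for junk input so
    a mistyped host never silently produces an empty candidate list.
    """
    ip = ipaddress.ip_address(target_ip)
    return ["", str(ip)]


def audit_sa(target_ip: str, try_login: LoginFn) -> Optional[str]:
    """Try each candidate as user 'sa' against target_ip.

    Returns the password that was accepted, or None if every candidate was refused.
    Stops at the first success so a real run makes at most two login attempts.
    """
    for password in candidate_sa_passwords(target_ip):
        if try_login(target_ip, "sa", password):
            return password
    return None


def pymssql_login(host: str, user: str, password: str,
                  port: int = 1433, timeout: int = 3) -> bool:
    """Real connector for audit_sa(); assumes the pymssql package is installed.

    Any pymssql.Error (refused login, unreachable host, timeout) counts as 'not
    accepted'; we only care whether the credential lets us in.
    """
    import pymssql  # third-party; imported lazily so the rest runs without it
    try:
        conn = pymssql.connect(server=host, port=port, user=user,
                               password=password, login_timeout=timeout)
        conn.close()
        return True
    except pymssql.Error:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python audit_sa.py 10.0.0.5   (assumes pymssql is installed)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    hit = audit_sa(target, pymssql_login)
    if hit is None:
        print(f"{target}: sa refused blank password and IP-as-password")
    else:
        print(f"{target}: sa ACCEPTED password {hit!r} - fix before exposing 1433")
```

Run it from a host that can reach port 1433 on the instance; if it reports a hit, the same two guesses are all an automated worm needs, and blocking 1433 from the outside (as Matt did) only buys time until the password is actually set.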
Current thread:
- Spybot and SQL mjcarter (Feb 10)
- Re: Spybot and SQL Geza Papp dr (Axelero) (Feb 11)
- <Possible follow-ups>
- Re: Spybot and SQL Matthew Farrenkopf (Feb 10)
- Re: [SPAM] Re: Spybot and SQL Jacek Barcikowski (Feb 11)
- Re[2]: Spybot and SQL Geza Papp dr (Axelero) (Feb 11)
- New wired from Panda alets - MyDoom-AK Geza Papp dr (Axelero) (Feb 11)