New IIS worm is out...


Post by Charlie Ebe » Tue, 27 Nov 2001 00:58:40



http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

Yet another worm folks.

--

Charlie

 
 
 


Post by Chris Ahlstr » Tue, 27 Nov 2001 02:58:07


At the Mokena town meeting, Charlie Ebert stood up and made this motion:

> http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> Yet another worm folks.

From the people who brought you the term "Microsoft Security".

Chris

--
Living large and loving Linux!

 
 
 


Post by JPerri » Tue, 27 Nov 2001 03:12:51




> http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> Yet another worm folks.

Correction.  That would be a SQL Server vulnerability, not iis.  It is
only a problem if the Admin forgets to set a password upon install.
(Like, duh!).

JP

 
 
 


Post by Stuart Fo » Tue, 27 Nov 2001 03:58:14



> http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> Yet another worm folks.

Still having comprehension problems Charlie?  I think you'll find that's a
SQL worm.

Rather stupid to be directly opening 1433 to the Internet don't you think?
And then not setting a sa password?  You deserve to be hacked doing that.

 
 
 


Post by Matthew Gardine » Tue, 27 Nov 2001 05:38:02



> > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> > Yet another worm folks.

> Correction.  That would be a SQL Server vulnerability, not iis.  It is
> only a problem if the Admin forgets to set a password upon install.
> (Like, duh!).

> JP

Why even automatically run the service? If SQL is installed without a
password, then when the admin tries to get the service running it should
refuse to run until a password/account has been setup.

Mind you, we are talking about MSCE and MSCA's here ;)

Matthew Gardiner

 
 
 


Post by Joe Use » Tue, 27 Nov 2001 07:16:43



> > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> > Yet another worm folks.

> Correction.  That would be a SQL Server vulnerability, not iis.  It is
> only a problem if the Admin forgets to set a password upon install.
> (Like, duh!).

> JP

Quoting from a news story about the worm:
-----
Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
you install SQL, at no point does it ask you for an administrator username
and password -- this is installed as standard, and once it is up and running
the password still remains blank." He added, "If the SQL server is
accessible from the Internet, people can log in using a blank password and
have full access to the database, as well as the underlying operating
system."
-----

Like, duh, Microsoft!

--
Joe User

 
 
 


Post by Joe Use » Tue, 27 Nov 2001 07:19:34






> > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> > Yet another worm folks.

> Still having comprehension problems Charlie?  I think you'll find that's a
> SQL worm.

> Rather stupid to be directly opening 1433 to the Internet don't you think?
> And then not setting a sa password?  You deserve to be hacked doing that.

-----
Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
you install SQL, at no point does it ask you for an administrator username
and password -- this is installed as standard, and once it is up and running
the password still remains blank." He added, "If the SQL server is
accessible from the Internet, people can log in using a blank password and
have full access to the database, as well as the underlying operating
system."
-----

Microsoft deserves to be hacked, yes, for designing such a brain-dead
installation routine.  Not that anyone is surprised.

--
Joe User

 
 
 


Post by Stuart F » Tue, 27 Nov 2001 11:14:25







> > > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> > > Yet another worm folks.

> > Still having comprehension problems Charlie?  I think you'll find that's a
> > SQL worm.

> > Rather stupid to be directly opening 1433 to the Internet don't you think?
> > And then not setting a sa password?  You deserve to be hacked doing that.

> -----
> Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
> you install SQL, at no point does it ask you for an administrator username
> and password -- this is installed as standard, and once it is up and running
> the password still remains blank." He added, "If the SQL server is
> accessible from the Internet, people can log in using a blank password and
> have full access to the database, as well as the underlying operating
> system."
> -----

> Microsoft deserves to be hacked, yes, for designing such a brain-dead
> installation routine.  Not that anyone is surprised.

As does anyone running Cisco gear who leaves the default passwords on
their routers as cisco/cisco.  Default passwords are not solely a
Microsoft problem, and pretending that it is is just silly.
 
 
 


Post by Jim Richardso » Tue, 27 Nov 2001 13:33:55








>> > > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

>> > > Yet another worm folks.

>> > Still having comprehension problems Charlie?  I think you'll find that's a
>> > SQL worm.

>> > Rather stupid to be directly opening 1433 to the Internet don't you think?
>> > And then not setting a sa password?  You deserve to be hacked doing that.

>> -----
>> Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
>> you install SQL, at no point does it ask you for an administrator username
>> and password -- this is installed as standard, and once it is up and running
>> the password still remains blank." He added, "If the SQL server is
>> accessible from the Internet, people can log in using a blank password and
>> have full access to the database, as well as the underlying operating
>> system."
>> -----

>> Microsoft deserves to be hacked, yes, for designing such a brain-dead
>> installation routine.  Not that anyone is surprised.

> As does anyone running Cisco gear who leaves the default passwords on
> their routers as cisco/cisco.  Default passwords are not solely a
> Microsoft problem, and pretending that it is is just silly.

Perhaps you can point to someone who made such a claim? Or are you
simply building a strawman?

--
Jim Richardson
        Anarchist, pagan and proud of it
www.eskimo.com/~warlock
        Linux, because life's too short for a buggy OS.

 
 
 


Post by Stuart Fo » Tue, 27 Nov 2001 14:11:41









> >> > > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> >> > > Yet another worm folks.

> >> > Still having comprehension problems Charlie?  I think you'll find that's a
> >> > SQL worm.

> >> > Rather stupid to be directly opening 1433 to the Internet don't you think?
> >> > And then not setting a sa password?  You deserve to be hacked doing that.

> >> -----
> >> Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
> >> you install SQL, at no point does it ask you for an administrator username
> >> and password -- this is installed as standard, and once it is up and running
> >> the password still remains blank." He added, "If the SQL server is
> >> accessible from the Internet, people can log in using a blank password and
> >> have full access to the database, as well as the underlying operating
> >> system."
> >> -----

> >> Microsoft deserves to be hacked, yes, for designing such a brain-dead
> >> installation routine.  Not that anyone is surprised.

> > As does anyone running Cisco gear who leaves the default passwords on
> > their routers as cisco/cisco.  Default passwords are not solely a
> > Microsoft problem, and pretending that it is is just silly.

> Perhaps you can point to someone who made such a claim? Or are you
> simply building a strawman?

"microsoft deserves to be hacked, yes, for designing such a brain-dead
installation routine".
 
 
 


Post by Bone » Wed, 28 Nov 2001 02:13:29



> http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...
> Yet another worm folks.

Firstly, it has nothing to do with IIS. It requires that the admin of a SQL
db server doesn't set a superuser password, it must be controlled remotely
in order to launch a DDOS attack. It isn't exactly the same as Code Red
or the Admin worm.

The fix doesn't require that SQL server be patched, just that a password be
set.

BTW, haven't we had a discussion of leaving database servers out in the open
on the Internet before? IIRC, Borland had a product which had a mysterious
back-door appear after being released as open source. I believe the Borland
engineers pointed out, and rightly so, that it was a bad idea to allow
anonymous access to the database server via the Internet.

----
Bones

The opinions  stated  here are
my own, and do not necessarily
reflect  those of my employer.

 
 
 


Post by Erik Funkenbusc » Wed, 28 Nov 2001 04:00:35



> > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

> > Yet another worm folks.

> Firstly, it has nothing to do with IIS. It requires that the admin of a SQL
> db server doesn't set a superuser password, it must be controlled remotely
> in order to launch a DDOS attack. It isn't exactly the same as Code Red
> or the Admin worm.

> The fix doesn't require that SQL server be patched, just that a password be
> set.

Actually, every install of SQL Server I've done has used Windows
authentication by default.  You can install it to use a username password,
but the assumption is that if you do, you would set one.  I think the last
time I installed SQL 2000 it asked for a username and password (though I
don't recall for sure).  SQL 7 didn't.

> BTW, haven't we had a discussion of leaving database servers out in the open
> on the Internet before? IIRC, Borland had a product which had a mysterious
> back-door appear after being released as open source. I believe the Borland
> engineers pointed out, and rightly so, that it was a bad idea to allow
> anonymous access to the database server via the Internet.

Yes, actually it was the piranha exploit on Red Hat 6.2.
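
An audit for the condition discussed in the posts above (SQL logins accepted, `sa` left with a blank password), as an added example that is not part of the original thread. It assumes SQL Server 2008 or later, where `sys.sql_logins` and `PWDCOMPARE` are available, rather than the SQL Server 7/2000 releases the posters describe; the password shown is a placeholder.

```sql
-- Added audit example (T-SQL); assumes SQL Server 2008 or later.

-- 1. Authentication mode.
--    1 = Windows authentication only; 0 = mixed mode, so SQL logins
--    such as sa can authenticate with a password over the network.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL logins with a blank password, or a password equal to the
--    login name (the cisco/cisco style of default mentioned above).
SELECT name,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END   AS is_builtin_sa, -- sa keeps SID 0x01 even if renamed
       is_disabled,
       is_policy_checked,
       PWDCOMPARE('',   password_hash)          AS blank_password,
       PWDCOMPARE(name, password_hash)          AS password_equals_name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('',   password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 3. Remediation for sa: set a password and enforce the Windows
--    password policy. The value below is a placeholder, not a
--    recommendation.
ALTER LOGIN sa
    WITH PASSWORD = '<replace-with-a-long-random-secret>',
         CHECK_POLICY = ON;

-- 4. If nothing needs to log in as sa, disable it outright.
ALTER LOGIN sa DISABLE;
```

Any row returned by the second query with `is_disabled = 0` on a mixed-mode server reachable on port 1433 is the exposure the thread describes.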
 
 
 


Post by Jim Richardso » Wed, 28 Nov 2001 05:54:46












>> >> > > http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

>> >> > > Yet another worm folks.

>> >> > Still having comprehension problems Charlie?  I think you'll find that's a
>> >> > SQL worm.

>> >> > Rather stupid to be directly opening 1433 to the Internet don't you think?
>> >> > And then not setting a sa password?  You deserve to be hacked doing that.

>> >> -----
>> >> Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When
>> >> you install SQL, at no point does it ask you for an administrator username
>> >> and password -- this is installed as standard, and once it is up and running
>> >> the password still remains blank." He added, "If the SQL server is
>> >> accessible from the Internet, people can log in using a blank password and
>> >> have full access to the database, as well as the underlying operating
>> >> system."
>> >> -----

>> >> Microsoft deserves to be hacked, yes, for designing such a brain-dead
>> >> installation routine.  Not that anyone is surprised.

>> > As does anyone running Cisco gear who leaves the default passwords on
>> > their routers as cisco/cisco.  Default passwords are not solely a
>> > Microsoft problem, and pretending that it is is just silly.

>> Perhaps you can point to someone who made such a claim? Or are you
>> simply building a strawman?

> "microsoft deserves to be hacked, yes, for designing such a brain-dead
> installation routine".

I was referring to your claim that someone was pretending that default
passwords were a micros~1 problem only. Can you provide a quote of
someone saying something like that?

--
Jim Richardson
        Anarchist, pagan and proud of it
www.eskimo.com/~warlock
        Linux, because life's too short for a buggy OS.

 
 
 


Post by Jim Richardso » Wed, 28 Nov 2001 05:59:02




>> http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=z...

>> Yet another worm folks.

> Firstly, it has nothing to do with IIS. It requires that the admin of a SQL
> db server doesn't set a superuser password, it must be controlled remotely
> in order to launch a DDOS attack. It isn't exactly the same as Code Red
> or the Admin worm.

> The fix doesn't require that SQL server be patched, just that a password be
> set.

> BTW, haven't we had a discussion of leaving database servers out in the open
> on the Internet before? IIRC, Borland had a product which had a mysterious
> back-door appear after being released as open source. I believe the Borland
> engineers pointed out, and rightly so, that it was a bad idea to allow
> anonymous access to the database server via the Internet.

For clarification, it didn't "Appear" after it was open-sourced, it was
"discovered" after it was open-sourced, it had been there for years in
the closed source version.

However, open access to a database does seem somewhat risky yes.

--
Jim Richardson
        Anarchist, pagan and proud of it
www.eskimo.com/~warlock
        Linux, because life's too short for a buggy OS.

 
 
 


Post by Bone » Wed, 28 Nov 2001 13:00:03



> For clarification, it didn't "Appear" after it was open-sourced, it was
> "discovered" after it was open-sourced, it had been there for years in
> the closed source version.

Which is what all the arguing was about. Borland insisted that the back door
was not in the older, closed-source version. But, whatever, I'm just
nit-picking anyway.

----
Bones

The opinions  stated  here are
my own, and do not necessarily
reflect  those of my employer.

 
 
 
