SQL Server worm exploits blank sa password

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Douglas Brown discovered a new worm that targets Microsoft SQL Server installations where the SQL Administrator password is blank (note that this is the default configuration for SQL Server v7.0 and earlier). The worm logs in using the Administrator account, then calls a command shell to FTP and install a Trojan. The Trojan communicates with the attacker via IRC, where the attacker is able to utilize the infected systems to launch Distributed Denial of Service (DDoS) attacks.

The original SecurityFocus Report: MS-SQL Worm?

SQL Server's default behavior of blank admin password is a disaster. If you want your network to be secure, automate a scan for port 1433, used by sql server, and check for sa admin accounts with blank passwords. By using SQL's command shell, a hacker (if you are unlucky) or penetration tester (if you are lucky) can take over the server. The extent of the exposure depends on what account sql service is running under. Some sites run the service using a domain admin account. Wonderful! If you can break the sa password, or if its blank, you can use the command shell to create a new account and add it to the domain administrator's group. A blank sa password can expose the entire enterprise.

Related Tips:

Featured Links