SQL Server Worm on the Loose
A worm code-named “Voyager Alpha Force” that targets Microsoft Corp. SQL Server databases is roaming the Internet, trying to turn insecure database servers into launching pads for applications running out of FTP sites in the Philippines.
Voyager Alpha Force exploits blank SQL Server sa (system administrator) passwords, according to a security notice from Microsoft. The worm searches for servers running SQL Server by scanning for port 1433, which is the SQL Server default port. If the worm finds a server, it logs on with a blank (NULL) sa password.
If successful, the worm broadcasts the address of the unprotected SQL Server database on an IRC (Internet Relay Chat) channel. It then tries to load and run an executable file from an FTP site in the Philippines. The sa log-on gives the worm administrative access to the computer. Depending on a given system setup, the worm could also get access to other computers.
Best practices for standard security will keep the worm out. Those practices include using a non-NULL password if authentication mode is Mixed Mode. Blocking port 1433 at Internet gateways and assigning SQL Server to listen on an alternate port will also work. If port 1433 has to be available on Internet gateways, enable egress/ingress filtering to prevent port misuse. Network administrators or firewall vendors are good sources for information on how to set up ingress/egress filtering.
Learn Microsoft’s plans for automatic SQL Server patches.
Another best practice is to enable auditing for successful and failed log-ins, then stopping and restarting the MSSQLServer service. Also, run the SQLServer service and SQL Server Agent under an ordinary Microsoft Windows NT account, not a local administrative account.
Click here for more detailed instructions on dealing with the worm and to find a list of files that indicate the presence of the worm.
Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in eWEEK.