Brute force scanning against MS SQL server accounts; Are you paranoid enough?

Published: 2004-12-30
Last Updated: 2004-12-31 03:08:29 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)

Brute force scanning against MS SQL server accounts

This isn't necessarily new, but the Bad Guys (tm) are still trying to
break into Microsoft SQL servers using brute force techniques. We
received a packet capture from one site that had 96 password attempts
in 4 seconds. We believe that the tool being used is called SQLck.exe.
When running on a compromised server, it will likely consume 100% CPU.
If you have a compromised server with this binary, please send it to

Maybe now would be a good time to validate the following security
practices with regard to ALL database platforms:

1. Do you really need to have the SQL server ports open to the outside
world? You should have a firewall in front of your database filtering
the inbound traffic. If you need the ports open to the Internet,
consider restricting the source IP addresses that can connect.

2. Are you sure that you have a strong password for the SQL admin
accounts? The Bad Guys (tm) are using very large dictionary lists
(60,000+ words) to break into your server.

3. Do you have your IDS system alerting on failed login attempts?
The Snort signature ID is 688: MS-SQL sa login failed.

Are you paranoid enough?

Warning!! Do not go any further if you read your e-mail with a tin-foil
hat or if a secret government agency has broken into your computer!

So there has been some interesting events unfold recently on the various
security mailing lists. The first is an alleged backdoor in two
security products (which has yet to be confirmed). The second is a bug
in the NASM compiler that could give an attacker your privileges if you
compile his code with NASM.

These things got me thinking about compilers, source code, and trust.
When it comes to computers, can you trust any program that you didn't
write yourself? Ken Thompson wrote a very nice article in August 1984
on this very topic called "Reflections on Trusting Trust."

Reprint here:

ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.

Please submit entries to by Jan. 2nd 1200hrs GMT to be added to the diary.

0 comment(s)


Diary Archives