Security Incidents mailing list archives
Re: Strange scan on 1433
From: George Bakos <gbakos () ists dartmouth edu>
Date: Tue, 21 May 2002 17:45:29 -0400
My apologies for the initial misinterpretation. The random password() function is only invoked when assigning a temporary password to the Guest account, as well as for setting one on the previously null sa. There is no attempt to hammer out passwords for entry. The incidents.org diary entries have been amended, and a more in-depth analysis submitted. Again, My apologies for the premature announcement, although good passwords are always a fine idea. On Tue, 21 May 2002 11:46:49 -0500 "Blake Frantz" <blake () mc net> wrote:
-----Original Message----- From: David LaPorte [mailto:david_laporte () harvard edu] Sent: Tuesday, May 21, 2002 10:23 AM To: Pavel Lozhkin; incidents () securityfocus com Subject: RE: Strange scan on 1433 They're looking for MS-SQL servers with blank/default sa passwords thatare missing the MS02-020It's not limited to *blank* sa passwords: From: http://www.incidents.org/diary/diary.php?id=156 <snip> IMPORTANT ADDITION (thanks to George Bakos, ISTS for pointing this out): The worm includes code to brute force the SA password. Using a password larger than 8 characters, or a password containing non alphanumeric characters (punktuation) will defend against this brute forcing. </snip> Additionally, roelof () sensepost com / haroon () sensepost com from sensepost wrote a .pl for finding blank sa passwords. Some may find it useful. http://www.sensepost.com/misc/SQLinsertion.htm -Blake ----------------------------------------------------------------------- ----- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- George Bakos Institute for Security Technology Studies Dartmouth College gbakos () ists dartmouth edu voice 603-646-0665 fax 603-646-0666 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Strange scan on 1433 Pavel Lozhkin (May 21)
- Re: Strange scan on 1433 dr john halewood (May 21)
- Re: Strange scan on 1433 Jason Robertson (May 21)
- RE: Strange scan on 1433 David LaPorte (May 21)
- RE: Strange scan on 1433 Deus, Attonbitus (May 21)
- RE: Strange scan on 1433 Blake Frantz (May 21)
- Re: Strange scan on 1433 George Bakos (May 21)
- Worms and CScript/WScript Blake Frantz (May 21)
- Re: Worms and CScript/WScript Ryan Russell (May 21)
- RE: Worms and CScript/WScript Michael Wright (May 21)
- RE: Worms and CScript/WScript Nick FitzGerald (May 22)
- RE: Worms and CScript/WScript Richard H. Cotterell (May 26)
- RE: Worms and CScript/WScript Nick FitzGerald (May 27)
- RE: Worms and CScript/WScript Richard H. Cotterell (May 28)
- Re: Strange scan on 1433 dr john halewood (May 21)
- Re: Strange scan on 1433 Johannes Ullrich (May 21)