SQL Worm - Are we lazy

  • I will at some point, probably, also compare it to HFNetChkLt. However, until I get into the nooks and crannies I can't comment much on it other than that, for what we've used it for (identifying security patch needs and some minor pushes), it works great. It's being bundled with Retina Scanner from eEye (http://www.eeye.com) as well now.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Well I'll take the lazy hit, but we really have just begun installing SQL2k.

    I had verified that 1434 was blocked, but we think that it back doored through a VPN, RAS or ???

    The interesting thing though was the number of systems we found out about.

    I am the DBA in charge of the Application DBs; there are just about as many in the infrastructure area. MOMs, McAfee, Real Secure and a large number of 3rd party apps running MSDE under the covers. Even if I had patched my machines, I SHOULD HAVE and HAVE BEAT MYSELF SILLY SEVERAL TIMES FOR NOT DOING IT, we still would have had a mess due to these unknown systems.

    KlK, MCSE


    KlK

  • I feel for you, KlK:

    TruSecure pointed out the obvious vectors other than direct attached to the Internet:

    Hibernated laptop

    VPN

    RAS

    They provided easy access to the soft underbelly of internal LANs that had solid perimeters. If this isn't a warning to secure all systems, even those which will never be exposed to the Internet, I don't know what is.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Thanks, but I really did it to myself. What bugs the H outa me is we are a big DB2/UDB shop. And we have just made a couple of BIG steps proving SQL Server can hold its own, and is so much easier to use than UDB. I have to support SQL Server, UDB on NT and AIX, and I used to do a lot of MF IMS so I know. And then this **** thing hits; haven't gotten a feel for how tarnished our image is.

    But yea, don't assume the firewall, and VScanners will protect you. Inside or out you gotta keep your eyes open.

    Thanks.

    KlK, MCSE


    KlK

  • I liked the article on MS getting slapped too. Just goes to show no matter what there will be those openings for attack. The only thing though is, if you are not keeping up with the news on these things and not keeping yourself covered as best as possible, then it is shame on you. Of course everyone loves to claim the vendors are to blame, but remember you have coders who want to make stuff and coders who will go out of their way to break stuff, so as long as you are worth hitting (mostly big companies) then someone will.

  • My first reaction is yes, you are lazy if you got hit. This patch has been out for some time, and there isn't a good excuse for not patching your systems. At least the majority of them.

    On second thought, it is tough and being in a large company, it does take time to get things approved.

    That being said, part of your job is patching systems. Not sure how many you guys manage, but I have a couple dozen servers and have scanned about 1700 in our company. Most of these are Personal/MSDE, but they're still out there and need to be patched.

    We were fine until Monday night. Somehow a VPN or laptop user got infected and hit the internal network. We lack internal firewalls on the main LAN, though our DMZ was ok. It was surely an eye opening experience that will change some things around here.

    Most of my servers were ok. A few that we've been holding off because of SP2 issues conflicting with software were hit. Was a long couple days for me.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net
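    The "unknown systems" KlK and Steve describe are the real problem here: MSDE instances bundled with MOM, anti-virus consoles and other products answer the same SQL Server Resolution Service on UDP 1434 that Enterprise Manager uses to list instances. Below is an added Python example (not code from anyone in this thread) that parses such a resolution-service reply and flags every SQL Server 2000 instance reporting a build below SP3 (8.00.760) for a patch check. The sample reply bytes, the host name APPSRV01 and the instance name MSDEAPP are constructed for the example.

```python
from __future__ import annotations
import socket
import struct

SSRP_PORT = 1434           # SQL Server Resolution Service (UDP)
SQL2000_SP3_BUILD = 760    # 8.00.760 is SQL Server 2000 SP3, which includes the MS02-039 fix

# Constructed sample reply (SVR_RESP: 0x05, little-endian length, key;value text, ";;"
# after each instance): a default instance at SP3 beside a bundled MSDE instance at SP2.
SAMPLE_PAYLOAD = (
    b"ServerName;APPSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;tcp;1433;;"
    b"ServerName;APPSRV01;InstanceName;MSDEAPP;IsClustered;No;Version;8.00.534;tcp;2433;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Turn one SVR_RESP datagram into a dict per advertised instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in filter(None, body.split(";;")):
        fields = record.split(";")
        instances.append(dict(zip(fields[0::2], fields[1::2])))  # key;value pairs
    return instances


def needs_attention(inst: dict[str, str]) -> bool:
    """SQL Server 2000 instance reporting a build older than SP3.

    Caveat: a pre-SP3 build may still carry the standalone MS02-039 hotfix, so
    treat the result as a triage list to verify, not proof the instance is exposed."""
    major, minor, build = (int(p) for p in inst.get("Version", "0.0.0").split(".")[:3])
    return (major, minor) == (8, 0) and build < SQL2000_SP3_BUILD


def triage(data: bytes) -> list[str]:
    """'HOST\\INSTANCE version' for every instance in the reply that is below SP3."""
    return [f"{i['ServerName']}\\{i['InstanceName']} {i['Version']}"
            for i in parse_ssrp_response(data) if needs_attention(i)]


def query_host(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Ask one host's resolution service to list its instances (CLNT_UCAST_EX = 0x03,
    the same request Enterprise Manager and 'osql -L' rely on)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x03", (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)
```

    Running triage over replies gathered from your own server list gives the inventory of bundled MSDE instances that the thread shows firewalls alone will not find.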

  • quote:

    Well I'll take the lazy hit, but we really have just begun installing SQL2k.

    I had verified that 1434 was blocked, but we think that it back doored through a VPN, RAS or ???

    The interesting thing though was the number of systems we found out about.

    I am the DBA in charge of the Application DBs; there are just about as many in the infrastructure area. MOMs, McAfee, Real Secure and a large number of 3rd party apps running MSDE under the covers. Even if I had patched my machines, I SHOULD HAVE and HAVE BEAT MYSELF SILLY SEVERAL TIMES FOR NOT DOING IT, we still would have had a mess due to these unknown systems.

    KlK, MCSE


    Hehehehehehe, glad you mentioned MOM. My manager set up MOM on a machine near him and I did not have details on it yet. When I read this I just called and asked. He forgot to patch it, so I have my morning set to do so. Hopefully no worry with the wait.

  • Sorry for the daft question, but what is a hibernating laptop?

    To summarise the key points that have arisen due to Slammer.

    Patches/Service Packs are not applied because:

    • Applying a patch to SQL may invalidate support for 3rd Party apps. Some apps are too complex to live without support.
    • Administrative burden of applying patches to a large number of machines.
    • Lack of testing resources.
    • Lack of faith in hot-fixes; may break existing apps.
    • We're lazy (deliberately at the end of this list).

    Other lessons

    • More could be achieved with firewalls.
    • Vulnerabilities exist because of legitimate access via VPN etc.
    • Early warning systems are needed for sudden excessive increases in network traffic.
  • quote:

    Sorry for the daft question, but what is a hibernating laptop?

    I have heard this term "hibernating computer" used in place of a "computer in sleep mode".

    -SQLBill

  • I would have to say we are not lazy.

    I would agree with everyone that has posted thus far that there are various hoops, hurdles, reviews, approvals etc... to get hotfixes, sp's etc.. installed not limited to and certainly not being restricted by internal policies.

    I am working in a shop that is primarily a mainframe shop and are just now trying (for the last 2 years) NT and Windows2K and SQL Server. To get anything installed as far as fixes/sp's, etc.. is literally a 6 month - 1 year plan.

    Luckily, due to the small scope of the SQL world here and the fact that we are so new we can get around those issues and apply after reasonable review and testing on development servers.

    We were hit very hard by the Slammer; however, through an unrelated issue I had upgraded our SQL servers to SP3 and they were unaffected. This didn't stop the networking team from disabling my own workstation though.

    I think the bottom line is no matter what we think we need to do we still need to do it the right way and have everything documented/approved before going forward.

    Thanks for letting me ramble,

    AJ

    AJ Ahrens

    SQL DBA

    Custom Billing AT&T Labs



    Good Hunting!

    AJ Ahrens


    webmaster@kritter.net

  • The company I work for has several databases on a SQL Server Cluster, each database belonging to a different contract. To get downtime to apply Service Packs, all of the contracts have to agree, and this just does not happen. Plus the fact that we only have the one cluster means we are unable to test first, so we have to put fixes straight into a live production environment. I would suggest that this might be the case with many medium to large businesses.

    Pete

  • Knowing which hotfix(es) need to be installed to protect your servers takes resources that may not be available. Once information about the vulnerability is in the popular press, it's too late. A newsletter that I have found useful is The SANS (SysAdmin, Audit, Network, Security) Institute Critical Vulnerability Analysis (CVA). This weekly newsletter provides info about the most critical vulnerabilities and what steps "15 giant organizations took to protect themselves."

    The newsletter is free. You can sign up at:

    http://www.sans.org/newsletters/

    This information can help escalate the priority of installing critical hotfixes.

    Mike

  • Thanks for the URL.

    I have just subscribed. It takes a lot of research and checking to see when these come out and hopefully this will help streamline and reduce the effort.

    Thanks,

    AJ

    AJ Ahrens

    SQL DBA

    Custom Billing AT&T Labs



    Good Hunting!

    AJ Ahrens


    webmaster@kritter.net

  • A few things.

    First, the vulnerability was published July 2002. Microsoft provided a patch at that time. The security bulletin is MS02-039. So it's been known about for a while. NGSSoftware's Litchfield even provided proof of concept code... now it looks like a possibility such code was used to create the worm. Ugh.

    Second, it appears that if you patched the memory leak issue identified in Q317748 but didn't apply MS02-061 or SP3, you made your machine vulnerable again, because the files included in Q317748 included an older version of the file that patched the MS02-039 vulnerability. The language from Microsoft's technical bulletin on MS02-061:

    quote:

    If you have applied the original security patch and decide to apply the patch from Knowledge Patch article Q317748 you must answer "no" when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

    Oops.

    Finally, if you aren't already subscribed to the Microsoft Security Notification Service, don't hesitate. The other services (to include NTBugTraq) are great, especially when a researcher practices open disclosure. However, if you want to know exactly when Microsoft is releasing a security patch, here's the method to do so:

    http://www.microsoft.com/technet/security/bulletin/notify.asp

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Did anybody try the new SQL Critical Update utility?

    You can find it at

    http://www.microsoft.com/sql/downloads/securitytools.asp

    If it works we can be lazy.

    Joachim.
