> Hi All,
> Has anyone seen a spybot variant using the target machine's
> IP address as the password for user SA?
>
> We don't have a name for this variant yet. I might be
> reading my captures wrong, but that's what this looks like
> it's doing.
>
> I'll send captures to individuals if needed.
Some of our MSDE machines running the engine equivalent to SQL Server 7.0 were hit a few days ago, presumably by something logging in as sa with a blank password. They dropped off payloads named winlog.exe and soundblaster.exe. I found information for these files on the Internet, but neither one was detected by McAfee or Norton. Their fingerprints looked like an Agobot variant and an Rbot/SDBot variant, respectively, but as I said, neither was detected. I'm presuming the attack was automated, but I don't have any information on the attacking program.

(The MSDE engine was installed on two machines for an application we use, and the engine is used only locally by the application. The thought never crossed my mind that the engine was misconfigured with a blank sa password, but on analysis it looks like that's how the application communicates with the database. There's no option to add a password in the application, so I blocked port 1433 to the outside world. Problem solved until we can talk to the vendor.)

Matt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
