Please help!

  • Hello,

    I am running SQL Server 2000, SP3.

    My Web site is ASP/ADO based.

    The connection string with user ID and password is residing in the global.asa file.

    Somehow password (sa) was changed.

    I cannot figure out how it was done.

    It happened 3 times in the last 2 months.

    Please help to resolve this mystery!

    Yury.

  • Was the user id in global.asa sa or an account with membership in the sysadmin server role? If so, does your application protect against SQL Injection?

    Is the SQL Server on the same system?

    Who else has administrative access to the SQL Server and/or the system itself?

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • No, I do not have protection against SQL injection.

    Yes, SQL Server is on the same system.

    Yury.

    quote:


    Was the user id in global.asa sa or an account with membership in the sysadmin server role? If so, does your application protect against SQL Injection?

    Is the SQL Server on the same system?

    Who else has administrative access to the SQL Server and/or the system itself?

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/


  • Okay, based on what you've said, there are a number of ways in that are worrisome. Here are 3 that come to mind.

    1) Since SQL Server and IIS are on the same system, someone potentially gaining control of the system through an IIS vulnerability basically can do whatever they want to on SQL Server. This depends on what steps you've taken to harden your web server.

    2) If your application isn't protected from SQL Injection and you've not coded defensively, then someone might have the ability to run sp_password using an injection attack. This depends on what permissions the user account you use for your web application has.

    3) You didn't specify whether or not someone could get directly to the SQL Server from the outside. If they could, then it's entirely possible someone ran either a brute force attack or a dictionary attack to crack the sa password. Since SQL Server 2000 doesn't do anything special for failed logins by default (you can turn such auditing on) and since it doesn't lock out accounts after a number of failed login attempts, an attacker could just run a program to crack the password, taking whatever time it needs.

    At this point, assume the system is compromised. If no one else has the ability to reset the sa password other than you, then this really is the only logical explanation. If someone else does, try and find out if they did.

    In either case, since the system is probably compromised, here's what you typically want to do (don't know if it's feasible... but cleaning up a "rooted" system is never sure-fire):

    1) Make a backup of your user databases.

    2) Make a backup of the files you use in your web application.

    3) Wipe the box and start over.

    4) Before putting the system on-line, read the best practices for hardening a web server on the Microsoft site.

    5) Before putting the system back on-line, determine the maximum permissions the account needs.

    6) Before putting the system back on-line, understand how SQL Injection works and determine what changes you can make to eliminate it.

    7) Reinstall the system, putting into place the security practices you've just learned about.

    8) Install Nessus or a similar vulnerability scanner and let it scan your system. If you don't have a Linux system, hopefully you have a friend who does, and what would be even better is if that friend understands how to do scans. Nessus is open source, BTW.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

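As an added example (not from either poster), here is a SQL Server 2000 T-SQL checklist that puts Brian's points into practice: dating the sa change, finding who holds sysadmin, turning on failed-login auditing, and replacing the sa connection with a least-privilege login that can only execute parameterized procedures. The database, login, table and procedure names (MyAppDb, webapp_user, Products, usp_GetProduct) are hypothetical placeholders.

```sql
-- Added example, not code from the thread. Names below are hypothetical placeholders.

-- 1. When was sa last modified? syslogins.updatedate records password/property
--    changes and lets you date each of the three incidents against IIS logs.
SELECT name, createdate, updatedate
FROM master.dbo.syslogins
WHERE name = 'sa';

-- 2. Who holds sysadmin? The web application's login should not appear here.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 3. Audit failed logins (AuditLevel 2 = failure, 3 = success and failure).
--    SQL Server 2000 ships with this off; the setting takes effect after a
--    service restart, then failed attempts appear in the SQL Server error log.
--    This writes the same registry value Enterprise Manager's Security tab sets.
EXEC master.dbo.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 2;

-- 4. Replace the sa connection string with a dedicated login that owns nothing.
--    Pick a strong password and keep the connection string outside the web root.
EXEC sp_addlogin 'webapp_user', '<strong-password-placeholder>', 'MyAppDb';
GO
USE MyAppDb;
GO
EXEC sp_grantdbaccess 'webapp_user';
GO

-- 5. Expose data only through parameterized procedures and grant EXECUTE on
--    them alone: the login gets no direct table rights, and without sysadmin
--    it cannot use sp_password on any login but its own.
CREATE PROCEDURE dbo.usp_GetProduct
    @ProductID int
AS
    SET NOCOUNT ON;
    SELECT ProductID, Name, Price
    FROM dbo.Products
    WHERE ProductID = @ProductID;
GO
GRANT EXECUTE ON dbo.usp_GetProduct TO webapp_user;
GO

-- 6. Verify from a session opened as webapp_user: both columns should be 0.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner;
```

On the ASP side, call usp_GetProduct through an ADODB.Command with a typed parameter rather than concatenating user input into a SQL string; the procedure-only grant then limits what any injected text could reach.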
