Article ID: 313418 - View products that this article applies to.
This article was previously published under Q313418
A worm, code-named "Voyager Alpha Force," that takes advantage of blank SQL Server system administrator (sa) passwords has been found on the Internet. The worm looks for a server that is running SQL Server by scanning for port 1433. Port 1433 is the SQL Server default port. If the worm finds a server, it tries to log in to the default instance of that SQL Server with a blank (NULL) sa password.
If the login is successful, it broadcasts the address of the unprotected SQL Server on an Internet Relay Chat (IRC) channel, and then tries to load and run an executable file from an FTP site in the Philippines. Logging in to SQL Server as sa gives the user administrative access to the computer, and depending on your particular environment, possibly access to other computers.
Each of the steps in this section will help to make your system more secure in general, and any one of them alone will prevent this particular worm from infecting your server that is running SQL Server. Note that these steps are part of the standard security "best practices" for any SQL Server installation.
"Steps for Recovering from a UNIX or NT System Compromise"Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Important: There is no bug in SQL Server that permits this penetration; it is a vulnerability that is created by an unsecured system.
The following files indicate the presence of the worm:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskRegThe following registry keys are existing keys for SQL Server, and they are used by the worm to control access to the computer by using the TCP/IP network library:
SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrderThe worm uses the xp_cmdshell extended stored procedure, which allows the worm to run any operating system command that the account running the SQL Server service has permission to run.
For more information about how to help secure a SQL Server server, visit the following Microsoft Web sites:
Article ID: 313418 - Last Review: October 17, 2012 - Revision: 8.0