Agent 1433: remote attack on Microsoft SQL Server

[harlan4096]

All over the world companies large and small use Microsoft SQL Server for database management. Highly popular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attack on Microsoft SQL Server — the remote attack based on malicious jobs — has been around for a long time, but it is still used to get access to workstations through less-than-strong administrator password.

According to our statistics, the majority of such attacks fall on Vietnam (>16%), Russia (~12%), India (~7%), China (~6%), Turkey and Brazil (5% each).

Attack description

Microsoft SQL Server attacks are normally massive in nature and have no particular target: the attackers scan sub-networks in search of a server with a weak password. The attack begins with a remote check of whether the system has MS SQL Server installed; next the intruders proceed to brute-force the account password to access the system. In addition to password brute-forcing, they may also resort to authorization via a user account token, authorized on a previously infected machine.

Continue Reading