3543.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 66 行

Rule: 

--
Sid:
3543

-- 
Summary: 
This event is generated when an attempt is made to access a host running Microsoft SQL Server or utilizing MSDE via the default "sa" account.

-- 
Impact: 
Information disclosure. Unauthorized administrative access to the host.

--
Detailed Information:
This event is generated when an attempt is made to access a host via the "sa" account using brute force techniques to guess a password.

Microsoft SQL server and MSDE components use a default "sa" account with a default password as the administrative user for the database installation. This event indicates that numerous failed attempts have been made to access the target host using this account.

--
Affected Systems:
	Microsoft SQL Server 2000
	Microsoft SQL Server 7.0
	Systems using Microsoft MSDE components

--
Attack Scenarios:  
An attacker can use an automated script to gain access to a host and the database contents as an administrator by repeatly attempting to login using the "sa" account and different passwords.

Some worms also try to brute force entry using this methodology.

-- 
Ease of Attack: 
Simple,

-- 
False Positives: 
None Known

--
False Negatives: 
None Known

-- 
Corrective Action: 
Apply the appropriate vendor supplied patches

Change the default "sa" password

Disable the "sa" account.

--
Contributors: 
Sourcefire Vulnerability Research Team
Alex Kirk <alex.kirk@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

OSVDB:
http://www.osvdb.org/15757

--