Solved

How to prevent  'sa' password  corruption or changed by outside source?

Posted on 2003-10-23
7
888 Views
Last Modified: 2010-04-11
Hello,
I am running SQL Server 2000, SP3.
My Web site is ASP/ADO based and running on the same machine with SQL Server.
Connection with user ID and password string are resigning in global.asa file.
Somehow password (sa) was changed.
I cannot figure out how it was done.
It happened 3 times in the last 2 month.
Please help to resolve this mystery!
Why it happened?
How to prevent it to happen again?

Yury.
0
Comment
Question by:yuryudis
7 Comments
 

Accepted Solution

by:
pheonix05 earned 125 total points
Comment Utility
most likely you have not secured your server from being hacked, such that administrative priveledges were gained by the attacker. At which point they most likely have the ability to change the sa password.  Or if they are on the system they might be able to hack it (brute force).  Can people from the out side connect to your SQL server?  Make sure the server is up to date.  Make sure that services that you do not use are not running on the server.  Check MS "best practices" references.  Make sure you pick a sufficiently hard password to guess.  Make sure that your ASP code is not the culprit whereby a query can be passed to it to make the alterations.  
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 125 total points
Comment Utility
Your server may has exploites , so ,
Download trial versions (Shadow Database Scanner) from http://www.safety-lab.com/en/products/6.htm

or Shadow Security Scanner from http://www.safety-lab.com/en/products/1.htm

to degianostic and patch the exploites
0
 
LVL 2

Assisted Solution

by:fishtank
fishtank earned 125 total points
Comment Utility
Suppose you have firewall protect your Web/SQL to prevent external attacks.

If the Microsoft RPCSS DCOM Interface Long Filename Heap Corruption Vulnerability KB824146 (THE NEW RPC PATCH!) patch have not apply, your system may break-in by someone who will have administrator privilege and may changed your MSSQL password to start a job with you ;) ?!

http://www.securityfocus.com/bid/8459
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0528

My wild guess is someone break-in thru RPC vulneability to change the MSSQL sa password. Recently MSSQL has no new vulnerability to allow remote break-in but NEW RPC.  So that I guess this issue may not caused by SQL but Windows.

Suppose you have firewall protected the system ports TCP 135,445,593 and UDP 135,137,138,445, there will be less chances for external break-in. Check any suspicious connection from internal! You should check the eventlog see what's happened during password changed period. Install a IDS to monitor the suspicious traffic and alert the network admin when any RPC attacks alert trigger.

In addition, your SQL may allow sa or native Windows login, any server with same administrtor password also can change your SQL sa password remotely.

Check and apply the latest patch to system always true, however disabling DCOM will limit exposure to this issue in future. However, this will limit remote access to the system.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 125 total points
Comment Utility
Depending on your patch level, there was a SQL Server 2000 problem that blanked out the sa password when you change Windows security. If you select the SQL Server and Windows Security Authentication option when you install SQL Server 2000, you have to enter a password for the sa account. However, if you select the Windows-only option for security authentication and later change the authentication to the SQL Server and Windows mode, the sa password is blank.

To work around this error, set up a password for the sa account before changing the security mode from Windows-only to SQL Server and Windows. SQL Server will then keep the password setup for the sa account. You can use the sp_password stored procedure to set up a password for the sa account.
0
 
LVL 18

Expert Comment

by:chicagoan
Comment Utility
been  a while since we heard from you, did the above comments help you find a solution?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now