
How to prevent the 'sa' password from being corrupted or changed by an outside source?

Hello,
I am running SQL Server 2000, SP3.
My Web site is ASP/ADO based and runs on the same machine as SQL Server.
The connection string with the user ID and password resides in the global.asa file.
Somehow the password (sa) was changed.
I cannot figure out how it was done.
It happened 3 times in the last 2 months.
Please help to resolve this mystery!
Why did it happen?
How do I prevent it from happening again?

Yury.
Asked by: yuryudis
 
pheonix05 commented:
Most likely you have not secured your server from being hacked, such that administrative privileges were gained by the attacker. At which point they most likely have the ability to change the sa password. Or if they are on the system they might be able to hack it (brute force). Can people from the outside connect to your SQL server? Make sure the server is up to date. Make sure that services that you do not use are not running on the server. Check MS "best practices" references. Make sure you pick a sufficiently hard password to guess. Make sure that your ASP code is not the culprit whereby a query can be passed to it to make the alterations.
 
nader alkahtani (Network Engineer) commented:
Your server may have exploits, so download the trial version of Shadow Database Scanner from http://www.safety-lab.com/en/products/6.htm

or Shadow Security Scanner from http://www.safety-lab.com/en/products/1.htm

to diagnose and patch the exploits.
 
fishtank commented:
Suppose you have a firewall protecting your Web/SQL server to prevent external attacks.

If the patch for the Microsoft RPCSS DCOM Interface Long Filename Heap Corruption Vulnerability, KB824146 (THE NEW RPC PATCH!), has not been applied, your system may be broken into by someone who will have administrator privileges and may have changed your MSSQL password to start a job with you ;) ?!

http://www.securityfocus.com/bid/8459
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0528

My wild guess is that someone broke in through the RPC vulnerability to change the MSSQL sa password. Recently MSSQL has had no new vulnerability that allows a remote break-in, but there is the NEW RPC one. So I guess this issue may not be caused by SQL but by Windows.

Suppose you have firewall-protected the system ports TCP 135, 445, 593 and UDP 135, 137, 138, 445; there will be less chance of an external break-in. Check for any suspicious connections from inside! You should check the event log to see what happened during the period when the password was changed. Install an IDS to monitor suspicious traffic and alert the network admin when any RPC attack alert triggers.

In addition, your SQL Server may allow sa or native Windows login, so any server with the same administrator password can also change your SQL sa password remotely.

Checking for and applying the latest patches to the system always holds true; however, disabling DCOM will limit exposure to this issue in future. However, this will limit remote access to the system.
 
chicagoan commented:
Depending on your patch level, there was a SQL Server 2000 problem that blanked out the sa password when you change Windows security. If you select the SQL Server and Windows Security Authentication option when you install SQL Server 2000, you have to enter a password for the sa account. However, if you select the Windows-only option for security authentication and later change the authentication to the SQL Server and Windows mode, the sa password is blank.

To work around this error, set up a password for the sa account before changing the security mode from Windows-only to SQL Server and Windows. SQL Server will then keep the password setup for the sa account. You can use the sp_password stored procedure to set up a password for the sa account.
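The workaround described in the answer above, written out as an added T-SQL example for SQL Server 2000 (it is not part of the original thread). It checks the authentication mode, lists SQL logins with a blank password, sets the sa password with sp_password, and verifies the result; the password shown is a placeholder, and the script assumes it is run in Query Analyzer by a member of sysadmin.

```sql
-- Added example (not from the thread). SQL Server 2000, run as sysadmin.

-- 1. Current authentication mode:
--    1 = Windows-only, 0 = SQL Server and Windows (mixed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsOnlyMode
GO

-- 2. SQL Server logins that have no password at all.
--    In SQL Server 2000 a blank password appears as NULL in syslogins.
--    Windows users and groups also show NULL here, so filter them out.
SELECT name
FROM master.dbo.syslogins
WHERE password IS NULL
  AND isntname = 0
ORDER BY name
GO

-- 3. Give sa a password BEFORE switching from Windows-only to
--    SQL Server and Windows mode. @old = NULL lets a sysadmin set the
--    password without knowing the previous one.
--    '<strong-password-here>' is a placeholder; replace it.
EXEC sp_password @old = NULL,
                 @new = '<strong-password-here>',
                 @loginame = 'sa'
GO

-- 4. Verify. Run this again after the authentication mode has been
--    changed and the service restarted.
IF EXISTS (SELECT * FROM master.dbo.syslogins
           WHERE name = 'sa' AND password IS NULL)
    PRINT 'sa still has a blank password'
ELSE
    PRINT 'sa has a password set'
GO
```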
 
chicagoan commented:
It's been a while since we heard from you. Did the above comments help you find a solution?
Question has a verified solution.