Solved

How to prevent 'sa' password corruption or change by an outside source?

Posted on 2003-10-23
Last Modified: 2010-04-11
Hello,
I am running SQL Server 2000, SP3.
My Web site is ASP/ADO based and runs on the same machine as SQL Server.
The connection string with the user ID and password resides in the global.asa file.
Somehow the password (sa) was changed.
I cannot figure out how it was done.
It happened 3 times in the last 2 months.
Please help to resolve this mystery!
Why did it happen?
How can I prevent it from happening again?

Yury.
0
Question by:yuryudis
7 Comments
 

Accepted Solution

by:
pheonix05 earned 500 total points
ID: 9609740
Most likely you have not secured your server from being hacked, such that administrative privileges were gained by the attacker. At which point they most likely have the ability to change the sa password. Or if they are on the system they might be able to hack it (brute force). Can people from the outside connect to your SQL server? Make sure the server is up to date. Make sure that services that you do not use are not running on the server. Check MS "best practices" references. Make sure you pick a sufficiently hard password to guess. Make sure that your ASP code is not the culprit whereby a query can be passed to it to make the alterations.
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 500 total points
ID: 9615486
Your server may have exploits, so
download trial versions (Shadow Database Scanner) from http://www.safety-lab.com/en/products/6.htm

or Shadow Security Scanner from http://www.safety-lab.com/en/products/1.htm

to diagnose and patch the exploits.
0
 
LVL 2

Assisted Solution

by:fishtank
fishtank earned 500 total points
ID: 9619536
Suppose you have a firewall protecting your Web/SQL server to prevent external attacks.

If the Microsoft RPCSS DCOM Interface Long Filename Heap Corruption Vulnerability KB824146 (THE NEW RPC PATCH!) patch has not been applied, your system may be broken into by someone who will have administrator privilege and may have changed your MSSQL password to start a job with you ;) ?!

http://www.securityfocus.com/bid/8459
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0528

My wild guess is that someone broke in through the RPC vulnerability to change the MSSQL sa password. Recently MSSQL has had no new vulnerability allowing remote break-in, but RPC has a new one. So I guess this issue may not be caused by SQL but by Windows.

Suppose you have firewalled the system ports TCP 135,445,593 and UDP 135,137,138,445; there will be less chance of an external break-in. Check for any suspicious connections from inside! You should check the event log to see what happened during the period when the password was changed. Install an IDS to monitor suspicious traffic and alert the network admin when any RPC attack alert triggers.

In addition, your SQL may allow sa or native Windows login; any server with the same administrator password can also change your SQL sa password remotely.

Always check for and apply the latest patches to the system; however, disabling DCOM will limit exposure to this issue in future. However, this will limit remote access to the system.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 500 total points
ID: 9806611
Depending on your patch level, there was a SQL Server 2000 problem that blanked out the sa password when you change Windows security. If you select the SQL Server and Windows Security Authentication option when you install SQL Server 2000, you have to enter a password for the sa account. However, if you select the Windows-only option for security authentication and later change the authentication to the SQL Server and Windows mode, the sa password is blank.

To work around this error, set up a password for the sa account before changing the security mode from Windows-only to SQL Server and Windows. SQL Server will then keep the password setup for the sa account. You can use the sp_password stored procedure to set up a password for the sa account.
0
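The workaround chicagoan describes, as an added T-SQL example that is not part of the original thread: on SQL Server 2000, check the authentication mode, list SQL logins that have no password stored, and give sa a password before switching to mixed mode. The password string is a placeholder to be replaced.

```sql
-- Added example for SQL Server 2000; run in Query Analyzer as a sysadmin member.

-- 1. Current authentication mode:
--    1 = Windows-only, 0 = SQL Server and Windows (mixed mode).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only_mode;

-- 2. SQL Server logins with no password stored.
--    isntname = 0 excludes Windows users and groups, which never store one.
--    updatedate shows when the login row was last modified, which helps
--    narrow down the time window to review in the event log.
SELECT name, sysadmin, updatedate
FROM master.dbo.syslogins
WHERE isntname = 0
  AND password IS NULL;

-- 3. Give sa a password while the server is still in Windows-only mode.
--    A sysadmin member may pass NULL as the old password.
--    '<REPLACE-WITH-STRONG-PASSWORD>' is a placeholder, not a real value.
EXEC sp_password
     @old = NULL,
     @new = '<REPLACE-WITH-STRONG-PASSWORD>',
     @loginame = 'sa';

-- 4. Re-run the audit for sa: this must return no rows before the mode is
--    changed to "SQL Server and Windows".
SELECT name
FROM master.dbo.syslogins
WHERE name = 'sa'
  AND password IS NULL;
```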
 
LVL 18

Expert Comment

by:chicagoan
ID: 9893182
Been a while since we heard from you; did the above comments help you find a solution?
0
