Hacker finds 492,000 unprotected Oracle, SQL database servers

Hacker finds 492,000 unprotected Oracle, SQL database servers

Summary: A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.

SHARE:

A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.David Litchfield — database server exposure survey

Litchfield (right), co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses -- TCP port 1433 (SQL Server) and 1521 (Oracle) -- and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.

"Between the two vendors, there are 492,000 database servers out there on the Internet not protected by a firewall. Whilst the number of Oracle servers has very slightly dropped since 2005 when it was estimated there were 140,000, the number of SQL Servers has risen dramatically from 210,000 in 2005," Litchfield warned.

Of the SQL Servers found, more than 80% were running SQL Server 2000 and of those, only 46% were running Service Pack 4, the most recent, and the remainder were running Service Pack 3a or less. "Indeed, 4% were found to be completely unpatched and are vulnerable to the flaw exploited by the Slammer worm as well as an authentication flaw known as the 'Hello bug'," Litchfield added.

Hacker finds 492,000 unprotected database serversOf the unprotected Oracle servers, Litchfield found 13 were running de-supported versions of Oracle that no longer receive patches and are known to be vulnerable to critical vulnerabilities.

"In other words those that can be exploited by an attacker without a username and password and gain full control of the target. Given that it’s not possible to tell whether an Oracle server has been patched or not by looking at its version number it's difficult to draw accurate conclusions about the state of vulnerability with regards to the other servers," he added.

"These findings represent a significant risk: whilst it’s not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information," he warned.

Topics: Hardware, Data Centers, Data Management, Enterprise Software, Oracle, Security, Servers, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments
Log in or register to join the discussion
  • *shakes head*

    Your article says there is the potential. Mate, it's far more than a potential, it's a very common vehicle for drive bys. What's more, as these are servers, well...
    ego.sum.stig
  • You can't protect fools from themselves.

    I don't care what server software you run, it has to be set up to be secure. Anything else is just dumb.
    No_Ax_to_Grind
    • And yet...

      People shake together databases (and other stuff) all the time because [i]"it is so easy to do, and the wizards are so helpful."[/i] Welcome to the world of [i]"it's so easy an American can do it."[/i]

      Now I will run for cover :P
      ego.sum.stig
      • Unfortunately...

        you've hit the nail squarely on the head here. The one single issue I believe Microsoft has contributed directly to more than any other is they've made it APPEAR that people actually know what they are doing. The reason for doing this is pretty clear...the current level of IT talent is woefully inadequate when compared to the demand for that talent. In the mid-90s, Microsoft flooded the amrket with paper MCSEs and we're still seeing the fallout more than a decade later. I would disagree with the assertion that "American" has anything to do with this equation. Microsoft's take on IT seems to be making it so easy an idiot can do it. What we're seeing in the real world is that these things really aren't so easy an idiot can do them.
        jasonp@...
        • I disagree

          I think you put it a little but too simply. I am working as a Chief Security Advisor for Microsoft since years. I am working closely together with our custoemrs on all different levels. If you are lookign at the Security Professionals, I coudl not agree more! They have to know - if they put a server out there that is unprotected and unpatched they shoudl lose their CISSP, CISA, CISM or whatever.
          On the other hand we a millions of mid-sized companies. And they have just a few ITPros - and you all compare them with us being security professionals? Big mistake. Instead of insulting them being stupid and dumb we have to help them to solve the problem.
          Let me add one final statement: There is a comment talking about running XP not as an Admin. This might work for a geek but never for my mom and dad. The reason: The crappy applications that still write in the Program Files folder or HKLM! We added User Accoutn Control to address exact this issue - and what happend? Have you looked at the blog sphere? They want crazzy because of the pop-ups and what ever. This is one of the best features in this area we ever implemented!
          Roger
          http://blogs.technet.com/rhalbheer
          roger.halbheer@...
          • Jason is right. . . kind of.

            Only it is not just Microsoft. Many vendors have touted the ease of administration of their products. Yeah most basic administration tasks are relatively easy. But there is more to administering a system than kepping a check on file space and managing users and access rights.

            Unfortunately, in their push to sell these vendors (mostly intentionally) lead management and end-users into believing that is all there is to IT. So why pay for a true IT person when Joe from the mail room can figure out how to get the thing running for $8/hr.

            Heck, plug the servers and workstations into switches, make sure the modem is plugged into the switch, turn on dhcp, use a public dns server, and away we go!

            What's a firewall? Access Control List? Yes I have a patch on my shirt. It has my name on it. Configuration? I guess it defaulted correctly, I just hit next in the wizard. Everything is working, so it must be right. Oh, yes we are running anti-virus, it installed one when Windows was installed. It keeps asking if I want to subscribe, to a mailing list I think, but I didn't see why besides it cost money.
            TheTinker
          • I disagree (Roger)

            Your message would be clearer and make more sense if you used your spell checker (and grammar checker,if you have one).
            stand3
        • More than on guilty party in this

          Microsoft may own a piece, but they dont own Oracle (yet anyway lol).

          Before any software vendor, we have companies that are simply unwilling to meet the costs of their own data management and IT needs. The "if it worked yesterday it'll work tomorrow, so why should we spend money?" mentality rears it's ugly head before any software product even enters the scene.

          And I've even heard this: "Well we lost a bunch of data.. but we've been running for 3 years without paying those upgrade fees, I think we broke even". Yeah.
          dkloke@...
          • Actually while both Microsoft and Oracle own part of this

            It really comes down to the fact that corporate management doesn't want to spend their budget dollars on IT people to make sure the job is done right. At my company I'm the first IT pro they ever hired. The VP of Marketing was writing the dbase code for a custom app that was years old and they had a guy from accounting writing dbase reports. It worked sort of but the software was inflexible when it came time to upgrade the hardware (that's how I got hired).

            The fact is mid size companies usually run on very tight budgets and are going to do without as long as they possibly can. When the situation gets too deep they finally break down and go out and hire a pro. Then it's back to promoting some guy off the sales floor because he's "good with computers".
            maldain
      • Change American ... to World

        While the World "thinks" they can deliver quality technical people for "cheap" and American corporations are buying into the used car sales pitch...it's just not true. We have foreigner contractor after contractor come in the door and are "paper" qualified - real world hits and they pee in their pants. It's real annoying knowing America is putting it's IT deptartments in their hands...very scary.
        ItsTheBottomLine
    • I think you're right

      Only so much a developer can do to secure his software.

      I think if I was working for Oracle or MS, though, I'd want a few servers directly on the Internet to see how/if they get hacked (doesn't have to be anything important in the DB). Can't think of a quicker way to find security holes.
      John L. Ries
    • Message has been deleted.

      Intellihence
    • There should be higher standards...

      for administrators of these systems. It isn't hard to get the education necessary to get qualified to run Oracle or MS-SQL systems in a secure manner. If any of these systems are dealing with financial or other sensitive information then there should be a legal requirement for them to be administered properly. there oughta be a law.
      burtoni
      • Who is going to create the law?

        These servers could be scattered all over the globe in numerous different countries. Each of those countries would have to enact a law requiring that information to be protected. Also, how many of those servers are honey pots?
        alaniane@...
  • MSDE

    I wonder how many of those are actually unpatched versions of MSDE/SQL Express or some other version of SQL Lite bundled with some application like ACT. Software bloat means this stuff pops up all over the place.
    sordito
    • I'd bet that number would be...

      very, very high. In the 80+% range. MSDE seems to show up in the oddest of places.
      jasonp@...
  • Stupid does what stupid is

    Or a better way of putting it would be "ignorance begets a fa?ade of stupidity."

    There's tremendous ignorance and apathy when it comes to the topic of security... the irony is that many, many "security" problems can be solved by sticking to a few principles, the problem is few people do.

    Take this blog... I read about QuickTime, Mozilla, IE exploits all the time... yet I manage to laugh... why? Because I'm not *stupid enough* to run my desktop applications that connect to the Internet with administrative privileges (how?s this metaphor s3x with strangers all the time without a c0ndom).

    Yet, I find a surprising amount of apathy when I try to enlighten IT people to effectively run Mozilla or IE without administrative privileges... which prevents these applications from being a proxy to all types of malware.

    Better yet, any application launched by the browser would inherit these stunted credentials so many exploits Naraine writes about simply do not work on my desktop.

    If you even care to enlighten yourself:

    http://blogs.technet.com/markrussinovich/archive/2006/03/02/running-as-limited-user-the-easy-way.aspx

    Mark's tool doesn't do any magic. He relies on an API that has been present in Microsoft's Windows product since 2000... what amazes me is that Microsoft never has given people the ability to leverage this "out of the box" tool, e.g., when you create an application shortcut simply ask "Would you like me to remove administrative privileges when launching this application?"

    The biggest issue I have with Mark's tool is that it's a command line tool and "command line" is something that causes you to lose 95% of people.

    Having said that, there's nothing that would stop a Win32 developer from using the CreateRestrictedToken API call and creating a small wrapper application with no application window which does nothing but launch an application with stunted credentials.

    Which goes back to what I was saying, MS should have done this from the get go when Windows 2000 was released.

    Yes people don't come out of the womb knowing this stuff but iterating, it amazes me when even IT professionals I've tried to enlighten on this topic seem to express little interest in the message.

    The principle of "least privilege" is as old as 1960's mainframes. If you're an IT professional and don't read the URL I posted and absorb the principals, you are doing the people you serve a disservice since it falls upon *you* to protect them from their own ignorance.

    I should go write that windowless 10 line wrapper application... in fact... yeah... Naraine's column would become way less interesting... and actually given that Windows Vista by default removes administrative privileges altogether when you operate day to day, a great majority of what is written in Naraine's blog won't work. In particular the "code execution" exploits that modify system files creating all kinds of subterfuge, from keyboard logging to having one's machine usurped and becoming part of a bot net.

    What we will find is that as the Windows XP user base declines as migration to Vista and its derivatives occurs in the coming years code execution exploits will disappear - they will cease to be an effective attack vector.

    Yes there's still application security (cross-site scripting) and keeping patch levels on software that offer "network services" (think SQL databases) up to date but an overwhelmingly amount of malware targets the ignorant user wielding desktop applications with administrative privileges.

    Want to know why the Macintosh platform is largely malware free? I said "largely" not immune, spare me any articles or opinions I'm well versed. Because Apple out of the box doesn't give you a desktop with administrative privileges - what you see here is the principle of "least privilege" at work.

    -M
    betelgeuse68
    • Stupid does what stupid is?

      Beetlejuice, Beetlejuice, Beetlejuice
      aussieblnd@...
  • Why?

    I just have ask why would any one need direct access via the internet to a database? Having firewalls means nothing if you allow access to the database.
    voska
    • Because . . . .

      Our Internet server is outside our firewall. It communicates with our database server inside our firewall via the single standard port of 1433. Our sa account has been disabled and our new admin account has a string password. The account that the web server uses can't do much damage (it could flood us with fake orders but it can't delete data or retrieve data that it shouldn't be able to get).

      According to the story and the survey methodology, we count as unprotected?!? I don't think so!

      I also have to question someone who says that they queried less than 1.2 million RANDOM ip addresses and found almost half a million database servers. Seems more than a little odd to me.
      mwaser