Hi All,

On Windows 2003 Server, :frown: one of the most worrying issue is MSSQL SA attack via various IPs. Generally you find failure login events of SA under Event Manager.

The SQLSnake worm (sqlexec.js wrapper) is a form of Digispid.B.Worm , Spida worm as also SQLSpida which builds an ActiveX object containing commands which run via the xp_cmdshell and uses brute-force to crack the SA account of the MSSQL Server. Once logged in as SA, the worm works with admin privileges, giving the attacker the capacity to read, write and modify the data and also run executable codes.

In Microsoft SQL, the webserver uses stored procedures and DLL's to work with the external databases and always calls port 1433 because of which this port can't be disabled. However, Port 1433 can be secured with a firewall. Even though MSSQL listens to all incoming connections on this port by default, it can be configured to use a different port number. Any system which listens to MS-SQL on a different port is secure against any such attack.

TCP port 1433 is generally assigned to Microsoft SQL Database in order to allow queries. This threat may affect all SQL databases that are connected to the Internet. It would not be incorrect to label this as a software flaw, nor would it be incorrect to call it a vulnerability in the usual sense. On quite a few occasions, such attacks happen due to poorly configured basic settings and weak installation procedures which are followed by the administration tasks