Given the number of attacks reported on mssql, and the data I gathered over the last weeks, I decided to have a look on it.
The Tabular Data Stream protocol, which is used by MSSQL Server, provides fields to have the client telling the server his hostname, which application is accessing the database, using which driver. As dionaea can understand the protocol, I decided to log this data as well.
| host | hostname | application | driver |
|---|---|---|---|
| 122.228.157.82 | BESTTONE | .Net SqlClient Data Provider | .Net SqlClient Data Provider |
| 219.139.33.67 | BXP-4A082E5C0A3 | ODBC | |
| 222.133.189.12 | SVCTAG-8GKDF2X | .Net SqlClient Data Provider | .Net SqlClient Data Provider |
| 58.19.246.245 | DYSKW | ODBC | |
| 93.124.98.227 | CL4Q0HYV3TDVVX0 | ODBC | |
| 93.84.176.193 | SCORPIONS | ODBC |
fingerprints.sql
As you can see, I did not have that many hosts accessing my mssql service, 6 hosts, thats pretty much nothing.
As the authentication is more or less plaintext, it is easy to log usernames & passwords.
| no. logins | username |
|---|---|
| 2244 | sa |
| 347 | root |
usernames.sql
I was surprised to see there were only two different usernames, but sa seems to be a 'good default' to use.
I've had 1796 different passwords (passwordcount.sql) which were used to login. The popularity of passwords was not surprising at all:
| no. of logins | password |
|---|---|
| 21 | |
| 17 | 123 |
| 13 | sa |
| 13 | system |
| 11 | 1234 |
passwords.sql
I wanted to know which username received more love,
| no. logins | username | no. passwords |
|---|---|---|
| 2244 | sa | 1795 |
| 347 | root | 346 |
userlove.sql
User sa got the lead with more logins and more passwords.
The commands dionaea received were basically … a single command, for all logins.
| count | command |
|---|---|
| 2465 | exec sp_server_info 1 exec sp_server_info 2 exec sp_server_info 500 select 501,NULL,1 where 'a'='A' select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id set textsize 2147483647 set arithabort on |
sqlcommands.sql
I guess they stop exploitation, as dionaea is not able to parse the sql command and compile a proper reply … but as there is only this single query, maybe compile a default reply for this single query ….
I wanted to check if all hosts had similar number of passwords used:
| host | no. of passwords |
|---|---|
| 93.124.98.227 | 1777 |
| 93.84.176.193 | 191 |
| 219.139.33.67 | 59 |
| 58.19.246.245 | 38 |
| 122.228.157.82 | 4 |
| 222.133.189.12 | 4 |
hostslove.sql
There was one host, taking the lead, and some others doing something.
So, summarizing, it is a limited number of hosts running bruteforce attacks on a large number of hosts.
| date hour | attacker | attacks |
|---|---|---|
| 2010-08-26 15 | 218.30.64.254 | 8 |
| 2010-08-27 13 | 211.154.135.19 | 2 |
| 2010-08-27 23 | 93.97.222.84 | 327 |
| 2010-08-28 10 | 93.124.79.81 | 176 |
| 2010-08-29 12 | 219.139.33.67 | 33 |
| 2010-08-29 16 | 219.139.33.67 | 37 |
| 2010-08-29 18 | 58.19.246.245 | 76 |
| 2010-08-29 19 | 219.139.33.67 | 74 |
| 2010-08-29 22 | 219.139.33.67 | 75 |
| 2010-08-29 23 | 58.19.246.245 | 60 |
| 2010-08-30 02 | 219.139.33.67 | 99 |
| 2010-08-30 05 | 219.139.33.67 | 99 |
| 2010-08-30 05 | 222.133.189.12 | 4 |
| 2010-08-30 08 | 222.133.189.12 | 4 |
| 2010-08-31 13 | 93.124.98.227 | 65 |
| 2010-08-31 14 | 93.124.98.227 | 1016 |
| 2010-08-31 15 | 93.124.98.227 | 824 |
| 2010-08-31 16 | 93.124.98.227 | 343 |
| 2010-09-01 00 | 93.84.176.193 | 197 |
| 2010-09-01 04 | 122.228.157.82 | 4 |
| 2010-09-01 23 | 122.228.157.82 | 4 |
| 2010-09-02 19 | 122.228.157.82 | 4 |
| 2010-09-03 05 | 122.228.157.82 | 4 |
thatsit.sql
Thats it.
In case you want to check your own data, here are the queries I used. If you feel I'm wrong, post your results in the comments, you can use the dokuwiki syntax
SELECT remote_host, mssql_fingerprint_hostname, mssql_fingerprint_appname, mssql_fingerprint_cltintname FROM mssql_fingerprints NATURAL JOIN connections WHERE local_port = 1433 GROUP BY remote_host, mssql_fingerprint_hostname, mssql_fingerprint_appname, mssql_fingerprint_cltintname;
SELECT COUNT(*), login_username FROM logins GROUP BY login_username ORDER BY COUNT(*) DESC;
SELECT COUNT(DISTINCT login_password) FROM logins;
SELECT COUNT(*), login_password FROM logins GROUP BY login_password ORDER BY COUNT(*) DESC LIMIT 5;
SELECT COUNT(*), login_username, COUNT(DISTINCT login_password) FROM logins GROUP BY login_username ORDER BY COUNT(*) DESC;
SELECT COUNT(*), mssql_command_cmd FROM mssql_commands GROUP BY mssql_command_cmd;
SELECT remote_host, COUNT(DISTINCT login_password) FROM connections NATURAL JOIN logins WHERE local_port = 1433 GROUP BY remote_host ORDER BY COUNT(DISTINCT login_password) DESC;
SELECT strftime('%Y-%m-%d %H',connection_timestamp,'unixepoch','localtime') AS date, remote_host AS attacker, count(*) AS attacks FROM connections WHERE connection_protocol = 'mssqld' AND connection_type = 'accept' GROUP BY strftime('%Y-%m-%d %H',connection_timestamp,'unixepoch','localtime'), remote_host ORDER BY date ASC;
[…] 2010:09:11:mssql_attacks_examined [carnivore news] […]