Data Management

Half a million enterprise database servers connected directly to the Net

There are nearly half a million enterprise database servers that are connected directly to the Internet, according to U.K.-based security researcher David Litchfield.

Litchfield did a sampling of just over 1 million randomly generated IP addresses, checking if he could access them on the ports normally reserved for either Microsoft SQL Server or Oracle's database.

The results were astounding, according to Computer World UK:

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he wrote in his report, due to be made public next week.
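To make the extrapolation concrete, here is an added example that is not part of the article or of Litchfield's report. It assumes an address population of roughly 2.34 billion, back-solved from the page's own figures (368,000 from 157 hits per million), and attaches a Wilson score interval to the sampled proportion so the uncertainty behind the headline number is visible; the Slammer subsample (4% of 157, about 6 hosts) shows how quickly that uncertainty grows for small hit counts.

```python
import math

# Assumed population size, inferred from the article's numbers:
# 368,000 / (157 / 1,000,000) is about 2.34e9 addresses.
ASSUMED_POPULATION = 2_340_000_000
SAMPLED_ADDRESSES = 1_000_000          # "just over 1 million" in the article


def wilson_interval(hits: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for the proportion hits / n.

    Unlike the naive normal approximation, this stays sensible when the
    proportion is tiny (a few hundred hits in a million probes)."""
    if n <= 0 or hits < 0 or hits > n:
        raise ValueError("need 0 <= hits <= n and n > 0")
    p = hits / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def extrapolate(hits: int, sampled: int, population: int) -> tuple[int, int, int]:
    """Return (point estimate, lower bound, upper bound) for the number of
    hosts in `population` that would answer, given `hits` out of `sampled`."""
    point = round(hits * population / sampled)
    lo, hi = wilson_interval(hits, sampled)
    return point, round(lo * population), round(hi * population)


def slammer_exposed(sql_hits: int, vulnerable_fraction: float,
                    sampled: int, population: int) -> tuple[int, int, int]:
    """Extrapolate the still-Slammer-vulnerable subset: the fraction is
    applied to the sampled hits first (rounded to whole hosts), then the
    much smaller count is extrapolated, widening the interval."""
    vulnerable_hits = round(sql_hits * vulnerable_fraction)
    return extrapolate(vulnerable_hits, sampled, population)


if __name__ == "__main__":
    for name, hits in (("MS SQL Server", 157), ("Oracle", 53)):
        point, lo, hi = extrapolate(hits, SAMPLED_ADDRESSES, ASSUMED_POPULATION)
        print(f"{name}: ~{point:,} exposed (95% interval {lo:,} to {hi:,})")
    point, lo, hi = slammer_exposed(157, 0.04, SAMPLED_ADDRESSES, ASSUMED_POPULATION)
    print(f"Slammer-vulnerable SQL Servers: ~{point:,} ({lo:,} to {hi:,})")
```

The point estimates land within a rounding error of the article's 368,000 and 124,000, while the intervals show that six Slammer-vulnerable hosts in the sample cannot pin the real-world count down to better than a factor of roughly five.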

Even more disturbing, however:

Many of these unprotected databases are also unpatched. In fact, 4% of the SQL Server databases Litchfield found were still vulnerable to the flaw that was exploited by 2003's widespread SQL Slammer worm.

It is worth noting that Litchfield wrote the original proof-of-concept code that was eventually used in the widespread Slammer worm. He observes that this many unsecured databases is enough to sustain another worm outbreak.

Are you one of those folks responsible for the enterprise databases left in the open (unpatched)?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

9 comments
Jaqui

anyone that stupid shouldn't be allowed to live.

jalee1011

:) love the plain simple truth about your words jaqui!

Jaqui

usually when I say kill them all ]:) I have a low opinion of people about things this stupid, so I would literally kill them off. [ have to clean the gene pool ]

The Listed 'G MAN'

although the radar was not set to only stupidity in that case. I would just fire and ban them from using any technology.

paulmah

What is your opinion of the above situation?

Tony Hopkinson

with all options loaded and then just plugged in? Can't say I'm mad keen on database servers being directly accessible myself. It would have been interesting to see port exposed vs unsecured though.

Michael Kassner

According to the article, the researcher only found 157 vulnerable SQL servers. I am not sure how the final number was resolved other than by estimation. Is that a valid recourse? I am not really understanding the methodology.

Tony Hopkinson

Generally Unbelievable Extrapolation of Sh*t Statistics. Otherwise known as vendor sales claims.

Tig2

Until then, all you have are "d@mn lies". I'm with Michael. I don't see the methodology and want to know how 157 was extrapolated to the final number. I CAN think of many reasons why a company would not apply a patch, however. And all of those reasons are valid. But not sitting behind a firewall? Not so much. What I DO see companies doing is establishing layered defenses that would (hopefully) insure against deep level penetration. They are more actively seeking solutions to keep their data private. They are thinking about how the infrastructure MUST be established in order to protect critical systems. Personally, I think that a whole lot of this is "disasterized" information. EVERYTHING looks bad when you want it to.