THE SQL Server Blog Spot on the Web


Denis Gobo

Hacker finds 492,000 unprotected Oracle, SQL Server database servers

Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses — TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.

Of the SQL Servers found, more than 80% were running SQL Server 2000 and of those, only 46% were running Service Pack 4, the most recent, and the remainder were running Service Pack 3a or less.

Wow, that is just terrible, people are asking to be punished.


Read the complete article here:



Published Thursday, November 15, 2007 12:38 PM by Denis Gobo



Peter W. DeBetta said:

I was going to write about this :-P

November 15, 2007 1:22 PM

Denis Gobo said:

Sorry  ;-(

November 15, 2007 1:24 PM

Peter W. DeBetta said:

No worries. I'm happy to see other people are also security minded!

November 15, 2007 1:38 PM

Denis Gobo said:

Well our DBs are behind 2 firewalls and only a certain 10.240.... range can get to them from within the DMZ  :-)

I guess this open access happens when the database and the web server are on the same box; in that case people should change at least the default port number on the SQL instance.

November 15, 2007 1:42 PM

Vikash said:

How can we ensure that our servers are safe and unhackable...

November 17, 2007 6:14 AM

John Saunders said:

Apparently, the ZDNet article is incomplete and misleading. The full article is here:


Litchfield pinged over 1 million randomly generated IP addresses, checking to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database, according to the report.

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he says in the study.

November 17, 2007 9:42 PM
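The extrapolation described in the comment above can be checked for how much uncertainty 157 and 53 hits actually carry. This is an added example, not code from the post or from the study; the per-hit multiplier is an assumption back-derived from the figures quoted on this page, because the Internet population estimate Litchfield used is not given here.

```python
import math

SAMPLE_SIZE = 1_160_000  # addresses scanned, as quoted in the post


def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a proportion hits/n.

    Preferred over the plain normal approximation when the
    proportion is tiny, as it is here (about 1 in 7,400).
    """
    p = hits / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return center - half, center + half


def extrapolate(hits, published_estimate, n=SAMPLE_SIZE):
    """Scale the interval on the sample up to the published headline figure.

    Assumption: scale = published_estimate / hits, i.e. the multiplier
    implied by the quoted numbers, not a value stated in the study.
    """
    scale = published_estimate / hits
    low, high = wilson_interval(hits, n)
    return round(low * n * scale), round(high * n * scale)


def report():
    # Hit counts and headline estimates as quoted on this page.
    return {
        "SQL Server": extrapolate(157, 368_000),
        "Oracle": extrapolate(53, 124_000),
    }


if __name__ == "__main__":
    for product, (low, high) in report().items():
        print(f"{product}: between {low:,} and {high:,} servers (95% interval)")
```

The interval covers sampling error only; any error in the assumed size of the Internet moves both bounds proportionally.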

About Denis Gobo

I was born in Croatia in 1970, when I was one I moved to Amsterdam (and yes Ajax is THE team in Holland) and finally in 1993 I came to the US. I have lived in New York City for a bunch of years and currently live in Princeton, New Jersey with my wife and 3 kids. I work for Dow Jones as a Database architect in the indexes department, one drawback: since our data goes back all the way to May 1896 I cannot use smalldates ;-( I have been working with SQL Server since version 6.5 and compared to all the other bloggers here I am a n00b. Some of you might know me from or even from some of the newsgroups where I go by the name Denis the SQL Menace. If you are a Tek-Tips user then you might know me by the name SQLDenis; I am one of the guys answering SQL Questions in the SQL Programming forum.
