I think this is a low number, actually. David Litchfield surveyed a million IP addresses and attempted to find open MS SQL Server and open Oracle server ports. Litchfield found 157 SQL Servers and 53 Oracle servers, then did some math to extrapolate out to the half-million number.
Here is why I think this number is low. I would be willing to bet there are a lot more MySQL servers deployed than MS SQL or Oracle for internet-based apps. I have no data to back that up; it is just a gut feeling of mine. I do think the MS SQL Server numbers might be skewed a bit by people with MS SQL Server Developer Edition installed on their home machines. While this is still not good from a worm-propagation standpoint, it is not likely these machines have treasure troves of data.
Who needs SQL injection vulnerabilities when you can still talk directly to the database server? Come on, people, wake up! You are making this far too easy on the bad guys!
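As an added example (not the author's or Litchfield's code), here is a small audit that takes the output of `ss -tln` on a Linux host and flags MS SQL Server, Oracle and MySQL listeners bound to anything other than a loopback address. The `ss` output embedded below is constructed for the example, and the port-to-product mapping assumes the default ports (1433, 1521, 3306); a server on a non-default port will not be flagged. It checks only the bind address, not what a firewall in front of the host permits, so a listener bound to all interfaces is a candidate for exposure rather than proof of it.

```python
"""Flag database servers listening on non-loopback addresses.

Added example for this post. Parses `ss -tln` output (Linux) and reports
MS SQL Server, Oracle and MySQL listeners that are bound to something other
than loopback, i.e. reachable from the network if nothing upstream blocks them.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Tuple

# Default ports for the products discussed in the post (assumption: defaults only).
DB_PORTS: Dict[int, str] = {
    1433: "MS SQL Server",
    1521: "Oracle TNS listener",
    3306: "MySQL",
}

# Constructed sample of `ss -tln` output for offline use (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:1433         0.0.0.0:*
LISTEN  0       128     [::]:1521            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::1]:5432           [::]:*
"""

# "Local Address:Port" is either "[v6addr]:port" or "v4addr:port" (or "*:port").
LOCAL_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for the LISTEN rows of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something other than a listening socket
        m = LOCAL_ADDR_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") or m.group("v4")
        addr = addr.split("%")[0]  # drop a scope/interface suffix such as "127.0.0.53%lo"
        listeners.append((addr, int(m.group("port"))))
    return listeners


def is_loopback_only(addr: str) -> bool:
    """True only when the socket is bound to a loopback address.

    "*", "0.0.0.0" and "::" mean all interfaces; anything unparseable is
    treated as non-loopback so that it is reported rather than silently skipped.
    """
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_db_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Database listeners (by default port) bound beyond loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in DB_PORTS and not is_loopback_only(addr):
            findings.append({"product": DB_PORTS[port], "address": addr, "port": port})
    return findings


def audit_local_host() -> List[Dict[str, object]]:
    """Run `ss -tln` on this host and return its exposed database listeners."""
    out = subprocess.run(["ss", "-tln"], capture_output=True, text=True, check=True).stdout
    return exposed_db_listeners(out)


if __name__ == "__main__":
    for f in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['product']} on {f['address']}:{f['port']} is bound beyond loopback")
```

On the constructed sample this reports the MS SQL listener on 0.0.0.0 and the Oracle listener on [::], and stays quiet about MySQL because it is bound to 127.0.0.1. Run `audit_local_host()` on a real box to check your own listeners; anything it reports should either be firewalled off or rebound to a private interface.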
