BugTraq
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Jan 25 2003 11:23AM
Carlos Eduardo Vianna (cvianna stech net br)
In-Reply-To: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>
Michael,
You're correct. We started to get flooded at 03:00 AM (now it's 09:20 am down here), and found the solution about 30 min after: shutting down all W2K SQLs. Now we have all 1434 and 1433 blocked. 1433 seems to be important too.
Please check this:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
We had trouble downloading the patch.. too busy. I got it now, and made a mirror. Please feel free to get it and patch your SQL 2k.
http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE
Regards
Carlos Eduardo Vianna - cvianna (at) stech.net (dot) br [email concealed]
SouthTech Internet DataCenter
http://www.stech.net.br/
>Received: (qmail 1867 invoked from network); 25 Jan 2003 08:39:23 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 25 Jan 2003 08:39:23 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id A5DACA30A5; Sat, 25 Jan 2003 00:59:36 -0700 (MST)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 28308 invoked from network); 25 Jan 2003 07:06:20 -0000
>Date: Sat, 25 Jan 2003 02:11:41 -0500
>From: Michael Bacarella <mbac (at) netgraft (dot) com [email concealed]>
>To: nylug-talk (at) nylug (dot) org [email concealed], wwwac (at) lists.wwwac (dot) org [email concealed],
> linux-elitists (at) zgp (dot) org [email concealed]
>Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>Message-ID: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>User-Agent: Mutt/1.2.5i
>Resent-From: mbac (at) romulus.netgraft (dot) com [email concealed]
>Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
>Resent-To: bugtraq (at) securityfocus (dot) com [email concealed]
>Resent-Message-Id: <20030125071254.1B3F7681AD (at) romulus.netgraft (dot) com [email concealed]>
>
>I'm getting massive packet loss to various points on the globe.
>I am seeing a lot of these in my tcpdump output on each host.
>
>02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
>02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
>It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence.
>
>All admins with access to routers should block port 1434 (ms-sql-m)!
>
>Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!
>
>I make no guarantees that this information is correct, test it out for yourself!
>
>--
>Michael Bacarella 24/7 phone: 646 641-8662
>Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
>Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
>
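Detection logic for the traffic pattern the quoted tcpdump output shows, added here as an example that is not part of either post: it parses tcpdump lines in the same format, flags 376-byte UDP datagrams aimed at port 1434 (ms-sql-m) and counts them per source, so an operator can confirm a flood before adding the router block the posts recommend. The sample capture, the documentation-range addresses and the alert threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the tcpdump output quoted above; the first two
# lines are modelled on the post's own, the rest use documentation-range addresses.
SAMPLE_TCPDUMP = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.021500 198.51.100.7.1029 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.030112 198.51.100.7.1029 > 24.193.37.213.ms-sql-m: udp 376
02:06:31.040550 203.0.113.9.53211 > 24.193.37.212.domain: udp 44
02:06:31.050903 198.51.100.7.1029 > 24.193.37.214.1434: udp 376
"""

# A UDP line of the form "<time> <src>.<sport> > <dst>.<dport>: udp <len>"
UDP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+):\s+udp\s+(?P<length>\d+)$"
)

# tcpdump prints udp/1434 as "ms-sql-m" unless run with -n; the post shows 376-byte datagrams.
SQL_MONITOR_PORTS = {"ms-sql-m", "1434"}
WORM_PAYLOAD_LEN = 376

def parse_udp_line(line):
    """Return the fields of a UDP tcpdump line, or None for anything else (ICMP etc.)."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["length"] = int(fields["length"])
    return fields

def is_worm_like(fields):
    """True for a 376-byte UDP datagram aimed at port 1434."""
    return fields["dport"] in SQL_MONITOR_PORTS and fields["length"] == WORM_PAYLOAD_LEN

def count_worm_sources(text):
    """Count matching datagrams per source address over a whole capture."""
    hits = Counter()
    for line in text.splitlines():
        fields = parse_udp_line(line)
        if fields and is_worm_like(fields):
            hits[fields["src"]] += 1
    return hits

def sources_to_block(text, threshold=2):
    """Sources with at least `threshold` hits: candidates for a router filter (threshold is assumed)."""
    return sorted(src for src, n in count_worm_sources(text).items() if n >= threshold)
```

Run against a live capture (`tcpdump udp port 1434`) the same parser works line by line; the ICMP "port unreachable" replies in the post are skipped since they come from the victim, not the source.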
Copyright 2010, SecurityFocus