In-Reply-To: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>

We can confirm it here in Toronto, Canada. Even though the effect was

minimal to us, we saw many major networks dissappear on the Internet.

The effect is like a LAN denial of service attack. The requests are

distributed over port 1434 UDP to multicast addresses. If the multicast

on the router is enabled, this can multiply the effect to WAN.

You have to patch your MS-SQL Server to the highest service pack.

But, here is the funny thing, we had a MS-Project Server 2002 installed

on a test machine with MSDE running. There is no service pack 3 for MSDE

2000 yet, but there is a hotfix to solve the problem.

That hotfix requires service pack 2. When we tried to install service

pack 2 for MSDE, it gave an error. On the Microsoft web site, it says

that SOME! of the MSDE installations require the service pack 2 to be

installed only from an update CD but not from the Internet.

I think it's going to be a while for all the networks to install these

patches properly to stop these attack.

Meanwhile I also recommend the sys admins to block the outgoing

1434TCP/UDP as well. Incoming blocking might protect some of your servers

but if you are already effected, at least try to contain this in your LAN

by blocking the outgoing ports.

I hope someone will reverse engineer this worm and tell us exactly what

it did.

Umit

>It looks like there's a worm affecting MS SQL Server which is

>pingflooding addresses at some random sequence.

>

>All admins with access to routers should block port 1434 (ms-sql-m)!

>

>Everyone running MS SQL Server shut it the hell down or make

>sure it can't access the internet proper!

>

>I make no guarantees that this information is correct, test it

>out for yourself!

[ reply ]