BugTraq
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 10:43AM
Mike Tindor (mtindor 1st net)
In-Reply-To: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>

Michael,

I feel your pain. I've seen the same thing starting at 12:46 AM EST 01-25-2003
at one of our colocation facilities.

I haven't had time to analyze things as of yet - I discovered three
machines, all with activity that started at this same time, all running
Windows 2000 and SQL Server 2000.

It crippled internal connectivity - basically, any machine that actively
had this going on, if we would plug it into a port on an HP4000 switch it
would freeze the switch instantly and then anything on the local network
would suffer.

I'm working on isolating these machines to a local segment and then
putting them back online so that I may see what type of traffic is
generated or received at brief intervals.

I don't know what it is, but it's certainly detrimental to network
performance!

Mike Tindor
FIRST Internet

>Date: Sat, 25 Jan 2003 02:11:41 -0500
>From: Michael Bacarella <mbac (at) netgraft (dot) com [email concealed]>
>To: nylug-talk (at) nylug (dot) org [email concealed], wwwac (at) lists.wwwac (dot) org [email concealed],
> linux-elitists (at) zgp (dot) org [email concealed]
>Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>Message-ID: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>

>
>I'm getting massive packet loss to various points on the globe.
>I am seeing a lot of these in my tcpdump output on each
>host.
>
>02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
>02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
>It looks like there's a worm affecting MS SQL Server which is
>pingflooding addresses at some random sequence.
>
>All admins with access to routers should block port 1434 (ms-sql-m)!
>
>Everyone running MS SQL Server shut it the hell down or make
>sure it can't access the internet proper!
>
>I make no guarantees that this information is correct, test it
>out for yourself!
>
>--
>Michael Bacarella 24/7 phone: 646 641-8662
>Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
>Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
>

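Added example, not part of the original post or of either poster's tooling: a small triage script for tcpdump text in the legacy format quoted above. It flags any source that sends UDP to ms-sql-m (1434) on several distinct hosts and counts the ICMP port-unreachable replies coming back to it. The function name, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump prints either the service name or the bare number for UDP/1434.
MSSQL_PORTS = {"ms-sql-m", "1434"}
IP = r"\d+(?:\.\d+){3}"
UDP_RE = re.compile(rf"^\S+ ({IP})\.[\w-]+ > ({IP})\.([\w-]+): udp (\d+)")
ICMP_RE = re.compile(rf"^\S+ {IP} > ({IP}): icmp: \S+ udp port ([\w-]+) unreachable")

# Constructed sample lines (RFC 5737 documentation addresses, not from the post).
SAMPLE = """\
02:06:31.017088 192.0.2.10.3047 > 198.51.100.7.ms-sql-m: udp 376
02:06:31.017244 198.51.100.7 > 192.0.2.10: icmp: 198.51.100.7 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.018101 192.0.2.10.3047 > 203.0.113.99.1434: udp 376
02:06:31.018950 192.0.2.10.3047 > 198.51.100.200.ms-sql-m: udp 376
02:06:31.020000 192.0.2.55.1025 > 198.51.100.7.ms-sql-m: udp 12
02:06:31.021000 192.0.2.10.3047 > 203.0.113.5.domain: udp 40
"""

def find_scanners(lines, min_targets=3):
    """Return {source_ip: stats} for sources that sent UDP/1434 to at least
    min_targets distinct destination hosts (min_targets is an assumed cutoff)."""
    stats = defaultdict(
        lambda: {"targets": set(), "packets": 0, "sizes": set(), "unreachable": 0}
    )
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            src, dst, port, size = m.groups()
            if port in MSSQL_PORTS:
                entry = stats[src]
                entry["targets"].add(dst)
                entry["packets"] += 1
                entry["sizes"].add(int(size))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) in MSSQL_PORTS:
            # The ICMP error is addressed to the host that sent the UDP probe.
            stats[m.group(1)]["unreachable"] += 1
    return {ip: s for ip, s in stats.items() if len(s["targets"]) >= min_targets}

if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE.splitlines()).items():
        print(f"{ip}: {s['packets']} pkts to {len(s['targets'])} hosts, "
              f"sizes={sorted(s['sizes'])}, unreachable={s['unreachable']}")
```

Lines that a mail client has wrapped, like the ICMP line in the quoted capture, need to be rejoined before they will match.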


 
