BugTraq
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Jan 25 2003 10:44AM
Byron Morton (byron port1500 org)
In-Reply-To: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>
This is indeed happening widely tonight. Some of the
client machines here have been hit as their boxes were
not patched up properly. We have firewalled access and
have brought our core switches online again after a
brief interruption where the traffic here got up to a
little over 110Mbits/s. The switches simply went into
failover. The good news is that it is not autonomous,
so you can control access through port filtering until
the patches are applied.
The UDP D.O.S. attack: (Random snippets from logs)
PROTO=UDP SPT=1518 DPT=1434
PROTO=UDP SPT=1032 DPT=1434
PROTO=UDP SPT=1077 DPT=1434
PROTO=UDP SPT=4319 DPT=1434
/b
>Received: (qmail 1867 invoked from network); 25 Jan 2003 08:39:23 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 25 Jan 2003 08:39:23 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id A5DACA30A5; Sat, 25 Jan 2003 00:59:36 -0700 (MST)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 28308 invoked from network); 25 Jan 2003 07:06:20 -0000
>Date: Sat, 25 Jan 2003 02:11:41 -0500
>From: Michael Bacarella <mbac (at) netgraft (dot) com [email concealed]>
>To: nylug-talk (at) nylug (dot) org [email concealed], wwwac (at) lists.wwwac (dot) org [email concealed],
> linux-elitists (at) zgp (dot) org [email concealed]
>Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>Message-ID: <20030125021141.A23211 (at) romulus.netgraft (dot) com [email concealed]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>User-Agent: Mutt/1.2.5i
>Resent-From: mbac (at) romulus.netgraft (dot) com [email concealed]
>Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
>Resent-To: bugtraq (at) securityfocus (dot) com [email concealed]
>Resent-Message-Id: <20030125071254.1B3F7681AD (at) romulus.netgraft (dot) com [email concealed]>
>
>I'm getting massive packet loss to various points on the globe.
>I am seeing a lot of these in my tcpdump output on each
>host.
>
>02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
>02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
>It looks like there's a worm affecting MS SQL Server which is
>pingflooding addresses at some random sequence.
>
>All admins with access to routers should block port 1434 (ms-sql-m)!
>
>Everyone running MS SQL Server shut it the hell down or make
>sure it can't access the internet proper!
>
>I make no guarantees that this information is correct, test it
>out for yourself!
>
>--
>Michael Bacarella 24/7 phone: 646 641-8662
>Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
>Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
>
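Both posts above point at the same two artefacts a defender has to hand during an event like this: netfilter-style firewall log lines ("PROTO=UDP SPT=1518 DPT=1434") and tcpdump summaries ("... > 24.193.37.212.ms-sql-m: udp 376"). The script below is an added example, not code from either post or from SecurityFocus; it parses both formats, counts UDP datagrams aimed at port 1434 per source address, records the payload sizes seen (the quoted tcpdump line shows a 376-byte datagram), and lists the sources that exceed a threshold so they can be fed into the port filtering Byron Morton describes. The SRC=/DST=/LEN= fields, the hosts 198.51.100.7 and 203.0.113.9, the threshold of 2 and all function names are my own constructed assumptions; the SPT/DPT pairs and the tcpdump lines are the ones quoted in the thread.

```python
"""Count UDP traffic to port 1434 (ms-sql-m) in firewall and tcpdump logs.

Added example for the BugTraq thread, not code from the posts themselves.
"""
import re
from collections import Counter

MS_SQL_M = 1434                          # UDP port of SQL Server's resolution service
SERVICE_PORTS = {"ms-sql-m": MS_SQL_M}   # tcpdump prints service names, not numbers
IP_UDP_HEADERS = 20 + 8                  # bytes to subtract from a netfilter LEN= (assumes no IP options)

# tcpdump UDP summary, e.g. "02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376"
TCPDUMP_UDP_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<payload>\d+)"
)
# netfilter LOG key=value fields such as "PROTO=UDP SPT=1518 DPT=1434"
KV_RE = re.compile(r"(\w+)=(\S*)")


def _port(name):
    """Turn a numeric port string or a tcpdump service name into an int."""
    return SERVICE_PORTS.get(name) or int(name)


def parse_line(line):
    """Return {src, sport, dst, dport, payload} for a UDP record, else None.

    Understands the two formats quoted in the thread. ICMP port-unreachable
    replies from the victim and non-UDP firewall records are skipped.
    """
    m = TCPDUMP_UDP_RE.match(line)
    if m:
        return {"src": m["src"], "sport": _port(m["sport"]),
                "dst": m["dst"], "dport": _port(m["dport"]),
                "payload": int(m["payload"])}
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "UDP" or "SPT" not in fields or "DPT" not in fields:
        return None
    length = fields.get("LEN")              # IP total length, when the rule logged it
    return {"src": fields.get("SRC", "?"), "sport": int(fields["SPT"]),
            "dst": fields.get("DST", "?"), "dport": int(fields["DPT"]),
            "payload": int(length) - IP_UDP_HEADERS if length else None}


def summarize(lines, port=MS_SQL_M):
    """Count UDP datagrams to `port` per source address and by payload size."""
    per_source, sizes, total = Counter(), Counter(), 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] != port:
            continue
        total += 1
        per_source[rec["src"]] += 1
        if rec["payload"] is not None:
            sizes[rec["payload"]] += 1
    return {"total": total, "per_source": per_source, "payload_sizes": sizes}


def flagged_sources(lines, threshold=2, port=MS_SQL_M):
    """Sources that sent at least `threshold` datagrams to `port`, busiest first.

    The threshold is a constructed value for the sample data; in practice it is
    set from the site's normal rate of ms-sql-m traffic, which is usually zero
    at the border.
    """
    counts = summarize(lines, port)["per_source"]
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log. The SPT/DPT values and the two tcpdump lines are the
# ones quoted in the thread; SRC/DST/LEN fields and the documentation-range hosts
# 198.51.100.7 and 203.0.113.9 are made up for the example.
SAMPLE_LOG = """\
Jan 25 02:06:31 fw kernel: IN=eth0 OUT= SRC=150.140.142.17 DST=24.193.37.212 LEN=404 PROTO=UDP SPT=1518 DPT=1434
Jan 25 02:06:31 fw kernel: IN=eth0 OUT= SRC=150.140.142.17 DST=24.193.37.212 LEN=404 PROTO=UDP SPT=1032 DPT=1434
Jan 25 02:06:32 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=24.193.37.212 LEN=404 PROTO=UDP SPT=1077 DPT=1434
Jan 25 02:06:32 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=24.193.37.212 LEN=60 PROTO=TCP SPT=4319 DPT=80
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.020000 203.0.113.9.1433 > 24.193.37.212.1434: udp 376
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    report = summarize(lines)
    print(f"{report['total']} UDP datagrams to port {MS_SQL_M}")
    for src, n in report["per_source"].most_common():
        print(f"  {src:<16} {n}")
    print("payload sizes seen:", dict(report["payload_sizes"]))
    print("sources over threshold:", flagged_sources(lines))
```

Point it at a real netfilter log or a `tcpdump -n udp port 1434` capture one line at a time; the per-source counts are what you want before adding a deny rule for UDP/1434 at the border, and the payload-size histogram tells you whether the traffic is uniform, as the quoted tcpdump line suggests, or a mix of legitimate SQL Server browser queries.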
Copyright 2010, SecurityFocus