BugTraq
MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 07:11AM
Michael Bacarella (mbac netgraft com) (4 replies)
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 12:07PM
cstone (cstone pobox com)
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 10:04AM
Tom Kyle (tom eos umsl edu)
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 10:01AM
Ed Blanchfield (Ed E-Things Org)
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Jan 25 2003 09:17AM
Geoff Shively (gshively pivx com)
Just to affirm this data, several of our servers are trapping the same
packet(s). This worm has gained much power in a small amount of time and
once again, has hit overnight and on a weekend. It is important that we
raise immediate awareness relating to this worm that we have internally
dubbed 'SQ_Hell'. It seemingly stems from this advisory by NGSSoftware Insight
Security: http://www.nextgenss.com/advisories/mssql-udp.txt

"Microsoft's database server SQL Server 2000 exhibits two buffer overrun
vulnerabilities that can be exploited by a remote attacker without ever
having to authenticate to the server."

Additional Data:
Qh.dllhel32hkernQhounthickChGeTf.llQh32.dhws2_f.etsockf.to.Qhsend

Cheers,
Geoff Shively, CHO
PivX Solutions

http://www.pivx.com

----- Original Message -----
From: "Michael Bacarella" <mbac (at) netgraft (dot) com>
To: <nylug-talk (at) nylug (dot) org>; <wwwac (at) lists.wwwac (dot) org>;
<linux-elitists (at) zgp (dot) org>
Sent: Friday, January 24, 2003 11:11 PM
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
>
> --
> Michael Bacarella 24/7 phone: 646 641-8662
> Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
> Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
>
>
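
An added example, not part of the original messages: a small Python filter for tcpdump text output in the format quoted above, listing source addresses that send 376-byte UDP datagrams to port 1434 (ms-sql-m) on several distinct hosts. The sample lines after the first two, the function name and the min_targets threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the capture quoted in the post; the rest are constructed.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020101 150.140.142.17.3047 > 24.193.37.213.1434: udp 376
02:06:31.020340 150.140.142.17.3047 > 24.193.40.9.ms-sql-m: udp 376
02:06:31.031000 192.0.2.10.1045 > 192.0.2.20.ms-sql-m: udp 1
02:06:31.040000 192.0.2.10.1046 > 192.0.2.53.domain: udp 376
"""

# time, src ip, src port, dst ip, dst port (name or number), UDP payload length
LINE = re.compile(
    r"^(\S+) (\d+(?:\.\d+){3})\.([\w-]+) > (\d+(?:\.\d+){3})\.([\w-]+): udp (\d+)\b"
)
PORT_NAMES = {"ms-sql-m", "1434"}  # tcpdump prints the service name unless run with -n
PAYLOAD_LEN = 376                  # datagram size seen in the quoted capture


def suspected_sources(text, min_targets=2):
    """Return {source_ip: sorted destination IPs} for hosts that sent
    376-byte UDP datagrams to port 1434 on at least min_targets hosts."""
    targets = defaultdict(set)
    for raw in text.splitlines():
        # Accept lines pasted from a quoted e-mail ("> " prefix) as well.
        m = LINE.match(raw.lstrip("> ").strip())
        if not m:
            continue  # ICMP replies, TCP, wrapped or truncated lines
        _time, src, _sport, dst, dport, length = m.groups()
        if dport in PORT_NAMES and int(length) == PAYLOAD_LEN:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in suspected_sources(SAMPLE).items():
        print(f"{src} sent {PAYLOAD_LEN}-byte UDP/1434 datagrams to {len(dsts)} hosts")
```

A source on your own network in this list is a host to isolate and check for an exposed SQL Server; an external source is a candidate for the port 1434 filter the post asks for.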
