Re: [SLUG] Fw: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Ian C. Blenke (ian@blenke.com)
Date: Sat Jan 25 2003 - 15:42:58 EST


It had quite an impact last night:

        http://average.matrix.net/

Folks really should know better than to leave *any* ports open
publicly facing, particularly SQL. *Everything* has been exploited at
some point or another: Microsoft's poor track record notwithstanding.

- Ian

On Sat, Jan 25, 2003 at 08:41:32AM -0500, Robert Foxworth wrote:
> Forwarded FYI. This is an internet-vulnerability advisory, not a
> 'microsoft posting' as some of you might be affected by this. There
> are other postings but this will do
>
> -------------------
> ----- Original Message -----
> From: "Mike Tindor" <mtindor@1st.net>
> To: <bugtraq@securityfocus.com>
> Sent: Saturday, January 25, 2003 05:43
> Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>
>
> > In-Reply-To: <20030125021141.A23211@romulus.netgraft.com>
> >
> > Michael,
> >
> > I feel your pain. I've seen the same thing starting at 12:46 AM EST
> > 01-25-2003 at one of our colocation facilities.
> >
> > I haven't had time to analyze things as of yet - I discovered three
> > machines, all with activity that started at this same time, all running
> > Windows 2000 and SQL Server 2000.
> >
> > It crippled internal connectivity - basically, any machine that actively
> > had this going on, if we would plug it into a port on an HP4000 switch it
> > would freeze the switch instantly and then anything on the local network
> > would suffer.
> >
> > I'm working on isolating these machines to a local segment and then
> > putting them back online so that I may see what type of traffic is
> > generated or received at brief intervals.
> >
> > I don't know what it is, but it's certainly detrimental to network
> > performance!
> >
> > Mike Tindor
> > FIRST Internet
>
> > > >Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> > >
> > >I'm getting massive packet loss to various points on the globe.
> > >I am seeing a lot of these in my tcpdump output on each
> > >host.
> > >
> > >02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> > >02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
> > >
> > >It looks like there's a worm affecting MS SQL Server which is
> > >pingflooding addresses at some random sequence.
> > >
> > >All admins with access to routers should block port 1434 (ms-sql-m)!
> > >
> > >Everyone running MS SQL Server shut it the hell down or make
> > >sure it can't access the internet proper!
> > >
> > >I make no guarantees that this information is correct, test it
> > >out for yourself!
> > >
> > >--
> > >Michael Bacarella 24/7 phone: 646 641-8662
> > >Netgraft Corporation http://netgraft.com/
>
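
The tcpdump lines quoted in the thread show one source sending UDP to ms-sql-m (port 1434) on other hosts. The following is an added example, not part of the original thread: it reads tcpdump text output in that same format and lists sources that hit port 1434 on many distinct addresses. The sample lines, the documentation-range addresses and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line, as in the quoted capture:
#   "time src.sport > dst.dport: udp LEN"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): udp (?P<len>\d+)"
)
# tcpdump prints either the number or the resolved service name.
MSSQL_MONITOR_PORTS = {"1434", "ms-sql-m"}

# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE = [
    "02:06:31.017088 192.0.2.10.3047 > 198.51.100.7.ms-sql-m: udp 376",
    "02:06:31.017301 192.0.2.10.3047 > 203.0.113.20.1434: udp 376",
    "02:06:31.017544 192.0.2.10.3047 > 203.0.113.9.ms-sql-m: udp 376",
    "02:06:31.018002 198.51.100.7 > 192.0.2.10: icmp: 198.51.100.7 udp port ms-sql-m unreachable",
    "02:06:32.100000 192.0.2.77.1050 > 198.51.100.7.ms-sql-m: udp 10",
    "02:06:32.200000 192.0.2.50.1029 > 198.51.100.53.domain: udp 33",
]

def scanning_sources(lines, min_targets=3):
    """Return {source_ip: distinct_destination_count} for hosts that sent
    UDP to port 1434 on at least min_targets different addresses."""
    targets = defaultdict(set)
    for line in lines:
        # Tolerate mail quoting ("> > >") in front of pasted capture lines.
        m = LINE_RE.match(line.strip().lstrip("> "))
        if m and m.group("dport") in MSSQL_MONITOR_PORTS:
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, count in scanning_sources(SAMPLE).items():
        print(f"{src} sent UDP/1434 to {count} distinct hosts: isolate and inspect")
```

A single client querying one SQL Server on port 1434 stays below the threshold; only the fan-out pattern is reported.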


