Rockster (Brisbane AU) | reply to Link Logger
Re: New Worm - UDP 1434 - SQL Server Monitor?? Got my first hit on that port over two hours ago and so far have had around 150!
That maxed out my alert window (500) and I've only been online 10 hours.

Mark (Phoenix, AZ) | reply to Link Logger
From what I'm hearing, it's a bigger, nastier code red/nimda that infects mySQL instead of IIS.

| reply to an0n
Adding a filter to deny on that port wouldn't be a bad idea. I just checked my logs and noticed some attempts on my system on UDP 1434.
Nice quick info here ;~) thx

Marilla (Belpre, OH) | reply to Link Logger
Okay.. so.. question:
I have a server co-located somewhere with SQL Server on it. I'm not 100% sure, but I believe I am patched for this.. if anyone knows, was the patch(es) for this included in SQL2000 SP2?
At any rate, another thing: The default port to connect to SQL server is 1433, and then the monitor server port is 1434. If I'm not mistaken, it's possible to remove/disable the monitor service so that the server will NOT enumerate instances of SQL Server running? I recall such an option, and I recall doing it... is that what this is that runs on 1434?
Also, though, I have changed the port by which connections are made to that instance of SQL server itself to something other than 1433... if the Monitor service is not what I'm thinking... well.. err.. hehe.
Just a bit worried.. and since I can't connect to the thing at all to see... I dunno!

| reply to Rockster
Glad to see I'm not alone!! I've been hit about 200 times since it started...

Craig3281 (North Palm Beach, FL) | reply to Link Logger
My connection is down, my ISP in Miami is down, my host in Michigan is down and I can barely connect on dial-up. -- Halbert Associates - Looking for a Web Developer?

| reply to Link Logger
Wow I sure am glad I'm running MySQL on Mac OS X. I can't wait to hear the crap MS is going to get tomorrow...

...and yesterday I got an email from MS explaining what it was doing about security. Great timing.

| reply to Link Logger
heh damn you people are on this stuff fast, I just noticed about an hour ago I was getting hits on port 1434 and wasn't too sure whether I had a trojan or something because I was playing around with file sharing (NETBIOS) with no firewall earlier today. But it's good to know it's not me

| reply to l008com
Yea, hah! I hope someone on one of the main news sites puts an article up to explain to the people who don't know about computers what's going on.

Marilla (Belpre, OH) | reply to l008com
If I'm not mistaken, this is yet another case of clueless admins not patching their servers, or following other best practices.
For one thing, I imagine 99% of the SQL Server installations out there have NO use for the Monitor service at all; it's only useful when you have multiple instances of SQL Server running and something making a connection might not know the ports to connect to them all.
I'm still trying to make 100% sure but in my case, for instance, I'm fairly sure the server I have will not be affected by this (although it seems that many others hosted by the same company ARE) because I'm fairly sure I turned the monitor service off because it served no purpose for me... PLUS, I from the default port SQL server uses to connect anyway.

Mark (Phoenix, AZ) | reply to Link Logger
Only got 2 hits so far, both before I ran netcat. I want to see what this thing does.

Link Logger (Calgary, AB) | reply to l008com
I'm betting this is using the Heap Buffer Overflow attack which was announced on July 25, 2002, and a patch was released the same day, but then again who patches, even after Code Red and Nimda.
www.kb.cert.org/vuls/id/399260
www.microsoft.com/technet/treevi···-039.asp
This is only a guess at this time; as I mentioned, I'm at the end of a development cycle so all my systems are either developing or testing (good testing) so I can't honeypot this.
Blake

| reply to Link Logger
I'm running at 1 every 20-30 seconds at the moment.

foxsteve (Campbell, CA) | reply to Link Logger
Attacks on port 1434 of my PC continue. BTW, the attempts to penetrate through port 4662 are less frequent. [text was edited by author 2003-01-25 03:13:35]

FutureMon (Seaside, CA) | reply to Link Logger
Just a note:
This apparently affects ONLY SQL Server 2000, not SQL Server 6.5 or 7. At least the Article said that this UDP Functionality was introduced with SQL 2000 and made no mention upon a glance of the other versions being affected.
- FM -- DCExec Member, Member of 'StarFire Seven' & Undisputed BBR Karaoke Champion!

| reply to Link Logger
suxors, just suxors [text was edited by author 2003-01-25 03:22:55]

foxsteve (Campbell, CA) | reply to foxsteve
Who has attacks on two ports 1434 and 4662?

Mark (Phoenix, AZ) | reply to Link Logger
nc.exe -l -u -p 1434 > C:\worm.txt
*waits*

| reply to Link Logger
At 10:00 pm our entire network at work lit up. We slowly took down each switch until we narrowed the activity down to one of our servers. On this system SQL2k was at 60% cpu usage.
We killed the nic on that system and after a couple seconds (15 or 20) SQL2k cpu usage dropped to 0% as was usual for that hour.
We've since cut our offices off from the internet and everything is disconnected and all servers shut down. Tomorrow we will be making sure everything is up to date. I just wanted to verify that one of our sql servers saturated our lan and killed our internet connection.
Hope that helps.
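Added example (not code from any poster in this thread): a small Python filter that reads firewall log lines, counts inbound UDP/1434 probes per source and their average spacing (the "1 every 20-30 seconds" rate reported above), and lists internal hosts sending UDP/1434 outward, which is the symptom of the infected server in the last post. The log line format, the 192.0.2.x internal prefix, the sample lines and the 60-second alert threshold are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

INTERNAL = "192.0.2."  # assumed local address prefix (constructed for this example)
# Constructed sample firewall log in a generic "action proto src -> dst" style.
SAMPLE_LOG = """\
2003-01-25 02:10:03 DROP UDP 203.0.113.7:1078 -> 192.0.2.10:1434
2003-01-25 02:10:19 DROP UDP 198.51.100.23:1434 -> 192.0.2.10:1434
2003-01-25 02:10:41 DROP TCP 203.0.113.7:4021 -> 192.0.2.10:4662
2003-01-25 02:11:02 DROP UDP 203.0.113.99:2201 -> 192.0.2.10:1434
2003-01-25 02:11:27 DROP UDP 203.0.113.7:1078 -> 192.0.2.10:1434
2003-01-25 02:11:40 DROP UDP 192.0.2.55:3022 -> 203.0.113.200:1434
2003-01-25 02:12:00 DROP UDP 198.51.100.23:1434 -> 192.0.2.10:1434
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events

def udp1434(events):
    return [e for e in events if e["proto"] == "UDP" and e["dport"] == 1434]

def inbound_1434(events, max_gap_s=60):
    """External -> internal UDP/1434 probes; alert when they arrive more often than
    one per max_gap_s on average (posters above saw one every 20-30 seconds)."""
    hits = [e for e in udp1434(events) if e["dst"].startswith(INTERNAL)
            and not e["src"].startswith(INTERNAL)]
    gap = None
    if len(hits) > 1:
        gap = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() / (len(hits) - 1)
    return {"hits": len(hits), "sources": dict(Counter(e["src"] for e in hits)),
            "avg_gap_s": gap, "alert": gap is not None and gap < max_gap_s}

def internal_scanners(events):
    """Internal hosts sending UDP/1434 outward (the infected-server symptom in the last post)."""
    return sorted({e["src"] for e in udp1434(events) if e["src"].startswith(INTERNAL)})
```

On the sample log this reports five inbound probes from three sources about 29 seconds apart (alert raised) and flags 192.0.2.55 as an internal host probing outward.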