Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH |
to l008com
Re: New Worm - UDP 1434 - SQL Server Monitor??
If I'm not mistaken, this is yet another case of clueless admins not patching their servers, or following other best practices.
For one thing, I imagine 99% of the SQL Server installations out there have NO use for the Monitor service at all; it's only useful when you have multiple instances of SQL Server running and something making a connection might not know the ports to connect to them all.
I'm still trying to make 100% sure but in my case, for instance, I'm fairly sure the server I have will not be affected by this (although it seems that many others hosted by the same company ARE) because I'm fairly sure I turned the monitor service off because it served no purpose for me... PLUS, I from the default port SQL server uses to connect anyway. |
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
Only got 2 hits so far, both before I ran netcat. I want to see what this thing does. |
|
|
to l008com
I'm betting this is using the Heap Buffer Overflow attack which was announced on July 25, 2002 and a patch was released the same day, but then again who patches, even after Code Red and Nimda.
» www.kb.cert.org/vuls/id/399260
» www.microsoft.com/techne ··· -039.asp
This is only a guess at this time as I mentioned I'm at the end of a development cycle so all my systems are either developing or testing (good testing) so I can't honeypot this. Blake |
|
|
to Link Logger
I'm running at 1 every 20-30 seconds at the moment. |
|
foxsteve Premium Member join:2001-12-28 Campbell, CA |
to Link Logger
Attacks on my PC's port 1434 continue. BTW, the attempts to penetrate through port 4662 are rarer. |
|
FutureMonDude Whats mine say? join:2000-10-05 Marina, CA |
to Link Logger
Just a note:
This apparently affects ONLY SQL Server 2000, not SQL Server 6.5 or 7. At least the Article said that this UDP Functionality was introduced with SQL 2000 and made no mention upon a glance of the other versions being affected.
- FM |
|
|
to Link Logger
suxors, just suxors |
|
foxsteve Premium Member join:2001-12-28 Campbell, CA 2003-Jan-25 3:22 am |
Who has attacks on two ports 1434 and 4662? |
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
nc.exe -l -u -p 1434 > C:\worm.txt
*waits* |
|
to Link Logger
At 10:00 pm our entire network at work lit up. We slowly took down each switch until we narrowed the activity down to one of our servers. On this system SQL2k was at 60% CPU usage.
We killed the NIC on that system and after a couple of seconds (15 or 20) SQL2k CPU usage dropped to 0%, as was usual for that hour.
We've since cut our offices off from the internet; everything is disconnected and all servers are shut down. Tomorrow we will be making sure everything is up to date. I just wanted to verify that one of our SQL servers saturated our LAN and killed our internet connection.
Hope that helps. |
|
inTulsa Premium Member join:2002-02-24 |
to foxsteve
I'm getting many hits on it originating from all over the world, lots from Asia/Pacific. But last hour they seem to be quieting down. Pictured is a little 25K free honeypot if anyone wants to watch them as they arrive: » www.bttsoftware.co.uk/ipspy.html |
|
woodwardXMission Internet join:2000-12-28 Salt Lake City, UT |
to Link Logger
I've been told that two of our backbone providers are now blocking this port. NANOG is getting some interesting reports.
Please spread the word about what this is. It's easy to stop on the host/ISP level with a simple filter of port 1434. |
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
» average.matrix.net/
Look at the reachability levels in the past hour or so. Blocking all outgoing/incoming 1434 UDP would be a very good idea right now. We need to stop any further spread and minimize the damage currently infected hosts can cause. |
|
|
to Link Logger
Wow, I think this actually is pretty serious. I stopped getting hits on port 1434 an hour ago, which I assume means my ISP blocked it at their end; either that, or maybe I'm just fluking out and haven't got any hits. My ISP never blocked any ports when Code Red was going around.... but maybe that was because it was hitting port 80? (Can't 100% remember what port Code Red hit.) |
|
Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH |
to Link Logger
Well, seems my port 1434 udp is wide open on the server I referenced earlier... however, assuming the vulnerability is among the ones noted, I think I'm fine... as I believe fixes for those were included in SP2 for SQL Server. I'm hoping, anyway... |
|
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
My ISP (Verizon, or maybe my backbone, Genuity) must already be filtering it, I haven't got a single attempt since the first 2 I received 30 minutes or so ago.
Edit: NM, got another one. |
|
Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH |
to InGd
said by InGd: My isp never blocked any ports when code red was going around.... but maybe that was because it was hitting port 80? (can't 100% remember what port code red hit)
Code Red hit port 80, yes. |
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
Yea, Code Red/Nimda used to hit port 80 (httpd).
Fortunately, not many customers will care if UDP port 1434 is blocked outgoing and incoming temporarily. I think it would be prudent of all ISPs to do so, at least until this dies down. |
|
SxTX join:2001-02-26 Battle Ground, WA |
to Mark75
I love this!!! Microsoft sucks so bad. Every OS and server application has multiple vulnerabilities. Microsoft's weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson. |
|
foxsteve Premium Member join:2001-12-28 Campbell, CA |
to Mark75
Who has attacks on two ports, 1434/udp and 4662/tcp? I have. Attempts on port 4662 every 3-10 s. |
|
|
Agrajag Anon 2003-Jan-25 3:52 am |
to woodward
Do you have a url to the nanog reports? I'd very much like to see them. |
|
to SxTX
said by SxTX: I love this !!! Microsoft sucks so bad Every OS and server application has multiple vulnerabilities. Microsofts weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.
Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers. |
|
Mark75 Premium Member join:2001-11-15 Phoenix, AZ |
to Link Logger
Also, I do not believe this is a worm; there is no payload, no binary. It just uses a flaw in mySQL server to propagate, which also causes the denial of service effect.
quote:
In addition to providing referrals, the SSRS is capable of replying to "ping" messages from other SQL servers to confirm its presence on a network. When the service receives such a message, it replies to the transmitting host with an identical reply message. In normal operation, the SSRS service is responsible for replying to ping messages sent by an SQL Server and does not initiate them. However, an attacker can create a forged ping message to one instance of the SSRS (Victim A, port 1434) that appears to originate from another instance (Victim B, port 1434), causing Victim A and Victim B to continuously exchange messages. This cycle will continue to consume server and network resources until one of the servers stops sending packets for one of several reasons, including a restart of the SQL Server, a reboot of the server host, or a network failure.
I think what's happened is that someone created a program that sends these 'triggers' to a range of hosts, which in turn makes them do the same until they are rebooted/crash, and are 're-taken over' by this flaw. |
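An added example, not from this thread: a small Python script for the defender's side of the note quoted above. It reads constructed firewall log lines, counts inbound UDP/1434 hits per source (the "hits" people here are tallying), and flags host pairs caught in the 1434-to-1434 ping-pong loop. The log line format and the 192.0.2.0/24 "local" range are assumptions.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the thread). Assumed format:
# "<HH:MM:SS> <proto> <src>:<sport> -> <dst>:<dport>"; 192.0.2.x is "ours".
SAMPLE_LOG = """\
22:00:01 udp 203.0.113.7:1434 -> 192.0.2.10:1434
22:00:01 udp 192.0.2.10:1434 -> 203.0.113.7:1434
22:00:02 udp 203.0.113.7:1434 -> 192.0.2.10:1434
22:00:02 udp 192.0.2.10:1434 -> 203.0.113.7:1434
22:00:05 udp 198.51.100.4:51122 -> 192.0.2.10:1434
22:00:30 udp 198.51.100.9:1434 -> 192.0.2.11:1434
22:00:44 tcp 198.51.100.4:40000 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"(\S+) (udp|tcp) (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log):
    """Yield (proto, src, sport, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, proto, src, sport, dst, dport = m.groups()
            yield proto, src, int(sport), dst, int(dport)

def ssrs_hits(log, local_prefix="192.0.2."):
    """Inbound UDP/1434 hits: total count and a per-source Counter."""
    srcs = Counter(src for proto, src, _, dst, dport in parse(log)
                   if proto == "udp" and dport == 1434
                   and dst.startswith(local_prefix)
                   and not src.startswith(local_prefix))
    return sum(srcs.values()), srcs

def port_1434_loops(log):
    """A real SSRS query comes from an ephemeral port, so source port 1434
    appears only in a reply or in a forged ping. Hosts sending 1434->1434
    to each other are in the loop the CERT note describes; a one-way
    1434->1434 packet is the forged trigger (or a reply we did not log)."""
    directed = {(src, dst) for proto, src, sport, dst, dport in parse(log)
                if proto == "udp" and sport == 1434 and dport == 1434}
    loops = sorted({tuple(sorted(p)) for p in directed if p[::-1] in directed})
    one_way = sorted(p for p in directed if p[::-1] not in directed)
    return loops, one_way

if __name__ == "__main__":
    total, per_src = ssrs_hits(SAMPLE_LOG)
    print(f"{total} inbound UDP/1434 hits from {len(per_src)} sources")
    loops, one_way = port_1434_loops(SAMPLE_LOG)
    print("ping-pong pairs:", loops, "| one-way 1434->1434:", one_way)
```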
|
Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH |
to pin87a
said by pin87a: Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers.
Couple questions:
1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?
2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find.. |
|
|
to Link Logger
Why doesn't MS include these types of patches with the critical updates, so that by updating automatically you grab them and install right when the patch is released... just a thought. ;~) |
|
|
to foxsteve
I have not seen any traffic on TCP 4662 here yet. Oddly enough I am seeing an increase in inbound TCP port 80 traffic (when compared to the last couple of days). Oops, limited tools on the server running the logging stuff, sorry. Blake |
|
|
to Marilla9
said by Marilla9:
Couple questions:
1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?
2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find..
We don't know for sure that this is that exact vulnerability, but it is looking like it most likely is (so we are assuming). According to Microsoft the fix for this vulnerability will be included in SQL Server 2000 Service Pack 3 (it isn't in Service Pack 2). |
|
Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH 2003-Jan-25 4:10 am |
said by pin87a: According to Microsoft the fix for this vulnerability will be included in SQL Server 2000 Service Pack 3 (it isn't in Service Pack 2).
Ugh. SP3 came out last week, and I'd not even heard of it until today. Sucks to be me. |
|
robre join:2002-08-01 Lebanon, TN |
to Link Logger
I'm guessing it's set up to DDOS something, probably UUNET judging by » www.internetpulse.net/ and UUNET.com is down. |
|