Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9 to l008com

Re: New Worm - UDP 1434 - SQL Server Monitor??

If I'm not mistaken, this is yet another case of clueless admins not patching their servers, or following other best practices.

For one thing, I imagine 99% of the SQL Server installations out there have NO use for the Monitor service at all; it's only useful when you have multiple instances of SQL Server running and something making a connection might not know the ports to connect to them all.

I'm still trying to make 100% sure but in my case, for instance, I'm fairly sure the server I have will not be affected by this (although it seems that many others hosted by the same company ARE) because I'm fairly sure I turned the monitor service off because it served no purpose for me... PLUS, I from the default port SQL server uses to connect anyway.

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

Only got 2 hits so far, both before I ran netcat. I want to see what this thing does.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to l008com

I'm betting this is using the Heap Buffer Overflow attack which was announced on July 25, 2002 and a patch was released the same day, but then again who patches, even after Code Red and Nimda.

»www.kb.cert.org/vuls/id/399260
»www.microsoft.com/techne ··· -039.asp

This is only a guess at this time as I mentioned I'm at the end of a development cycle so all my systems are either developing or testing (good testing) so I can't honeypot this.

Blake

an0n
@optonline.net

an0n to Link Logger

I'm running at 1 every 20-30 seconds at the moment.

foxsteve
Premium Member
join:2001-12-28
Campbell, CA

foxsteve to Link Logger

The attack on my PC's port 1434 continues.
BTW, the attempts to penetrate through port 4662 are rarer.
[text was edited by author 2003-01-25 03:13:35]

FutureMon
Dude Whats mine say?

join:2000-10-05
Marina, CA

FutureMon to Link Logger

Just a note:

This apparently affects ONLY SQL Server 2000, not SQL Server 6.5 or 7. At least the Article said that this UDP Functionality was introduced with SQL 2000 and made no mention upon a glance of the other versions being affected.

- FM
asn9
join:2002-08-23

asn9 to Link Logger

suxors, just suxors
[text was edited by author 2003-01-25 03:22:55]

foxsteve
Premium Member
join:2001-12-28
Campbell, CA

foxsteve

Who has attacks on two ports 1434 and 4662?

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

nc.exe -l -u -p 1434 > C:\worm.txt

*waits*
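An added example, not Mark75's code or anything posted in this thread: a Python listener that waits on UDP/1434 like the nc one-liner above, but keeps only per-source counts, arrival gaps and leading bytes, plus a summarize() report run on a constructed sample. The function names, the sample datagrams and the documentation-range addresses are assumptions.

```python
import socket
import time
from collections import Counter

PORT = 1434  # UDP port of the SQL Server Resolution Service watched in this thread

def summarize(records):
    """records: list of (unix_time, src_ip, payload_bytes), in any order.
    Reports hit count, hits per source, mean seconds between hits, each leading
    byte in hex and the datagram lengths seen; against a quiet-hour baseline
    this separates a scan burst from stray legitimate lookups on the same port."""
    if not records:
        return {"hits": 0, "sources": {}, "mean_gap_s": None,
                "lead_bytes": {}, "length_bytes": []}
    records = sorted(records)
    times = [t for t, _, _ in records]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "hits": len(records),
        "sources": dict(Counter(ip for _, ip, _ in records)),
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        "lead_bytes": dict(Counter(p[:1].hex() or "<empty>" for _, _, p in records)),
        "length_bytes": sorted({len(p) for _, _, p in records}),
    }

def listen(seconds=60):
    """Bind UDP/1434 like the nc one-liner and collect datagrams for a while.
    Nothing is ever sent back, so the listener cannot reflect traffic."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", PORT))
    sock.settimeout(1.0)
    records, deadline = [], time.time() + seconds
    while time.time() < deadline:
        try:
            data, (ip, _port) = sock.recvfrom(2048)
        except socket.timeout:
            continue
        records.append((time.time(), ip, data))
    sock.close()
    return summarize(records)

# Constructed sample (documentation address ranges, made-up payload bytes):
# four datagrams about 25 s apart, the rate one poster above reports seeing.
SAMPLE = [
    (1043463000.0, "192.0.2.10", b"\x04\x01\x01\x01"),
    (1043463025.0, "198.51.100.7", b"\x02\x00"),
    (1043463050.0, "192.0.2.10", b"\x04\x01\x01\x01"),
    (1043463075.0, "203.0.113.5", b""),
]
if __name__ == "__main__":
    print(summarize(SAMPLE))  # offline check; call listen(60) on a spare host
```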

SEWilson
@cox.net

SEWilson to Link Logger

At 10:00 pm our entire network at work lit up. We slowly took down each switch until we narrowed the activity down to one of our servers. On this system SQL2k was at 60% CPU usage.

We killed the NIC on that system and after a couple seconds (15 or 20) SQL2k CPU usage dropped to 0%, as was usual for that hour.

We've since cut our offices off from the internet; everything is disconnected and all servers are shut down. Tomorrow we will be making sure everything is up to date. I just wanted to verify that one of our SQL servers saturated our LAN and killed our internet connection.

Hope that helps.
inTulsa
Premium Member
join:2002-02-24

inTulsa to foxsteve

I'm getting many hits on it originating from all over the world, lots from Asia/Pacific. But last hour they seem to be quieting down. Pictured is a little 25K free honeypot if anyone wants to watch them as they arrive: »www.bttsoftware.co.uk/ipspy.html
[text was edited by author 2003-01-25 03:44:45]

woodward
XMission Internet
join:2000-12-28
Salt Lake City, UT

woodward to Link Logger

I've been told that two of our backbone providers are now blocking this port. NANOG is getting some interesting reports.

Please spread the word about what this is. It's easy to stop on the host/ISP level with a simple filter of port 1434.

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

»average.matrix.net/
Look at the reachability levels in the past hour or so.

Blocking all outgoing/incoming 1434 UDP would be a very good idea right now. We need to stop any further spread and minimize the damage currently infected hosts can cause.

AmeritecTech
Change we can believe in, 1922
Premium Member
join:2002-09-06
Houston, TX

AmeritecTech to Link Logger

»www.kb.cert.org/vuls/id/370308
InGd
join:2002-05-24

InGd to Link Logger

Wow, I think this actually is pretty serious. I stopped getting hits on port 1434 an hour ago, which I assume means my ISP blocked it at their end; either that or maybe I'm just fluking out and haven't got any hits. My ISP never blocked any ports when Code Red was going around.... but maybe that was because it was hitting port 80? (can't 100% remember what port Code Red hit)

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9 to Link Logger

Well, seems my port 1434 udp is wide open on the server I referenced earlier... however, assuming the vulnerability is among the ones noted, I think I'm fine... as I believe fixes for those were included in SP2 for SQL Server. I'm hoping, anyway...

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

My ISP (Verizon, or maybe my backbone, Genuity) must already be filtering it, I haven't got a single attempt since the first 2 I received 30 minutes or so ago.

Edit: NM, got another one.
[text was edited by author 2003-01-25 03:56:35]

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9 to InGd

said by InGd:
My isp never blocked any ports when code red was going around.... but maybe that was because it was hitting port 80? (can't 100% remember what port code red hit)
Code Red hit port 80, yes.

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

Yea, Code Red/Nimda used to hit port 80 (httpd).

Fortunately, not many customers will care if UDP port 1434 is blocked outgoing and incoming temporarily. I think it would be prudent of all ISPs to do so, at least until this dies down.
[text was edited by author 2003-01-25 03:47:24]
SxTX
join:2001-02-26
Battle Ground, WA

SxTX to Mark75

I love this!!! Microsoft sucks so bad. Every OS and server application has multiple vulnerabilities. Microsoft's weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.

foxsteve
Premium Member
join:2001-12-28
Campbell, CA

foxsteve to Mark75

Who has attacks on two ports, 1434/udp and 4662/tcp? I have. Attempts on port 4662 every 3-10 s.
[text was edited by author 2003-01-25 03:55:27]

Agrajag
@attbi.com

Agrajag to woodward

Do you have a url to the nanog reports? I'd very much like to see them.
pin87a
join:2002-01-03

pin87a to SxTX

said by SxTX:
I love this!!! Microsoft sucks so bad. Every OS and server application has multiple vulnerabilities. Microsoft's weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.
Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers.

Mark75
Premium Member
join:2001-11-15
Phoenix, AZ

Mark75 to Link Logger

Also, I do not believe this is a worm; there is no payload, no binary. It just uses a flaw in mySQL server to propagate, which also causes the denial of service effect.
quote:
In addition to providing referrals, the SSRS is capable of replying to "ping" messages from other SQL servers to confirm its presence on a network. When the service receives such a message, it replies to the transmitting host with an identical reply message. In normal operation, the SSRS service is responsible for replying to ping messages sent by an SQL Server and does not initiate them. However, an attacker can create a forged ping message to one instance of the SSRS (Victim A, port 1434) that appears to originate from another instance (Victim B, port 1434), causing Victim A and Victim B to continuously exchange messages. This cycle will continue to consume server and network resources until one of the servers stops sending packets for one of several reasons, including a restart of the SQL Server, a reboot of the server host, or a network failure.

I think what's happened is that someone created a program that sends these 'triggers' to a range of hosts, which in turn makes them do the same until they are rebooted/crash, and are 're-taken over' by this flaw.
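An added example, not from Mark75 or the advisory he quotes: a small Python model of the SSRS ping loop described in that quote (each delivered ping is answered with an identical reply to the packet's claimed source), used to show why the UDP 1434 filter recommended earlier in the thread ends the exchange. Host names, step counts and the function itself are assumptions made for the model; it sends no network traffic.

```python
from collections import deque

def run_reflection(first_msg, steps, filter_from_step=None):
    """Model of the quoted SSRS behaviour: a ping delivered to a host is answered
    with an identical reply to the packet's source address, so one message whose
    source claims to be another SSRS instance makes the two answer each other.
    first_msg is (claimed_src_host, dst_host). filter_from_step, if set, models
    a host/ISP filter on UDP 1434 that drops every packet from that step on.
    Returns (messages_delivered, replies_sent_per_host, loop_still_running)."""
    in_flight = deque([first_msg])   # at most one packet is in flight at a time
    sent = {}
    delivered = 0
    for step in range(steps):
        if not in_flight:
            return delivered, sent, False          # the cycle has died out
        src, dst = in_flight.popleft()
        if filter_from_step is not None and step >= filter_from_step:
            continue                               # dropped by the 1434 filter
        delivered += 1
        sent[dst] = sent.get(dst, 0) + 1           # dst answers every delivery
        in_flight.append((dst, src))               # identical reply to claimed src
    return delivered, sent, bool(in_flight)

if __name__ == "__main__":
    # Constructed scenario: Victim B is the claimed source, Victim A the target.
    print(run_reflection(("B", "A"), 10))                 # unfiltered: never stops
    print(run_reflection(("B", "A"), 10, filter_from_step=4))  # filter ends it
```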

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9 to pin87a

said by pin87a:
Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers.
Couple questions:

1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?

2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find.

oceanMan
@attbi.com

oceanMan to Link Logger

Why doesn't MS include these types of patches in with critical updates, so that by updating automatically you will grab them and install them right when the patch is released... just a thought. ;~)

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to foxsteve

I have not seen any traffic on TCP 4662 here yet. Oddly enough I am seeing an increase for inbound TCP port 80 traffic (when compared to the last couple of days).

Oops, limited tools on the server running the logging stuff, sorry.

Blake
[text was edited by author 2003-01-25 04:01:18]

[text was edited by author 2003-01-25 04:02:19]
pin87a
join:2002-01-03

pin87a to Marilla9

said by Marilla9:

Couple questions:

1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?

2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find.
We don't know for sure that this is that exact vulnerability, but it is looking like it most likely is.
(so we are assuming)

According to Microsoft the fix for this vulnerability will be included in SQL Server 2000 Service Pack 3 (it isn't in Service Pack 2).
[text was edited by author 2003-01-25 04:07:14]

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9

said by pin87a:
According to Microsoft the fix for this vulnerability will be included in SQL Server 2000 Service Pack 3 (it isn't in Service Pack 2).
Ugh. SP3 came out last week, and I'd not even heard of it until today.

Sucks to be me.
robre
join:2002-08-01
Lebanon, TN

robre to Link Logger

I'm guessing it's set up to DDOS something, probably UUNET judging by »www.internetpulse.net/ and UUNET.com is down.