dslreports

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3


2 recommendations

New Worm - UDP 1434 - SQL Server Monitor??

I have just started getting bombed with port scans to UDP port 1434, which is the SQL Server Monitor service. There are known vulns against this port, so it looks like someone is attacking it and built a worm for it.

»www.kb.cert.org/vuls/id/370308
»www.kb.cert.org/vuls/id/399260
»www.kb.cert.org/vuls/id/484891

Anyone else seeing this traffic? It started here about 30 minutes ago.

Blake
»www.LinkLogger.com
»www.SonicLogger.com
[text was edited by author 2003-01-25 02:41:31]

No Name5
You Only Regret What You Have Not Done.

join:2000-01-26
Glendale, AZ

Yes, I thought it was just me. About 30 minutes ago I got the same thing. I rarely see much activity on Qwest VDSL. Every minute or so. Started around 10:33pm AZ time; all remote IPs are different.

[text was edited by author 2003-01-25 01:18:32]


jmvolfan3

join:2000-07-22
Knoxville, TN
reply to Link Logger
From my Linksys logs I am also getting the same thing tonight. Over the last 10 minutes, the number of IPs has grown to 20.


sammysnake
Never Forget 911
Premium
join:2002-01-19
Salt Lake City, UT
reply to Link Logger
Ditto... I've been hit over 20 times in the past 15 minutes on the same port.

Sammy


RadRick5

join:2001-01-31
Pflugerville, TX
reply to Link Logger
Yep, me too, started right at 11:31pm Central.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
I am at the tail end of a development cycle, so I'm out of the game for anything other than noticing this. If anyone has a honeypot, tune it to UDP port 1434 and see what is happening. Seems to be spreading rather quickly. Seems to have an across-the-board random IP generator, as I only see single hits from any one system (unlike Code Red, which used a weighted IP generation algo).

Blake


fatal

join:2000-12-29
Brooklyn, NY
same here


sammysnake
Never Forget 911
Premium
join:2002-01-19
Salt Lake City, UT
reply to Link Logger
A lot of the offending IPs are from the .edu domain but spread all over the place, according to what ZoneLog is telling me from the hits I've been getting.

Sammy


sammysnake
Never Forget 911
Premium
join:2002-01-19
Salt Lake City, UT
reply to Link Logger
In an hour and 10 minutes I have been hit 62 times, and it keeps on growing.


woodward
XMission Broadband
VIP
join:2000-12-28
Salt Lake City, UT
reply to Link Logger
All at once this one invaded our colocation facility and infected most every IIS and MS SQL server in there. DoS'd us right off the internet with about 80 GB of data within minutes until we blocked the port at the border and yanked a few cords.

This one could be really nasty.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1
reply to Link Logger
See my follow-up to a post in Verizon at »How slow can my connection actualy get? ... carnage here was massive, reduced my typically 733+/133 connection to 688 and 78 on my worst speed test... I'm seeing mostly Asia and Europe so far, myself, though everything's mixed in there... did some "brain surgery with a hatchet" and blackholed everything incoming, and I'm back to speed now, but this is ridiculous... a virtual mini-DDoS...
--
"Anger makes dull men witty, but it keeps them poor."
Elizabeth I, in Francis Bacon, Apophthegms, 1625


woodward
XMission Broadband
VIP
join:2000-12-28
Salt Lake City, UT
quote:
... a virtual mini-DDoS
Nothing "mini" about it on our end.

I do not administer these servers (these are colocations). If this is an old exploit, hasn't M$ SQL's server been patched to cover it?

Or was that just a silly question....


an0n

@optonline.net

Re: New Worm - UDP 1434 - SQL Server Monitor??

Jeez, I'm glad it's not just me; I was starting to get paranoid 'til I came here.

So, if you don't have SQL Server, does this mean there is nothing to worry about?

If not, what's the best solution? Watch them all bounce off the router and firewall software, or should people be doing something more active?

abaez

join:2002-11-17
Whittier, CA
reply to Link Logger
If you don't have mysql you probably don't have to worry about getting infected. But the worm is wreaking havoc on everything. I ping 1000+ to almost every IP I try, and my friends are the same.


Bchinch00
Brian
Premium
join:2001-01-13
U.S.A.
reply to Link Logger
Here is a log of about the last 2 minutes. Seems I am also getting hits on this port!


an0n

@optonline.net
reply to abaez
Just curious and a little off topic, but I'm running the R1.95j router firmware. Am I right that doing a...

>> Packet Filter
>> Inbound
>> Deny Everything

...should help, or do I really have no idea what I'm talking about? How do you just say, all 1434 ignore? Or does the fact that the log says unrecognised mean it's already ignoring them?

Many thanks from a panic station.


Strump

@optonline.net
reply to Bchinch00
Saturday, January 25, 2003 2:27:32 AM Unrecognized access from 203.99.141.28:3061 to UDP port 1434
Saturday, January 25, 2003 2:28:12 AM Unrecognized access from 209.242.56.66:3334 to UDP port 1434
Saturday, January 25, 2003 2:28:29 AM Unrecognized access from 210.166.4.163:3377 to UDP port 1434
Saturday, January 25, 2003 2:29:57 AM Unrecognized access from 217.7.129.10:3259 to UDP port 1434
Saturday, January 25, 2003 2:34:09 AM Unrecognized access from 130.88.96.33:3367 to UDP port 1434
Saturday, January 25, 2003 2:35:01 AM Unrecognized access from 153.91.41.24:1039 to UDP port 1434
Saturday, January 25, 2003 2:35:05 AM Unrecognized access from 216.120.45.155:2020 to UDP port 1434
Saturday, January 25, 2003 2:35:51 AM Unrecognized access from 213.160.64.52:1168 to UDP port 1434
Saturday, January 25, 2003 2:37:59 AM Unrecognized access from 198.64.129.159:3976 to UDP port 1434
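As an added example, not code from this thread or from any poster: a small parser for the router log format quoted above that counts hits on UDP 1434, distinct source addresses and hits per source, and checks for the one-probe-per-source pattern Link Logger described earlier in the thread. The function names and the sample log lines are my own constructions (documentation address ranges, made-up timestamps).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the same format as the router log quoted in the
# post above; the timestamps and addresses here are made up for the example.
SAMPLE_LOG = """\
Saturday, January 25, 2003 2:27:32 AM Unrecognized access from 203.0.113.28:3061 to UDP port 1434
Saturday, January 25, 2003 2:28:12 AM Unrecognized access from 198.51.100.66:3334 to UDP port 1434
Saturday, January 25, 2003 2:28:29 AM Unrecognized access from 192.0.2.163:3377 to UDP port 1434
Saturday, January 25, 2003 2:29:57 AM Unrecognized access from 203.0.113.10:3259 to UDP port 1434
Saturday, January 25, 2003 2:30:40 AM Unrecognized access from 198.51.100.5:1039 to TCP port 80
Saturday, January 25, 2003 2:31:05 AM Unrecognized access from 192.0.2.155:2020 to UDP port 1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def parse_line(line):
    """Return one parsed log entry, or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%A, %B %d, %Y %I:%M:%S %p")
    return {"ts": ts, "src": m.group("src"),
            "proto": m.group("proto"), "dport": int(m.group("dport"))}

def summarize(log_text, proto="UDP", dport=1434):
    """Count hits on one port, distinct sources, the busiest source, and the
    time span covered, skipping lines that do not parse."""
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and e["proto"] == proto and e["dport"] == dport]
    per_src = defaultdict(int)
    for e in hits:
        per_src[e["src"]] += 1
    span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds() if len(hits) > 1 else 0.0
    return {"hits": len(hits), "sources": len(per_src),
            "max_per_source": max(per_src.values(), default=0),
            "span_seconds": span}

def looks_like_random_scan(summary, min_hits=5):
    """Many hits, each from a different source address, is the pattern the
    thread describes (random target generation, one probe per infected host)."""
    return summary["hits"] >= min_hits and summary["sources"] == summary["hits"]
```

Run `summarize` over a real export of the same log to see how many distinct hosts are probing and whether any single source repeats, which is the quick way to tell a worm sweep from one noisy scanner.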


Mark
Premium
join:2001-11-15
Phoenix, AZ
kudos:1
reply to Link Logger
Set up a honeypot; will get back with hexdumps. I've only got 2 so far.


PDXracer
Premium
join:2002-08-13
Grants Pass, OR
reply to Link Logger
I cannot connect to ANY sites east of Chicago (I am in Portland, Oregon).

Everything is trying to route through Texas, then timing out.

Can only get west coast based sites, and those are very slow loading right now.

Something big is happening


Rockster
Premium
join:2002-03-03
Brisbane AU
reply to Link Logger
Got my first hit on that port over two hours ago and so far have had around 150!

That maxed out my alert window (500) and I've only been online 10 hours.


Mark
Premium
join:2001-11-15
Phoenix, AZ
kudos:1
reply to Link Logger
From what I'm hearing, it's a bigger, nastier code red/nimda that infects mySQL instead of IIS.


oceanMan

@attbi.com
reply to an0n
Adding a filter to deny on that port wouldn't be a bad idea. I just checked my logs and noticed some attempts on my system on UDP 1434.

Nice quick info here ;~) thx


Marilla9
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH
reply to Link Logger
Okay.. so.. question:

I have a server co-located somewhere with SQL Server on it. I'm not 100% sure, but I believe I am patched for this.. if anyone knows, was the patch(es) for this included in SQL2000 SP2?

At any rate, another thing: The default port to connect to SQL server is 1433, and then the monitor server port is 1434. If I'm not mistaken, it's possible to remove/disable the monitor service so that the server will NOT enumerate instances of SQL Server running? I recall such an option, and I recall doing it... is that what this is that runs on 1434?

Also, though, I have changed the port by which connections are made to that instance of SQL server itself to something other than 1433... if the Monitor service is not what I'm thinking... well.. err.. hehe.

Just a bit worried.. and since I can't connect to the thing at all to see... I dunno!


chpalmer

join:2002-11-18
Belfair, WA
reply to Rockster
Glad to see I'm not alone!! I've been hit about 200 times since it started...


Craig3281$
Premium
join:2001-05-01
North Palm Beach, FL
reply to Link Logger
My connection is down, my ISP in Miami is down, my host in Michigan is down and can barely connect on dial-up.
--
Halbert Associates - Looking for a Web Developer?


l008com

@attbi.com
reply to Link Logger
Wow I sure am glad I'm running MySQL on Mac OS X.
I can't wait to hear the crap MS is going to get tomorrow...


An0n

@optonline.net

1 recommendation

...and yesterday I got an email from MS explaining what it was doing about security. Great timing.

InGd

join:2002-05-24
reply to Link Logger
Heh, damn, you people are on this stuff fast. I just noticed about an hour ago that I was getting hits on port 1434 and wasn't too sure whether I had a trojan or something, because I was playing around with file sharing (NETBIOS) with no firewall earlier today. But it's good to know it's not me.


Misbad

@attbi.com
reply to l008com
Yea, hah! I hope someone on one of the main news sites puts an article up to explain to the people who don't know about computers what's going on.