 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3
| New Worm - UDP 1434 - SQL Server Monitor?? I have just started getting bombed with port scans to UDP port 1434, which is the SQL Server Monitor service. There are known vulns against this port, so it looks like someone is attacking it and has built a worm for it.
»www.kb.cert.org/vuls/id/370308 »www.kb.cert.org/vuls/id/399260 »www.kb.cert.org/vuls/id/484891
Anyone else seeing this traffic? It started here about 30 minutes ago.
Blake »www.LinkLogger.com »www.SonicLogger.com [text was edited by author 2003-01-25 02:41:31] |
|
 No Name5You Only Regret What You Have Not Done. join:2000-01-26 Glendale, AZ
| Yes, I thought it was just me; about 30 minutes ago I got the same thing. Rarely see much activity on Qwest VDSL. Every minute or so. Started around 10:33pm AZ time; all remote IPs are different.
[text was edited by author 2003-01-25 01:18:32] |
|
| reply to Link Logger From my Linksys logs I am also getting the same thing tonight. Over the last 10 minutes, the number of IPs has grown to 20. |
|
 sammysnakeNever Forget 911Premium join:2002-01-19 Salt Lake City, UT | reply to Link Logger Ditto... I've been hit over 20 times in the past 15 minutes on the same port.
Sammy  |
|
| reply to Link Logger Yep, me too, started right at 11:31pm Central. |
|
Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 | I am at the tail end of a development cycle, so I'm out of the game for anything other than noticing this. If anyone has a honeypot, tune it to UDP port 1434 and see what is happening. Seems to be spreading rather quickly. Seems to have an across-the-board random IP generator, as I only see single hits from any one system (unlike Code Red, which used a weighted IP generation algo).
Blake |
|
 fatal join:2000-12-29 Brooklyn, NY | same here |
|
sammysnakeNever Forget 911Premium join:2002-01-19 Salt Lake City, UT | reply to Link Logger A lot of the offending IPs are from the .edu domain but spread all over the place, according to what ZoneLog is telling me from the hits I've been getting.
Sammy  |
|
sammysnakeNever Forget 911Premium join:2002-01-19 Salt Lake City, UT | reply to Link Logger
In an hour and 10 minutes I have been hit 62 times and it keeps on growing.  |
|
woodwardXMission BroadbandVIP join:2000-12-28 Salt Lake City, UT | reply to Link Logger All at once this one invaded our colocation facility and infected most every IIS and MS SQL server in there. DoS'd us right off the internet with about 80 GB of data within minutes, until we blocked the port at the border and yanked a few cords.
This one could be really nasty. |
|
 gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to Link Logger See my follow up to a post in Verizon at »How slow can my connection actualy get? ... carnage here was massive, reduced my typically 733+/133 connection to 688 and 78, on my worst speed test... I'm seeing mostly Asia and Europe, so far, myself, though everything's mixed in there... did some "brain surgery with a hatchet" and blackholed everything incoming, and I'm back to speed, now, but this is ridiculous... a virtual mini-DDoS... -- "Anger makes dull men witty, but it keeps them poor." Elizabeth I, in Francis Bacon, Apophthegms, 1625 |
|
 woodwardXMission BroadbandVIP join:2000-12-28 Salt Lake City, UT | quote: ... a virtual mini-DDoS
Nothing "mini" about it on our end. 
I do not administer these servers (these are colocations). If this is an old exploit, hasn't M$ SQL's server been patched to cover it?
Or was that just a silly question.... |
|
| Re: New Worm - UDP 1434 - SQL Server Monitor?? Jeez, I'm glad it's not just me; I was starting to get paranoid till I came here.
So, if you don't have SQL Server, does this mean there is nothing to worry about?
If not, what's the best solution? Watch them all bounce off the router and firewall software, or should people be doing something more active? |
|
abaez join:2002-11-17 Whittier, CA | reply to Link Logger If you don't have mysql you probably don't have to worry about getting infected. But the worm is wreaking havoc on everything. I ping 1000+ to almost every IP I try, and my friends are the same. |
|
 | reply to Link Logger
Here is a log of about the last 2 minutes. Seems I am also getting hits on this port! |
|
| reply to abaez Just curious and a little off topic, but I'm running the R1.95j router firmware. Am I right that doing a...
>> Packet Filter >> Inbound >> Deny Everything
...should help, or do I really have no idea what I'm talking about? How do you just say, all 1434 ignore? Or does the fact that the log says unrecognised mean it's already ignoring them?
Many thanks from a panic station.  |
|
| reply to Bchinch00
Saturday, January 25, 2003 2:27:32 AM Unrecognized access from 203.99.141.28:3061 to UDP port 1434
Saturday, January 25, 2003 2:28:12 AM Unrecognized access from 209.242.56.66:3334 to UDP port 1434
Saturday, January 25, 2003 2:28:29 AM Unrecognized access from 210.166.4.163:3377 to UDP port 1434
Saturday, January 25, 2003 2:29:57 AM Unrecognized access from 217.7.129.10:3259 to UDP port 1434
Saturday, January 25, 2003 2:34:09 AM Unrecognized access from 130.88.96.33:3367 to UDP port 1434
Saturday, January 25, 2003 2:35:01 AM Unrecognized access from 153.91.41.24:1039 to UDP port 1434
Saturday, January 25, 2003 2:35:05 AM Unrecognized access from 216.120.45.155:2020 to UDP port 1434
Saturday, January 25, 2003 2:35:51 AM Unrecognized access from 213.160.64.52:1168 to UDP port 1434
Saturday, January 25, 2003 2:37:59 AM Unrecognized access from 198.64.129.159:3976 to UDP port 1434 |
|
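One way a defender could summarize router logs like the one quoted above, as an added example that is not code from any poster in this thread: it parses the "Unrecognized access from ... to UDP port 1434" line format into events, counts UDP/1434 hits, distinct sources and hit rate, and lists any source that hit more than once, which is the single-hit-per-source pattern Blake noted earlier. The sample log lines are constructed here using documentation-range addresses, not the addresses posted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the router log format quoted in the thread.
SAMPLE_LOG = """\
Saturday, January 25, 2003 2:27:32 AM Unrecognized access from 192.0.2.10:3061 to UDP port 1434
Saturday, January 25, 2003 2:28:12 AM Unrecognized access from 198.51.100.7:3334 to UDP port 1434
Saturday, January 25, 2003 2:28:29 AM Unrecognized access from 203.0.113.5:3377 to UDP port 1434
Saturday, January 25, 2003 2:29:57 AM Unrecognized access from 192.0.2.10:3259 to UDP port 1434
Saturday, January 25, 2003 2:30:05 AM Unrecognized access from 203.0.113.9:4242 to TCP port 80
"""

# Timestamp, then "Unrecognized access from <ip>:<sport> to <proto> port <dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<proto>UDP|TCP) port (?P<dport>\d+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src_ip, proto, dst_port); unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %I:%M:%S %p")
        events.append((ts, m["src"], m["proto"], int(m["dport"])))
    return events


def summarize_1434(events):
    """Summarize UDP/1434 hits: total, distinct sources, hits per minute, repeat sources."""
    hits = sorted(e for e in events if e[2] == "UDP" and e[3] == 1434)
    if not hits:
        return {"hits": 0, "distinct_sources": 0, "per_minute": 0.0, "repeat_sources": []}
    per_src = Counter(src for _, src, _, _ in hits)
    # Use at least a one-minute window so a single hit does not divide by zero.
    span_min = max((hits[-1][0] - hits[0][0]).total_seconds() / 60, 1.0)
    return {
        "hits": len(hits),
        "distinct_sources": len(per_src),
        "per_minute": round(len(hits) / span_min, 2),
        # A scanner picking targets at random rarely repeats a source within minutes.
        "repeat_sources": sorted(s for s, n in per_src.items() if n > 1),
    }
```

Feed it the router's exported log instead of SAMPLE_LOG to get the same counts the posters were tallying by hand.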
 MarkPremium join:2001-11-15 Phoenix, AZ kudos:1 | reply to Link Logger Set up a honeypot, will get back with hexdumps, I've only got 2 so far  |
|
PDXracerPremium join:2002-08-13 Grants Pass, OR | reply to Link Logger I cannot connect to ANY sites east of Chicago (I am in Portland, Oregon).
Everything is trying to route through Texas, then timing out.
Can only get West Coast based sites, and those are very slow loading right now.
Something big is happening. |
|