URGENT: New SQL Worm?

From: Ben Koshy (ben@W3MEDIA.NET)
Date: 01/25/03

    Date:         Sat, 25 Jan 2003 02:28:10 -0800
    From: Ben Koshy <ben@W3MEDIA.NET>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    About 9:30PM PST on January 25th, 2002, some SQL Server 2000
    installations were compromised by some sort of SQL Server Worm. The
    compromised boxes/worms generated more than 80Mbit of outgoing traffic
    (probably more if our connection could have handled it) trying to
    compromise other boxes it seems.

    Those SQL Servers running Service Pack 2 or Service Pack 3 (released Jan
    17 with little/no notice from MS!) were immune to the worm.

    A quick sampling of sites that I know to be running MSSQL server quickly
    showed the impact of this worm was huge. About 40% of the sampled sites
    were down. Installation of the SP3 after compromise seemed to resolve
    the issue. I'm not sure of the nature of the worm, what it does to the
    system outside of SQL Server, and whether trojans have been installed.
    Another colleague noted a strange extended stored procedure running on
    his home development server which was indeed taking up all the resources
    of the box and busy scanning & connecting to other IPs.

    Any confirmation/information from other sites would be appreciated.

    _____________________________________________________________________
    Ben Koshy |Certified ColdFusion 5 Developer
    Technical Manager |MS Certified Professional 2000

    W3 International Media Ltd. | www.w3media.com Effective Web Now!
    T.604.871.9899 ext.388 | www.w3media.net Fast Reliable Hosting!
    1.866.4.WEB.NOW | www.w3registry.com Simply Web Domains!
