URGENT: New SQL Worm?
From: Ben Koshy (ben@W3MEDIA.NET)
Date: 01/25/03
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS03-003"
- In reply to: Russ: "Alert: Microsoft Security Bulletin - MS03-003"
- Next in thread: Russell Tammany: "Re: URGENT: New SQL Worm?"
- Maybe reply: Russell Tammany: "Re: URGENT: New SQL Worm?"
- Maybe reply: Russ: "Re: URGENT: New SQL Worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 25 Jan 2003 02:28:10 -0800 From: Ben Koshy <ben@W3MEDIA.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
About 9:30PM PST on January 25th, 2002, some SQL Server 2000
installations were compromised by some sort of SQL Server Worm. The
compromised boxes/worms generated more than 80Mbit of outgoing traffic
(probably more if our connection could have handled it) trying to
compromise other boxes it seems.
Those SQL Servers running Service Pack 2 or Service Pack 3 (released Jan
17 with little/no notice from MS!) were immune to the worm.
A quick sampling of sites that I know to be running MSSQL server quickly
showed the impact of this worm was huge. About 40% of the sampled sites
were down. Installation of the SP3 after compromise seemed to resolve
the issue. I'm not sure the nature of the worm, what it does to the
system outside of SQL Server, and whether trojans have been installed.
Another colleague noted a strange extended stored procedure running on
his home development server which was indeed taking up all the resources
of the box and busy scanning & connecting to other Ips.
Any confirmation/information from other sites would be appreciated.
_____________________________________________________________________
Ben Koshy |Certified ColdFusion 5 Developer
Technical Manager |MS Certified Professional 2000
W3 International Media Ltd. | www.w3media.com Effective Web Now!
T.604.871.9899 ext.388 | www.w3media.net Fast Reliable Hosting!
1.866.4.WEB.NOW | www.w3registry.com Simply Web Domains!
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
- Next message: Robert Boyle: "New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)"
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS03-003"
- In reply to: Russ: "Alert: Microsoft Security Bulletin - MS03-003"
- Next in thread: Russell Tammany: "Re: URGENT: New SQL Worm?"
- Maybe reply: Russell Tammany: "Re: URGENT: New SQL Worm?"
- Maybe reply: Russ: "Re: URGENT: New SQL Worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
