New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)
From: Robert Boyle (robert@TELLURIAN.COM)
Date: 01/25/03
- Previous message: Ben Koshy: "URGENT: New SQL Worm?"
- In reply to: Russ: "Alert: Microsoft Security Bulletin - MS03-003"
Date: Sat, 25 Jan 2003 03:35:48 -0500
From: Robert Boyle <robert@TELLURIAN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Everyone,
I don't know what is causing this, but we had several customer machines
(which we don't manage) affected tonight. The common thread is that all
were running an unpatched MS SQL Server. This new worm seems to create
MASSIVE network traffic which propagates outbound. Somehow it seems to be
amplified at each of our Cisco routers. In our colo facility, we had 3
"infected" servers on 10Base-T connections - after this traffic hit our
core router, the traffic increased from just under 30Mbits/sec inbound from
our colo switch to 80+Mbits/sec outbound over ALL transit and peering
connections. I know our routers aren't smurf amplifiers and I don't know
what caused the increased outbound traffic. Once this process is started,
the MSSQLServer service cannot be stopped (or killed with pview). If the
service is disabled and the server rebooted, it will not generate this
traffic. It is not a master-slave program which requires a connection from
outside to start the flow. Once the SQL server has been infected, no
Internet connection is needed to continue the traffic storm even after a
reboot. None of our managed customer machines were affected, but all of
them are patched with current patches and none of them have 1433 exposed to
the world either. I don't have any more detail at this time, but I plan to
look into this worm/virus/exploit further in the AM. This seems to affect
both MSSQL and MSDE. Does anyone else have more to add? I have seen several
networks drop off the earth tonight as a result of this exploit.
-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." -
Francis Jeffrey