Re: URGENT: New SQL Worm?

From: Russell Tammany (russell@XPONENTIA.NET)
Date: 01/25/03

    Date:         Sat, 25 Jan 2003 03:03:14 -0800
    From: Russell Tammany <russell@XPONENTIA.NET>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Here is an email I shot to my ISP support dept.

    The current worm going around infecting MS SQL 2000 servers, no SP
    level, and SP1 and SP2:

    Sends from port 4741 on the local system once infected, outbound to
    random other servers to port 1434.

    I set up a filter for UDP packets incoming for src = 4741, and dest=1434
    and verified that this did stop servers from being affected.

    Possibly this would work on your net pipes, not sure.

    This vulnerability was patched 7/17/2002 in Q323875:

    http://download.microsoft.com/download/SQLSVR2000/Patch/Q323875/W98NT42KMeXP/EN-US/Q323875_SQL2000_SP2_en.EXE

    is the download link for this patch, to be applied only to SP2 SQL
    servers.

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

    is the security bulletin that mentions this.

    SP3 for SQL 2000 came out just last week and includes this fix, but has
    not been extensively tested in action, so it would be normal not to
    install this immediately.

    I have no problems with it on my servers, and the info is here:

    http://www.microsoft.com/sql/downloads/2000/sp3.asp

    http://download.microsoft.com/download/e/9/4/e943e32d-1e1c-4700-abd9-4b3df9c9c495/sql2ksp3.exe

    It also affects MSDE 2000. Apparently, Windows .NET Server beta's
    UDDI services use MSDE 2000. They are also affected, as I know now. :)
    Nice of MS to patch the MSDE included in a beta that is very recent, and
    one they have known about the bug for a while, but whatever, it's
    beta...

    Any SQL server behind a firewall that only lets 1433 SQL data in and out
    and not the mentioned UDP traffic will not be affected. Only servers
    with no firewall or an open firewall should be affected, or servers in a
    DMZ. Like test servers...

    Anyways, this is what I grabbed. I also have packet capture data if anyone is
    interested, and it's amazing how much UDP traffic was generated
    outbound so fast.

    -Russell Tammany
    Xponentia Inc.

    -----Original Message-----
    From: Ben Koshy [mailto:ben@W3MEDIA.NET]
    Sent: Saturday, January 25, 2003 2:28 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: URGENT: New SQL Worm?

    About 9:30PM PST on January 25th, 2002, some SQL Server 2000
    installations were compromised by some sort of SQL Server Worm. The
    compromised boxes/worms generated more than 80Mbit of outgoing traffic
    (probably more if our connection could have handled it) trying to
    compromise other boxes it seems.

    Those SQL Servers running Service Pack 2 or Service Pack 3 (released Jan
    17 with little/no notice from MS!) were immune to the worm.

    A quick sampling of sites that I know to be running MSSQL server quickly
    showed the impact of this worm was huge. About 40% of the sampled sites
    were down. Installation of the SP3 after compromise seemed to resolve
    the issue. I'm not sure of the nature of the worm, what it does to the
    system outside of SQL Server, and whether trojans have been installed.
    Another colleague noted a strange extended stored procedure running on
    his home development server which was indeed taking up all the resources
    of the box and busy scanning & connecting to other IPs.

    Any confirmation/information from other sites would be appreciated.

    _____________________________________________________________________
    Ben Koshy |Certified ColdFusion 5 Developer
    Technical Manager |MS Certified Professional 2000

    W3 International Media Ltd. | www.w3media.com Effective Web Now!
    T.604.871.9899 ext.388 | www.w3media.net Fast Reliable Hosting!
    1.866.4.WEB.NOW | www.w3registry.com Simply Web Domains!

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com. NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
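Added example, not from either poster: a small detector that applies the thread's two observations (an infected host sprays UDP to port 1434 on many random hosts, and inbound UDP/1434 should be dropped at the border) to flow records. The flow line format, the 10.0.0.0/24 local range, and the sample records are all constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # assumed local range for the constructed sample
SQL_RESOLUTION_PORT = 1434              # UDP port the worm targets, per the thread

# Constructed sample flow records (not a real capture):
# epoch_seconds proto src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
1043463601 UDP 10.0.0.5 4741 198.51.100.7 1434
1043463601 UDP 10.0.0.5 4741 203.0.113.9 1434
1043463601 UDP 10.0.0.5 4741 192.0.2.44 1434
1043463601 UDP 10.0.0.5 4741 198.51.100.8 1434
1043463602 UDP 10.0.0.5 4741 203.0.113.10 1434
1043463602 UDP 10.0.0.5 4741 192.0.2.45 1434
1043463602 TCP 10.0.0.6 50123 10.0.0.10 1433
1043463603 UDP 10.0.0.6 4741 10.0.0.10 1434
1043463604 UDP 192.0.2.99 4741 10.0.0.10 1434
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, proto, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = line.split()
        flows.append((int(ts), proto, src, int(sport), dst, int(dport)))
    return flows

def udp1434_sprayers(flows, window=2, min_targets=5):
    """Map src -> distinct-target count for sources hitting >= min_targets hosts on UDP/1434 within `window` seconds."""
    per_src = defaultdict(list)
    for ts, proto, src, _sport, dst, dport in flows:
        if proto == "UDP" and dport == SQL_RESOLUTION_PORT:
            per_src[src].append((ts, dst))
    sprayers = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 < window}
            if len(targets) >= min_targets:
                sprayers[src] = len(targets)   # a normal client never resolves this many instances at once
                break
    return sprayers

def inbound_udp1434_from_outside(flows):
    """Return (src, dst) pairs of UDP/1434 datagrams entering LOCAL_NET: the traffic a border filter should drop."""
    return sorted({(src, dst) for _ts, proto, src, _sp, dst, dport in flows
                   if proto == "UDP" and dport == SQL_RESOLUTION_PORT
                   and ip_address(src) not in LOCAL_NET and ip_address(dst) in LOCAL_NET})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("likely infected sprayers:", udp1434_sprayers(flows))
    print("inbound UDP/1434 from outside:", inbound_udp1434_from_outside(flows))
```

Hosts the first function reports are candidates for isolation and patching; the second function lists exactly the datagrams the poster's border filter would have stopped.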



