Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Carlos Eduardo Vianna (cvianna@stech.net.br)
Date: 01/25/03

    Date: 25 Jan 2003 11:23:01 -0000
    From: Carlos Eduardo Vianna <cvianna@stech.net.br>
    To: bugtraq@securityfocus.com
    
    
    In-Reply-To: <20030125021141.A23211@romulus.netgraft.com>

    Michael,

    You're correct. We started to get flooded at 03:00 AM
    (now it's 09:20 am down here), and found the solution
    about 30 min after: shutting down all W2K SQLs. Now we
    have all 1434 and 1433 blocked. 1433 seems to be
    important too.

    Please check this:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

    We had trouble downloading the patch... too busy. I got
    it now, and made a mirror. Please feel free to get it
    and patch your SQL 2k.

    http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE

    Regards
    Carlos Eduardo Vianna - cvianna@stech.net.br
    SouthTech Internet DataCenter
    http://www.stech.net.br/

    >Date: Sat, 25 Jan 2003 02:11:41 -0500
    >From: Michael Bacarella <mbac@netgraft.com>
    >To: nylug-talk@nylug.org, wwwac@lists.wwwac.org,
    > linux-elitists@zgp.org
    >Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
    >
    >I'm getting massive packet loss to various points on the globe.
    >I am seeing a lot of these in my tcpdump output on each
    >host.
    >
    >02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
    >02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
    >
    >It looks like there's a worm affecting MS SQL Server which is
    >pingflooding addresses at some random sequence.
    >
    >All admins with access to routers should block port 1434 (ms-sql-m)!
    >
    >Everyone running MS SQL Server shut it the hell down or make
    >sure it can't access the internet proper!
    >
    >I make no guarantees that this information is correct, test it
    >out for yourself!
    >
    >--
    >Michael Bacarella 24/7 phone: 646 641-8662
    >Netgraft Corporation http://netgraft.com/
    > "unique technologies to empower your business"
    >
    >Finger email address for public key. Key fingerprint:
    > C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
    >
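
Added example, not part of the original messages: a Python triage script that reads old-style tcpdump text like the lines quoted above and counts, per source address, the 376-byte UDP datagrams sent to ms-sql-m (1434), so hosts emitting the flood can be isolated and patched. The sample lines use constructed documentation addresses; the function name and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter

# Old-style tcpdump text: "HH:MM:SS.frac SRC.SPORT > DST.DPORT: udp LEN"
UDP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.[\w-]+\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)"
)
MONITOR_PORTS = {"ms-sql-m", "1434"}  # service name, or the number when tcpdump runs with -n
FLOOD_LEN = 376                       # datagram size shown in the quoted capture

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = """\
02:06:31.017088 192.0.2.10.3047 > 198.51.100.7.ms-sql-m: udp 376
02:06:31.017244 198.51.100.7 > 192.0.2.10: icmp: 198.51.100.7 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.018001 192.0.2.10.3047 > 203.0.113.99.ms-sql-m: udp 376
02:06:31.019412 192.0.2.10.3047 > 203.0.113.140.1434: udp 376
02:06:31.020007 192.0.2.55.1029 > 198.51.100.7.ms-sql-m: udp 1
02:06:31.021300 192.0.2.77.4000 > 198.51.100.7.domain: udp 376
""".splitlines()


def flood_sources(lines, min_hits=2):
    """Return {source: {"packets": n, "targets": k}} for hosts sending the flood pattern."""
    hits, targets = Counter(), {}
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # ICMP replies and other non-UDP lines do not match
        if m["dport"] not in MONITOR_PORTS or int(m["len"]) != FLOOD_LEN:
            continue  # a different service, or a datagram of a different size
        hits[m["src"]] += 1
        targets.setdefault(m["src"], set()).add(m["dst"])
    return {s: {"packets": n, "targets": len(targets[s])}
            for s, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, stats in flood_sources(SAMPLE).items():
        print(f"{src}: {stats['packets']} x {FLOOD_LEN}-byte UDP to 1434, "
              f"{stats['targets']} distinct targets")
```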


