Re: Increased activity on UDP/1434

From: Otto Dandenell (bugtraq@fetaste.com)
Date: 01/25/03

    From: "Otto Dandenell" <bugtraq@fetaste.com>
    To: <incidents@securityfocus.com>
    Date: Sat, 25 Jan 2003 15:36:29 +0100
    
    

    Dmitri Smirnov wrote:

    > Having a big number of connections on UDP/1434 from random
    > IPs on the Internet on different networks. One hour ago (22:00
    > PST) one server in colo space started to initiate hundreds
    > of connections per second to diff. hosts on the Internet to port
    > UDP/1434 (isolated). New worms? DDoS? Is anyone experiencing the same?

    New DDoS worm attacking MSSQL servers through well-known buffer overflow
    vulnerabilities.

    Read the Bugtraq thread "MS SQL WORM IS DESTROYING INTERNET BLOCK PORT
    1434!".

    Make sure your MSSQL 2000 server is patched with SQL Server Service
    Pack 3.

    Some links:
    http://www.kb.cert.org/vuls/id/370308
    http://www.kb.cert.org/vuls/id/399260
    http://www.kb.cert.org/vuls/id/484891
    Some news: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
    Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
    Microsoft Fix:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

    From one of the Bugtraq postings:

    "Some random screen shots, a copy of the worm as a perl script, and a
    disassembly (sorry, no comments) can be found online at:

    http://www.digitaloffense.net/worms/mssql_udp_worm/ "

    Regards

    / Otto Dandenell
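
An added example (not part of the original post or thread): one way to spot, from flow records, the behaviour Dmitri describes, where a single host starts initiating hundreds of UDP/1434 connections per second to different destinations. The record format, the threshold of 100 distinct destinations per second, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime


def build_sample():
    """Constructed flow records: 'ISO-timestamp src dst proto dst_port'."""
    lines = []
    # One host fans out to 300 distinct destinations within a single second.
    for i in range(300):
        lines.append(f"2003-01-25T06:00:01 10.0.0.5 198.18.{i // 250}.{i % 250 + 1} udp 1434")
    # A normal client querying one SQL Server instance once per second.
    for s in range(5):
        lines.append(f"2003-01-25T06:00:0{s} 10.0.0.9 10.0.0.20 udp 1434")
    lines.append("2003-01-25T06:00:01 10.0.0.7 10.0.0.53 udp 53")  # unrelated traffic
    lines.append("malformed line")                                 # must be skipped
    return lines


def find_udp1434_fanout(lines, port=1434, threshold=100):
    """Return {src_ip: peak distinct destinations in any one second} for
    sources whose UDP fan-out to `port` reaches `threshold` (assumed value)."""
    fanout = defaultdict(set)  # (src, second) -> distinct destination IPs
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        if proto.lower() != "udp" or not dport.isdigit() or int(dport) != port:
            continue
        try:
            second = datetime.fromisoformat(ts).replace(microsecond=0)
        except ValueError:
            continue  # unparseable timestamp
        fanout[(src, second)].add(dst)

    peaks = defaultdict(int)
    for (src, _second), dsts in fanout.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_udp1434_fanout(build_sample()).items():
        print(f"{src}: {n} distinct UDP/1434 destinations in one second")
```

Counting distinct destinations rather than raw packets keeps a client that repeatedly queries one SQL Server from being flagged.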



