Re: Increased activity on UDP/1434

From: Dejan (sneaker@freemail.org.mk)
Date: 01/25/03

    From: "Dejan" <sneaker@freemail.org.mk>
    To: <incidents@securityfocus.com>
    Date: Sat, 25 Jan 2003 15:44:23 +0100
    
    

    It is an MS SQL worm spreading very fast.
    Blocking UDP/1434 and patching SQL 2000 servers that have public IPs
    will solve the problem.
    Link for Microsoft's fix:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

    deJan

    ----- Original Message -----
    From: "Dmitri Smirnov" <Dmitri.Smirnov@fusepoint.com>
    To: <incidents@securityfocus.com>
    Sent: Saturday, January 25, 2003 8:05 AM
    Subject: Increased activity on UDP/1434

    Having a big number of connections on UDP/1434 from random IPs on the
    Internet on different networks. One hour ago (22:00 PST) one server in
    colo space started to initiate hundreds of connections per second to
    diff. hosts on the Internet to port UDP/1434 (isolated).
    New worms? DDoS? Is anyone experiencing the same?

    Dmitri Smirnov, SSCP
    Security Team
    Fusepoint Managed Services Inc.
    Suite 2323, Three Bentall Centre
    595 Burrard Street
    P.O. Box 49336
    Vancouver B.C. V7X 1L4
    Phone: (604) 687-7757
    Fax: (604) 687-7761
    Email: Dmitri.Smirnov@fusepoint.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
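
Added example, not part of the original messages: a minimal check over flow records for the pattern reported in this thread, an internal host sending UDP/1434 to many distinct destinations within one second. The record format, the 10.0.0.0/8 internal range, the 100-destination threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PORT = 1434                                       # UDP port named in the thread
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed local address space


def parse_flow(line):
    """Parse '<epoch> <src> <dst> <proto> <dport>'; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (int(float(parts[0])), ipaddress.ip_address(parts[1]),
                parts[2], parts[3].lower(), int(parts[4]))
    except ValueError:
        return None


def fanout_sources(lines, min_dsts=100):
    """Peak distinct UDP/1434 destinations per second for each internal source."""
    per_second = defaultdict(set)                 # (src, second) -> destinations
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                              # skip malformed records
        ts, src, dst, proto, dport = rec
        if proto == "udp" and dport == PORT and src in INTERNAL:
            per_second[(str(src), ts)].add(dst)
    peaks = defaultdict(int)
    for (src, _), dsts in per_second.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= min_dsts}


def sample_flows():
    """Constructed records: one host fanning out, plus traffic to ignore."""
    nets = ("198.51.100", "203.0.113")            # documentation ranges
    flows = [f"1043474400.{i:03d} 10.0.0.5 {nets[i // 150]}.{i % 150 + 1} udp 1434"
             for i in range(300)]
    flows += ["1043474400.5 10.0.0.9 10.0.0.20 udp 1434",   # single lookup
              "1043474400.7 192.0.2.8 10.0.0.5 udp 1434",   # inbound probe
              "1043474401.0 10.0.0.9 192.0.2.1 tcp 1434",   # wrong protocol
              "truncated record"]
    return flows


if __name__ == "__main__":
    print(fanout_sources(sample_flows()))
```

Only sources inside the assumed internal range are reported, since those are the hosts to isolate and patch; inbound probes are handled by the UDP/1434 block at the perimeter.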
