Re: Why does sql 2000 scream to the world ... how do you shut this thing up?

From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 10/13/03

    Date: Mon, 13 Oct 2003 09:05:55 -0600
    
    

    It's based on the SQL Server Resolution Service running on
    UDP port 1434.

    -Sue

    On Tue, 14 Oct 2003 00:23:11 +1000, "Ron"
    <ron@physiologic.com.au> wrote:

    >good, yes, but how does the slammer 'world' know I've got 2000 'cos it only
    >attempts entry when 2000 is running ... turn it off no attacks
    >
    >what's letting it know to try to enter the system?
    >ron
    >
    >"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
    >news:6aalovs5dnpbdd0ku14erm02ncpqkkuqm9@4ax.com...
    >> SQL Server 7 is not affected by the slammer worm. Slammer
    >> tries to compromise a system through the SQL Server
    >> Resolution Service which is used by SQL Server 2000 to
    >> support multi-instances. SQL 7 doesn't have multi-instances
    >> so it doesn't use this service.
    >>
    >> -Sue
    >>
    >> On Mon, 13 Oct 2003 20:38:09 +1000, "Ron"
    >> <ron@physiologic.com.au> wrote:
    >>
    >> >Hi Neil,
    >> >no, just as I wrote "and every time I start
    >> >SQL2000 by the next morning I've had up to 15 slammer worm attempts!
    >Turn
    >> >it off for a few days (frustrated!) ... no slammer attempts." ...
    >> >
    >> > ... so why do I only get slammer attempts when SQL2000 is running? I've
    >> >just been away for 10 days, SQL7 ran all that time ... not a slammer
    >attempt
    >> >... turned it on last night and had 12 attempts by morning? This has
    >> >happened every time I've turned it on! The firewall reports SQL2000 has
    >> >outgoing info, yet the only enabled protocol is named pipes and connect
    >to
    >> >other computers is unchecked ...
    >> > ... so statistically it could be 'per chance'
    >> >but I think the title for this thread is accurate ... they haven't fixed
    >the
    >> >'bug'
    >> >
    >> >ron
    >> >
    >> >"Neil Pike" <neilpike@compuserve.com> wrote in message
    >> >news:VA.0000614b.0657c7ce@compuserve.com...
    >> >> Ron,
    >> >>
    >> >> You mean you've had 15 attempts (that your firewall blocks) for
    >Slammer
    >> >to get
    >> >> from the internet to your system?
    >> >>
    >> >> If so, that's just life on the internet I'm afraid. As long as the
    >> >firewall
    >> >> blocks them what's the problem? You're always going to have
    >> >hackers/viruses
    >> >> etc. TRYING to get into your systems. If you don't want that then
    >don't
    >> >> connect to the internet.
    >> >>
    >> >> > I have SQL7, have had for 3 years now, sitting behind a Sygate
    >firewall,
    >> >it
    >> >> > talks to a web server when asked to by the active server pages
    >running
    >> >on
    >> >> > the web server on the same machine ... a very simple setup. The
    >firewall
    >> >> > shows no incoming, no outgoing and no attacks registered.
    >> >> > About 2 months ago I added SQL2000 to start to get the feel of it
    >prior
    >> >to
    >> >> > migrating all databases over. I have it at SP3a (2000.080.0760.00),
    >have
    >> >> > ports 1434, 1433, and 2433 blocked in and out to the internet on
    >> >firewall,
    >> >> > have disabled TCP/IP, have clicked 'hide server' ... and every time I
    >> >start
    >> >> > SQL2000 by the next morning I've had up to 15 slammer worm attempts!
    >> >Turn
    >> >> > it off for a few days (frustrated!) ... no slammer attempts.
    >> >> > What do you do to tell this thing to shut up until I ask it to
    >provide
    >> >data
    >> >> > for a web page (no ... I've never connected to it via a web
    >site/page).
    >> >> >
    >> >> > Any help appreciated ...or soon it'll be 'who wants a free copy of
    >> >> > SQL2000Ent ... but I suggest you put it on a standalone so your data
    >> >stays
    >> >> > private!
    >> >> >
    >> >> > Ron in Oz
    >> >> >
    >> >>
    >> >> Neil Pike MVP/MCSE. Protech Computing Ltd
    >> >> Reply here - no email
    >> >> SQL FAQ (484 entries) see
    >> >> http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
    >> >> (faqxxx.zip in lib 7)
    >> >> or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
    >> >> or www.sqlserverfaq.com
    >> >> or www.mssqlserver.com/faq
    >> >>
    >> >
    >>
    >
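
Added example, not part of the original thread: a small classifier for datagrams arriving on UDP 1434, the SQL Server Resolution Service port named in the reply above, separating well-formed lookups from malformed or oversized ones. The opcodes and the 32-byte instance-name limit are taken from the published MS-SQLR protocol; the function names, addresses and sample payloads are constructed for illustration.

```python
from collections import Counter

MAX_INSTANCE_NAME = 32  # bytes, not counting the terminating NUL (MS-SQLR)

OPCODES = {
    0x02: "CLNT_BCAST_EX",    # broadcast: list all instances
    0x03: "CLNT_UCAST_EX",    # unicast: list all instances
    0x04: "CLNT_UCAST_INST",  # unicast: look up one named instance
    0x0F: "CLNT_UCAST_DAC",   # unicast: admin-connection port (later versions)
}

def classify(payload: bytes) -> str:
    """Return 'valid:<opcode>' or 'suspicious:<reason>' for a UDP 1434 payload."""
    if not payload:
        return "suspicious:empty"
    op = payload[0]
    name = OPCODES.get(op)
    if name is None:
        return f"suspicious:unknown-opcode-0x{op:02x}"
    if op in (0x02, 0x03):
        # These requests are a single byte; anything after it is not to spec.
        return f"valid:{name}" if len(payload) == 1 else "suspicious:trailing-data"
    # 0x04 is followed by the instance name; 0x0F by a version byte, then the name.
    body = payload[2:] if op == 0x0F else payload[1:]
    instance = body.split(b"\x00", 1)[0]
    if not instance:
        return "suspicious:missing-instance-name"
    if len(instance) > MAX_INSTANCE_NAME:
        return "suspicious:oversized-instance-name"
    return f"valid:{name}"

def summarize(datagrams):
    """Count verdicts for (source_ip, payload) pairs captured on UDP 1434."""
    return Counter(classify(payload) for _, payload in datagrams)

# Constructed sample capture (documentation address ranges, filler bytes only).
SAMPLES = [
    ("192.0.2.10", b"\x03"),
    ("192.0.2.10", b"\x04MSSQLSERVER\x00"),
    ("198.51.100.7", b"\x04" + b"X" * 64),   # name field longer than the limit
    ("198.51.100.9", b"\x0a"),               # opcode that is not a client request
]

if __name__ == "__main__":
    for verdict, count in sorted(summarize(SAMPLES).items()):
        print(f"{count:3d}  {verdict}")
```

Feed it payloads extracted from a packet capture filtered to destination UDP port 1434; any "suspicious" verdicts coming from the internet side are the traffic the firewall should already be dropping.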

