Re: Massive SQL Server attack

From: "Bob A. Schelfhout Aubertijn MCSE" <bobsklfk@NOSPAMquicknet.nl>
Date: Sat, 25 Jan 2003 14:58:46 +0100


Here's what TruSecure has gathered so far;

1. SQL Server 2000 and Microsoft SQL Desktop Engine (MSDE) 2000 are
affected

2. MS02-039 patches the vulnerability this new worm is attacking. This
fix is also included in SQL Server SP3.

3. Anyone who took the appropriate actions to protect against SQL-Spida
is protected against this worm. Those actions included;

a) Blocking inbound access to UDP1434, the SQL Server 2000 Resolution
Service port. This port is similar to the RPC End Point Mapper port
(TCP135) which redirects client requests for a server service to a
dynamically allocated port.

b) Patching

4. The biggest effect so far appears to be the amount of traffic
generated. Some reports indicate as much as 500Mbps of traffic caused by
this worm. No reports of the compromised systems being damaged have been
sent (so far). Overall Internet Latency was seriously affected
overnight, but it appears to be recovering;

http://average.miq.net/

5. Microsoft, the White House, the FBI, and CERT have all been notified;

http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2

6. I personally have received over 10,000 attacks between midnight
(eastern) and 6:00am.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

--
Bob A. Schelfhout Aubertijn
======================================================
Please reply to the newsgroup only so that others can learn from this issue.
This message is provided "as is", with absolutely no warranties.
If this post or another solves your problem in any way, or gives you new ideas,
please have the common decency to inform the newsgroup of your farings.
We don't charge extra for being polite.  ;-)
======================================================
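An added example, not part of the original post: one way to triage gateway logs for the UDP 1434 traffic described in items 3a and 4, separating outside sources hitting the port from internal hosts that are themselves sending to many outside addresses. The log lines are constructed in netfilter LOG style, and the internal network `192.0.2.0/24`, the function name `summarize` and the `fanout_threshold` parameter are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = """\
Jan 25 00:31:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1045 DPT=1434
Jan 25 00:31:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=1045 DPT=1434
Jan 25 00:31:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=1433
Jan 25 00:31:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.50 PROTO=UDP SPT=1100 DPT=1434
Jan 25 00:31:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.51 PROTO=UDP SPT=1100 DPT=1434
Jan 25 00:31:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.99 PROTO=UDP SPT=1100 DPT=1434
Jan 25 00:31:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=2200 DPT=1434
Jan 25 00:31:07 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.30 DST=203.0.113.50 PROTO=UDP SPT=1300 DPT=53
Jan 25 00:31:09 gw kernel: IN=eth0 OUT= SRC=not-an-ip DST=192.0.2.10 PROTO=UDP SPT=1 DPT=1434
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def summarize(log_text, internal_net="192.0.2.0/24", fanout_threshold=3):
    """Return (inbound hit counts per outside source, internal hosts to check).

    An internal host is listed when it sent UDP/1434 packets to at least
    fanout_threshold distinct outside addresses.
    """
    net = ipaddress.ip_network(internal_net)
    inbound = defaultdict(int)    # outside source -> packets aimed at UDP/1434
    outbound = defaultdict(set)   # internal source -> distinct outside targets
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "UDP" or fields.get("DPT") != "1434":
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed lines
        if src in net and dst not in net:
            outbound[str(src)].add(str(dst))
        elif src not in net and dst in net:
            inbound[str(src)] += 1
    suspects = sorted(h for h, d in outbound.items() if len(d) >= fanout_threshold)
    return dict(inbound), suspects


if __name__ == "__main__":
    hits, suspects = summarize(SAMPLE_LOG)
    print("inbound UDP/1434 by source:", hits)
    print("internal hosts to check and patch:", suspects)
```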

