Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool

From: neo techopolis (ne0@collusion.org)
Date: 01/31/03

• Next message: Benn Wolff: "Re: I need Ideas on securing a remote Win2k machine"
• Previous message: Benn Wolff: "Re: Who's blocking these ports? Please help..."
• In reply to: Bill Sanderson: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• Next in thread: Jerry Bryant [MSFT]: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: ne0@collusion.org (neo techopolis)
Date: 30 Jan 2003 22:35:04 -0800

Yup, that's right. The CPU is stuck recycling 10 operations and
spewing out packets over UDP. Since UDP is connectionless there is
very little time between packets. UDP doesn't even have the timing
latency of connection construction and destruction. That's why it
could spread so quickly. In fact the design was so optimized that it
didn't even carry a destructive payload.
If a tool were constructed to work over tcp 1433/1434 it is possible
that the tool could connect but only provided the CPU isn't
overwhelmed. All the evidence I've seen shows processors at 99% while
the worm is infecting other machines.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:<uepEkyKyCHA.2132@TK2MSFTNGP11>...
> Bear in mind that eEye's tool, while very useful, won't detect an already
> infected host. No network scanning tool looking at the SQL ports will, I
> believe.
>
> "neo techopolis" <ne0@collusion.org> wrote in message
> news:4db46b8d.0301301358.1bcf0b9c@posting.google.com...
> > It only scans the HOST? Are you kidding? You've had DAYS to work on
> > this and you produce this utility. There are tons of REAL tools out
> > there to help diagnose vulnerability posture. Try eEye's Sapphire
> > worm scanner. (http://www.eeye.com/html/Research/Tools/SapphireSQL.html)
> > The freeware version scans 256 IP's at a time. HFNetCheck has a
> > similar scanner but it only checks registry keys (eg you must have
> > administrative priv's). eEye's is the only one I know of that figured
> > out how to do this w/out admin priv's and it's a bit more accurate
> >
> > "Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
> > news:<OgkKKfHyCHA.2916@TK2MSFTNGP09>...
> > > Please read below for information about this tool. For discussions on
> > > this
> > > tool, please go to:
> > >
> > > microsoft.public.sqlserver.securitytools
> > >
> > > --
> > > Regards,
> > >
> > > Jerry Bryant - MCSE, MCDBA
> > > Microsoft IT Communities
> > >
> > > Get Secure! www.microsoft.com/security
> > >
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > "Euan Garden[MS]" <euang@online.microsoft.com> wrote in message
> > > news:uKNPW2CyCHA.2196@TK2MSFTNGP10...
> > > > SQL Server 2000 SQL Scan Tool (SQL Scan)
> > > > This utility scans an individual computer, a Windows domain, or a
> > > > range of
> > > > IP addresses for instances of SQL Server 2000 and MSDE 2000, and
> identifies
> > > > instances that may be vulnerable to the Slammer worm. SQL Scan runs on
> > > > computers running Windows 2000 or higher and can identify instances
> running
> > > > on Windows NT 4.0, Windows 2000, or Windows XP.
> > > >
> > > > http://www.microsoft.com/sql/downloads/securitytools.asp
> > > >
> > > > Please direct any questions you have on this tool to
> > > > microsoft.public.sqlserver.securitytools or to Microsoft Product
> > > > Support
> > > > Services.
> > > >
> > > > --
> > > > -Euan
> > > >
> > > > Please reply only to the newsgroup so that others can benefit. When
> posting,
> > > > please state the version of SQL Server being used and the error
> number/exact
> > > > error message text received, if any.
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > > >
> > > >
> > > >

• Next message: Benn Wolff: "Re: I need Ideas on securing a remote Win2k machine"
• Previous message: Benn Wolff: "Re: Who's blocking these ports? Please help..."
• In reply to: Bill Sanderson: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• Next in thread: Jerry Bryant [MSFT]: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool ... Since UDP is connectionless there is ... very little time between packets. ... that the tool could connect but only provided the CPU isn't ... (microsoft.public.security) Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool ... Since UDP is connectionless there is ... very little time between packets. ... that the tool could connect but only provided the CPU isn't ... (microsoft.public.windowsxp.security_admin) Re: Netgear RP614 leaking ... connectionless, and that there could not be a "returned packet", except by the remote host making a UDP transmission to a listening port at the destination. ... The router keeps track of outgoing UDP packets as if they created a connection, and allows incoming reply packets that match that "connection". ... (comp.os.linux.networking) Re: Asynch Sockets over UDP: How do you Know when a socket dissconnects ... UDP is unreliable and *connectionless*. ... but the packets may simply disappear into the ether. ... That is, at the low level of the BSD socket API, ... (microsoft.public.dotnet.languages.csharp) Re: UPD better than TCP in streaming video/audio ? ... > UDP gains speed over TCP because it carries no information that would ... it doesn't even know that packets were lost. ... which is perfect for UDP. ... > Finally, there's the possibility of multicast data - for instance, a live ... (microsoft.public.win32.programmer.networks)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint