Bugtraq mailing list archives
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: Umit Tiric <umitt () softcom biz>
Date: 25 Jan 2003 11:17:29 -0000
In-Reply-To: <20030125021141.A23211 () romulus netgraft com>

We can confirm it here in Toronto, Canada. Even though the effect was minimal to us, we saw many major networks disappear on the Internet. The effect is like a LAN denial of service attack. The requests are distributed over port 1434 UDP to multicast addresses. If the multicast on the router is enabled, this can multiply the effect to WAN.

You have to patch your MS-SQL Server to the highest service pack. But, here is the funny thing, we had a MS-Project Server 2002 installed on a test machine with MSDE running. There is no service pack 3 for MSDE 2000 yet, but there is a hotfix to solve the problem. That hotfix requires service pack 2. When we tried to install service pack 2 for MSDE, it gave an error. On the Microsoft web site, it says that SOME! of the MSDE installations require the service pack 2 to be installed only from an update CD but not from the Internet.

I think it's going to be a while for all the networks to install these patches properly to stop these attacks. Meanwhile I also recommend the sys admins to block the outgoing 1434 TCP/UDP as well. Incoming blocking might protect some of your servers but if you are already affected, at least try to contain this in your LAN by blocking the outgoing ports.

I hope someone will reverse engineer this worm and tell us exactly what it did.

Umit
It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)! Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper! I make no guarantees that this information is correct, test it out for yourself!
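An added example, not part of the original posts: one way to find which LAN hosts need patching and egress blocking is to look for internal sources sending port 1434 traffic to many addresses outside the LAN. The flow-record format, the 10.0.0.0/24 range, the threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 udp 1434
10.0.0.5 203.0.113.9 udp 1434
10.0.0.5 192.0.2.44 udp 1434
10.0.0.5 10.0.0.9 udp 1434
10.0.0.8 10.0.0.20 udp 1434
10.0.0.8 10.0.0.20 tcp 1433
10.0.0.12 198.51.100.7 udp 53
"""

LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range
PORT = 1434                                 # ms-sql-m, the port named in the thread
THRESHOLD = 3                               # assumed: distinct outside targets before flagging


def outbound_1434_sources(flow_text, lan=LAN, threshold=THRESHOLD):
    """Return {internal_src: sorted outside destinations} for hosts that sent
    port-1434 traffic to at least `threshold` distinct addresses outside `lan`."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if proto.lower() not in ("udp", "tcp") or port != PORT:
            continue
        # Only traffic leaving the LAN matters for egress containment.
        if src_ip in lan and dst_ip not in lan:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, dsts in outbound_1434_sources(SAMPLE_FLOWS).items():
        print(f"{host}: port {PORT} traffic to {len(dsts)} outside hosts, check patch level")
```

Legitimate internal SQL Server traffic (10.0.0.8 in the sample) stays inside the LAN and is not flagged.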