Bugtraq mailing list archives
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: "Geoff Shively" <gshively () pivx com>
Date: Sat, 25 Jan 2003 01:17:51 -0800
Just to affirm this data, several of our servers are trapping the same packet(s).

This worm has gained much power in a small amount of time and once again, has hit overnight and on a weekend. It is important that we raise immediate awareness relating to this worm that we have internally dubbed 'SQ_Hell'.

Seemingly stems from this advisory by NGSSoftware Insight Security:
http://www.nextgenss.com/advisories/mssql-udp.txt

"Microsoft's database server SQL Server 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server."

Additional Data:
Qh.dllhel32hkernQhounthickChGeTf.llQh32.dhws2_f.etsockf.to.Qhsend

Cheers,
Geoff Shively, CHO
PivX Solutions
http://www.pivx.com

----- Original Message -----
From: "Michael Bacarella" <mbac () netgraft com>
To: <nylug-talk () nylug org>; <wwwac () lists wwwac org>; <linux-elitists () zgp org>
Sent: Friday, January 24, 2003 11:11 PM
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

I'm getting massive packet loss to various points on the globe.

I am seeing a lot of these in my tcpdump output on each host.

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence.

All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!

I make no guarantees that this information is correct, test it out for yourself!

--
Michael Bacarella
24/7 phone: 646 641-8662
Netgraft Corporation
http://netgraft.com/
"unique technologies to empower your business"
Finger email address for public key.
Key fingerprint: C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
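
The tcpdump pattern in the original message above (376-byte UDP datagrams to ms-sql-m) can be tallied per source to separate outside probes from local hosts that are themselves sending it. This is an added example, not part of either post; the 192.0.2.0/24 local prefix, the `min_targets` threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Old-style tcpdump UDP line: "HH:MM:SS.us SRC.sport > DST.dport: udp LEN"
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.[\w-]+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): udp (?P<len>\d+)"
)
SQL_MONITOR_PORTS = {"ms-sql-m", "1434"}  # service name, or number with tcpdump -n
PROBE_LEN = 376  # UDP payload length shown in the capture in the post


def summarize(lines, local_net, min_targets=3):
    """Return (outside_sources, suspected_local_senders) for the 376-byte datagram."""
    net = ip_network(local_net)
    targets = defaultdict(set)  # source address -> distinct destinations
    for line in lines:
        m = LINE.match(line.strip())
        if not m:  # ICMP replies, wrapped or truncated lines
            continue
        if m["dport"] not in SQL_MONITOR_PORTS or int(m["len"]) != PROBE_LEN:
            continue  # other UDP traffic, or port 1434 traffic of a different size
        targets[m["src"]].add(m["dst"])
    outside = sorted(s for s in targets if ip_address(s) not in net)
    # A local host sending this datagram to several distinct addresses needs isolating.
    local = sorted(s for s, dsts in targets.items()
                   if ip_address(s) in net and len(dsts) >= min_targets)
    return outside, local


# First two lines are from the post; the rest are constructed (documentation ranges).
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020100 203.0.113.77.1060 > 192.0.2.14.1434: udp 376
02:06:31.020350 192.0.2.50.1033 > 198.51.100.7.ms-sql-m: udp 376
02:06:31.020351 192.0.2.50.1033 > 203.0.113.9.ms-sql-m: udp 376
02:06:31.020352 192.0.2.50.1033 > 198.51.100.200.ms-sql-m: udp 376
02:06:31.030000 192.0.2.60.1100 > 192.0.2.14.ms-sql-m: udp 5
02:06:31.040000 192.0.2.50.1029 > 198.51.100.53.domain: udp 40
""".splitlines()

if __name__ == "__main__":
    outside, local = summarize(SAMPLE, "192.0.2.0/24")  # assumed local prefix
    print("outside sources:", outside)
    print("local hosts to isolate:", local)
```

Feed it live output with `tcpdump -l udp port 1434`, adjusting the regular expression if your tcpdump version prints a different line format.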