Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Carlos Eduardo Vianna (cviannaat_private)
Date: Sat Jan 25 2003 - 03:23:01 PST

    In-Reply-To: <20030125021141.A23211at_private>
    
    Michael,
    
    You're correct. We started to get flooded at 03:00 AM
    (now it's 09:20 am down here), and found the solution
    about 30 min after: shutting down all W2K SQLs. Now we
    have all 1434 and 1433 blocked. 1433 seems to be
    important too.
    
    Please check this: 
    
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
    
    We had trouble downloading the patch.. too busy. I got
    it now, and made a mirror. Please feel free to get it
    and patch your SQL 2k.
    
    http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE
    
    
    Regards
    Carlos Eduardo Vianna - cviannaat_private
    SouthTech Internet DataCenter
    http://www.stech.net.br/
    
    
    >Date: Sat, 25 Jan 2003 02:11:41 -0500
    >From: Michael Bacarella <mbacat_private>
    >To: nylug-talkat_private, wwwacat_private,
    >	linux-elitistsat_private
    >Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
    >
    >I'm getting massive packet loss to various points on the globe.
    >I am seeing a lot of these in my tcpdump output on each
    >host.
    >
    >02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
    >02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
    >
    >It looks like there's a worm affecting MS SQL Server which is
    >pingflooding addresses at some random sequence.
    >
    >All admins with access to routers should block port 1434 (ms-sql-m)!
    >
    >Everyone running MS SQL Server shut it the hell down or make
    >sure it can't access the internet proper!
    >
    >I make no guarantees that this information is correct, test it
    >out for yourself!
    >
    >-- 
    >Michael Bacarella                  24/7 phone: 646 641-8662
    >Netgraft Corporation                  http://netgraft.com/
    >      "unique technologies to empower your business"
    >
    >Finger email address for public key.  Key fingerprint:
    >  C40C CB1E D2F6 7628 6308  F554 7A68 A5CF 0BD8 C055
    >
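Added example, not part of either message: a small Python filter that reads tcpdump text output in the format quoted above and reports sources sending 376-byte UDP datagrams to port 1434 (ms-sql-m) on several distinct hosts. The `min_targets` threshold, the function names and the sample capture (documentation address ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line, as quoted in the message above:
#   HH:MM:SS.us SRC.SPORT > DST.DPORT:  udp LEN
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w[\w-]*)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w[\w-]*):\s+udp\s+(?P<len>\d+)"
)
SQL_MONITOR_PORTS = {"1434", "ms-sql-m"}  # service name is printed unless tcpdump runs with -n
PAYLOAD_LEN = 376                          # UDP payload size seen in the quoted capture


def parse_line(line):
    """Return (src, dst, length) for a UDP datagram to port 1434, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("dport") not in SQL_MONITOR_PORTS:
        return None
    return m.group("src"), m.group("dst"), int(m.group("len"))


def suspect_sources(lines, min_targets=3):
    """Sources sending 376-byte datagrams to port 1434 on >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit and hit[2] == PAYLOAD_LEN:
            targets[hit[0]].add(hit[1])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
02:06:31.017088 192.0.2.17.3047 > 198.51.100.10.ms-sql-m:  udp 376
02:06:31.017244 198.51.100.10 > 192.0.2.17: icmp: 198.51.100.10 udp port ms-sql-m unreachable
02:06:31.020113 192.0.2.17.3047 > 198.51.100.77.1434:  udp 376
02:06:31.020950 192.0.2.17.3047 > 203.0.113.5.ms-sql-m:  udp 376
02:06:31.031402 192.0.2.44.1060 > 198.51.100.10.ms-sql-m:  udp 24
02:06:31.040007 192.0.2.50.53 > 198.51.100.10.1029:  udp 120
""".splitlines()

if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE).items():
        print(f"{src}: {PAYLOAD_LEN}-byte UDP to port 1434 on {n} distinct hosts")
```

Sources flagged on an internal network are candidates for the shutdown and patching described in the reply; the ICMP unreachable lines are ignored because they carry no source port.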
    


