Re: strange attacks - flood udp packets from 1030 to msql

From: Víctor (ixnayat_private)
Date: Sat Jan 25 2003 - 12:11:22 PST


    it is the sapphire worm
    for further reference see the bugtraq list (you can see it online via mail2web systems)
    
    the code of the worm is disassembled here
    http://www.boredom.org/~cstone/worm-annotated.txt and here
    http://www.digitaloffense.net/worms/mssql_udp_worm/
    
    simply firewall this
    PROTO=UDP SPT=1518 DPT=1434
    PROTO=UDP SPT=1032 DPT=1434 
    PROTO=UDP SPT=1077 DPT=1434
    PROTO=UDP SPT=4319 DPT=1434
    
    or apply the latest service pack + hotfixes to microsoft sql server 2000
    http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE
    this is the security fix
    download the original from
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp but someone said that there are problems because everyone is getting the patch now and the server is full
    
    there are some people reporting network failures over switches because the worm made so many icmp packets to broadcast in an attempt to amplify the ddos.
    
    the backbone internet routers collapsed, we are in one of the most widespread ddos in all the internet's history
    
    have a nice day
    
    > Strange behaviour and no clue here why.
    > A server floods random (??) IP-addresses with udp-packets from iad1 to
    > 1434 (msql), overflowing the external router,yadayadayada. DoS, in
    > short.
    > Anyone seen this before ??
    > 
    > Uwe
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    

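As an added example (not part of this thread or of either poster's message), a small Python script that parses netfilter log lines in the PROTO=/SPT=/DPT= form quoted above and flags sources that spray UDP/1434 at many distinct destinations, the "random IP-addresses" pattern Uwe describes; the log lines, hosts and interfaces are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed netfilter/iptables log lines (hypothetical hosts and times):
# one internal host spraying UDP/1434 outbound, one inbound probe, some noise.
SAMPLE_LOG = """\
Jan 25 11:02:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
Jan 25 11:02:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=198.51.100.44 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
Jan 25 11:02:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.77 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
Jan 25 11:02:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.210 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
Jan 25 11:02:02 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=10.0.5.20 LEN=404 PROTO=UDP SPT=1518 DPT=1434 LEN=384
Jan 25 11:02:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 25 11:02:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=44123 DPT=80
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Extract src/dst/proto/ports from a netfilter log line; None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["spt"] = int(d["spt"]) if d["spt"] else None  # ICMP has no ports
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d

def find_udp1434_sources(log_text, min_packets=3, min_distinct_dsts=3):
    """Per-source UDP/1434 counts; keep sources whose fan-out to distinct hosts
    looks like worm scanning, not one client talking to one SQL server."""
    packets = defaultdict(int)
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dpt"] == 1434:
            packets[rec["src"]] += 1
            dsts[rec["src"]].add(rec["dst"])
    return {
        src: (packets[src], len(dsts[src]))
        for src in packets
        if packets[src] >= min_packets and len(dsts[src]) >= min_distinct_dsts
    }

if __name__ == "__main__":
    for src, (n, fanout) in find_udp1434_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} UDP/1434 packets to {fanout} hosts, isolate and patch it")
```

Run it against the output of a LOG rule for UDP dport 1434 on the gateway; sources it flags on the inside interface are the hosts to pull off the network before applying MS02-039.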


    This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 20:16:13 PST