is the sapphire worm for further reference see the bugtraq list (you can see it online via mail2web systems) the code of the worm is disasembled here http://www.boredom.org/~cstone/worm-annotated.txt and here http://www.digitaloffense.net/worms/mssql_udp_worm/ simply firewall this PROTO=UDP SPT=1518 DPT=1434 PROTO=UDP SPT=1032 DPT=1434 PROTO=UDP SPT=1077 DPT=1434 PROTO=UDP SPT=4319 DPT=1434 or apply the last service pack+hostfixes to microsoft sql server 2000 http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE this is the security fix download original from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp but someone is said that there are problems because all people are getting the patch now and the server is full there are some people reporting network failures over switches because the worm made so much icmp packets to broadcast in a intend to amplify th ddos. the backbone internet routers were collapsed, we are in one of the most wirespread ddos in all the internet's history have a nice day > Strange behaviour and no clue here why. > A server floods random (??) IP-addresses with udp-packets from iad1 to > 1434 (msql), overflowing the external router,yadayadayada. DoS, in > short. > Anyone seen this before ?? > > Uwe > > __________________________________________________ > Do you Yahoo!? > Yahoo! Mail Plus - Powerful. Affordable. Sign up now. > http://mailplus.yahoo.com > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 20:16:13 PST