Bugtraq mailing list archives
RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: "trent dilkie" <trent () dilkie com>
Date: Sat, 25 Jan 2003 13:56:36 -0500
Can anybody confirm that this worm is spreading on the Desktop Engine too? (MSDE)

Thanks,
Trent.

-----Original Message-----
From: H D Moore [mailto:sflist () digitaloffense net]
Sent: Saturday, January 25, 2003 6:49 AM
To: bugtraq () securityfocus com
Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

A worm which exploits a (new?) vulnerability in SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target; each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).

Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at:

http://www.digitaloffense.net/worms/mssql_udp_worm/

-HD

On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> I'm getting massive packet loss to various points on the globe.
>
> I am seeing a lot of these in my tcpdump output on each host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it out for yourself!
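
As an added example (not part of the original messages or the posters' code), the traffic signature described in the thread, a 376-byte UDP datagram to port 1434 (ms-sql-m), can be pulled out of tcpdump text output to list which sources are fanning out to many hosts. The function name, the `min_targets` threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump UDP line: "<time> <src>.<sport> > <dst>.<dport>: udp <len>"
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): udp (?P<len>\d+)"
)
MSSQL_M_PORTS = {"1434", "ms-sql-m"}  # numeric and service-name forms
WORM_PAYLOAD_LEN = 376                # datagram size reported in the thread


def find_suspect_sources(lines, min_targets=3):
    """Return {src_ip: sorted distinct dst_ips} for sources that sent
    376-byte UDP datagrams to port 1434 on at least min_targets hosts.
    min_targets is an assumed threshold; tune it to the capture window."""
    targets = defaultdict(set)
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # ICMP replies, TCP, truncated lines
        if m["dport"] in MSSQL_M_PORTS and int(m["len"]) == WORM_PAYLOAD_LEN:
            targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


# First two lines are the ones quoted in the thread; the rest are constructed
# sample lines using documentation address ranges.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020101 192.0.2.10.1055 > 198.51.100.7.1434: udp 376
02:06:31.020433 192.0.2.10.1055 > 203.0.113.99.1434: udp 376
02:06:31.020790 192.0.2.10.1055 > 198.51.100.200.ms-sql-m: udp 376
02:06:31.031002 192.0.2.25.1900 > 198.51.100.7.1434: udp 1
02:06:31.040000 192.0.2.30.53 > 198.51.100.9.domain: udp 376
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_suspect_sources(SAMPLE).items():
        print(f"{src}: 376-byte UDP/1434 to {len(dsts)} hosts: {', '.join(dsts)}")
```

A source inside your own address space that shows up in this output is a candidate infected host; sources outside it are candidates for the router-level port 1434 block the thread recommends.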