Bugtraq mailing list archives
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 25 Jan 2003 18:27:25 -0500
Yes, the 150DaySQLwurm (my new name for it, since we all get to make up names today) does affect MSDE. And there's no SP3 for MSDE, but I've installed the latest wrap-up patch and the resolver patch and either one seemed to do it. You have to be careful that you:

1. Make sure SQL Server is not running while you copy over the files that install the patch
2. Copy the files onto all the instances of SQL server you have installed
3. Reboot before restarting SQL Server

You should be careful (on both MSDE and SQL Server 2000) not to install just the patch for the resolver overflow, since you will then still be vulnerable to the Hello bug. Of course, if you're still vulnerable to either, you are most definitely already owned, and likely should reinstall Windows to unload whatever kernel trojans are fighting over your internal data.

If anyone writes a worm for the Hello bug, I hereby pre-name it the "Yo G! What's up! SQL!" worm.

Dave Aitel
Immunity, Inc.

On Sat, 25 Jan 2003 13:56:36 -0500 "trent dilkie" <trent () dilkie com> wrote:
Can anybody confirm that this worm is spreading on the Desktop Engine too? (MSDE)

Thanks,
Trent.

-----Original Message-----
From: H D Moore [mailto:sflist () digitaloffense net]
Sent: Saturday, January 25, 2003 6:49 AM
To: bugtraq () securityfocus com
Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

A worm which exploits a (new?) vulnerability in SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target; each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts).

Some random screen shots, a copy of the worm as a perl script, and a disassembly (sorry, no comments) can be found online at:

http://www.digitaloffense.net/worms/mssql_udp_worm/

-HD

On Saturday 25 January 2003 01:11, Michael Bacarella wrote:

I'm getting massive packet loss to various points on the globe. I am seeing a lot of these in my tcpdump output on each host.

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence.

All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!

I make no guarantees that this information is correct, test it out for yourself!

-------------------------------------------------------
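A defender-side check for the traffic pattern reported in the thread above (376-byte UDP datagrams to port 1434 sent to many different hosts), as an added example that is not part of any poster's message. The function name `suspected_sources`, the `min_targets` threshold and the sample capture lines are assumptions made for illustration; the line format follows the tcpdump output quoted in the thread.

```python
import re
from collections import defaultdict

# Old-style tcpdump UDP line, as in the capture quoted in the thread:
#   HH:MM:SS.usec SRC_IP.SPORT > DST_IP.DPORT: udp LEN
LINE_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.[\w-]+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.([\w-]+): udp (\d+)"
)
SQL_MONITOR_PORTS = {"1434", "ms-sql-m"}  # numeric (-n) or resolved service name
WORM_PAYLOAD_LEN = 376                    # UDP payload size reported in the thread


def suspected_sources(lines, min_targets=3):
    """Return {src_ip: distinct_destination_count} for hosts that sent
    376-byte UDP datagrams to port 1434 on at least min_targets hosts.
    min_targets is an assumed threshold; tune it for your network."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ICMP unreachables and non-UDP lines do not match
        src, dst, dport, length = m.groups()
        if dport in SQL_MONITOR_PORTS and int(length) == WORM_PAYLOAD_LEN:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
02:06:31.017088 192.0.2.10.3047 > 198.51.100.1.ms-sql-m: udp 376
02:06:31.017244 198.51.100.1 > 192.0.2.10: icmp: 198.51.100.1 udp port ms-sql-m unreachable
02:06:31.018001 192.0.2.10.3047 > 198.51.100.2.1434: udp 376
02:06:31.018950 192.0.2.10.3047 > 203.0.113.77.ms-sql-m: udp 376
02:06:31.020100 192.0.2.10.3047 > 198.51.100.1.ms-sql-m: udp 376
02:06:32.100000 192.0.2.20.1045 > 198.51.100.5.ms-sql-m: udp 1
02:06:32.200000 192.0.2.30.53 > 198.51.100.9.1029: udp 376
02:06:32.300000 192.0.2.40.2211 > 198.51.100.5.1434: udp 376
"""

if __name__ == "__main__":
    for src, count in suspected_sources(SAMPLE.splitlines()).items():
        print(f"{src}: 376-byte UDP to port 1434 on {count} distinct hosts")
```

Lowering `min_targets` to 1 also surfaces hosts seen sending a single matching datagram, which is useful when the capture point only sees a slice of the traffic.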