Full Disclosure mailing list archives
Re: The worm author finally revealed!
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 31 Jan 2003 10:44:16 -0600 (CST)
On Fri, 31 Jan 2003, Mark Renouf wrote:
> futureshoks () hushmail com said the following on 1/31/2003 7:53 AM:
> > So saying that there is no excuse to patch blah blah blah doesn't
> > hold true. We have to work within logistical boundaries and do
> > what we can. What do you do if patching isn't viable, the systems
> > have to stay up and development/test resources can't be committed
> > to fixes? In this instance you block port 1434 if you can and
> > hope to God that nothing bad happens.
>
> (Note: this is not directed personally at you, just an observation in general.)
>
> What I don't get, why the sudden urgency to block 1434 all of a sudden... what are your SQL boxes doing listening publicly on ANY FREAKIN PORT AT ALL? IMO not only should SQL boxes be not listening to the internet, they should be firewalled even behind the DMZ, so you'd have to compromise both the web servers and them to do anything nasty...
>
> This goes FAR beyond forgetting to install a simple patch, I think it shows just how many people out there have no port filtering in place and probably check off "full install" on their windows servers without a second thought. It also shows how many companies could give two shits about patching and firewalling important boxes internally. It only takes one. In our case we were infected by Corporate Central via the VPN tunnel. *sigh*
As mentioned in another list, all this trouble M$ folks have with patching, and indeed it seems a crazy mess in the windows world, whence various badly compiled patches will back you out of fixes from the previous patch, as well as the issues of what third party software might do the same as well as make you open to a potential vuln you weren't subject to prior, sheesh the list goes on, we need to pity these poor windows admins. Russ Cooper had a few posts in ntbugtraq outlining the complexity with just the windows base OS upgrades, let alone 3rd party stuff...

But, as goes port 1434, it should have been blocked in the first SQL go round last summer when 1433 was the more active attack vector, but, there were hints about 1434. And outlines that even in this day, hardened dmz/exposed machines as well as a strongly defined and maintained perimeter are a must.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
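The segmentation rule both posters are arguing for (SQL boxes reachable only from the web tier, never from the Internet, the VPN or the rest of the corporate LAN), as an added example that is not part of this thread: a small audit that flags constructed flow records that break the rule. The address ranges and the flow records are assumed for the example, not taken from any real network.

```python
import ipaddress

# MS SQL listeners the thread is about: the TCP service port and the
# UDP resolution service that the worm hit.
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}

# Hypothetical address plan (assumed for this example); first match wins,
# so the more specific VPN range is listed before the corporate /8.
ZONES = [
    ("dmz_web", ipaddress.ip_network("192.0.2.0/24")),
    ("internal_sql", ipaddress.ip_network("10.10.20.0/24")),
    ("vpn", ipaddress.ip_network("10.200.0.0/16")),
    ("corp", ipaddress.ip_network("10.0.0.0/8")),
]

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything unmatched is treated as Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"

def sql_violations(flows):
    """Return every flow to an SQL port that the segmentation rule forbids.

    The only permitted SQL traffic is web tier -> SQL segment. Anything
    else (Internet, VPN, corporate LAN, or an SQL listener sitting on a
    DMZ host) is reported together with the zone pair that makes it wrong.
    """
    bad = []
    for src, dst, proto, dport in flows:
        if (proto, dport) not in SQL_PORTS:
            continue
        pair = (zone_of(src), zone_of(dst))
        if pair != ("dmz_web", "internal_sql"):
            bad.append({"src": src, "dst": dst, "proto": proto,
                        "dport": dport, "zones": pair})
    return bad

# Constructed flow records (src, dst, proto, dst_port), not real traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.10.20.5", "tcp", 1433),     # web -> SQL: allowed
    ("198.51.100.77", "192.0.2.10", "tcp", 80),    # Internet -> web: not SQL
    ("198.51.100.77", "10.10.20.5", "udp", 1434),  # Internet -> SQL: the worm's path
    ("10.200.3.4", "10.10.20.5", "udp", 1434),     # VPN -> SQL: "Corporate Central via the VPN"
    ("10.5.5.5", "10.10.20.5", "tcp", 1433),       # corporate LAN -> SQL
    ("198.51.100.77", "192.0.2.30", "udp", 1434),  # SQL listening on a DMZ host
]

if __name__ == "__main__":
    for v in sql_violations(SAMPLE_FLOWS):
        print(f"DENY {v['proto']}/{v['dport']} {v['src']} -> {v['dst']} "
              f"({v['zones'][0]} -> {v['zones'][1]})")
```

Feeding real flow or firewall logs through `sql_violations` shows at a glance which hosts could still reach the SQL segment if the patch is not on yet.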