Security Incidents mailing list archives
Re: strange attacks - flood udp packets from 1030 to msql
From: Víctor <ixnay () infonegocio com>
Date: Sat, 25 Jan 2003 21:11:22 +0100
It is the Sapphire worm. For further reference see the Bugtraq list (you can see it online via mail2web systems).

The code of the worm is disassembled here:
http://www.boredom.org/~cstone/worm-annotated.txt
and here:
http://www.digitaloffense.net/worms/mssql_udp_worm/

Simply firewall this:

    PROTO=UDP SPT=1518 DPT=1434
    PROTO=UDP SPT=1032 DPT=1434
    PROTO=UDP SPT=1077 DPT=1434
    PROTO=UDP SPT=4319 DPT=1434

or apply the latest service pack + hotfixes to Microsoft SQL Server 2000:
http://thor.stech.psi.br/ms-update/Q323875_SQL2000_SP2_en.EXE

This is the security fix, downloaded originally from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
but someone said that there are problems because everyone is getting the patch now and the server is full.

Some people are reporting network failures over switches because the worm made so many ICMP packets to broadcast in an attempt to amplify the DDoS. The backbone Internet routers collapsed; we are in one of the most widespread DDoS attacks in all of the Internet's history.

Have a nice day.
Strange behaviour and no clue here why.

A server floods random (??) IP-addresses with udp-packets from iad1 to 1434 (msql), overflowing the external router, yadayadayada. DoS, in short.

Anyone seen this before ??

Uwe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
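Added example, not part of the original posts: one way to find the internal hosts producing the UDP/1434 flood described in this thread, by counting the distinct destinations each source reaches on that port. It assumes netfilter-style LOG lines with the `PROTO=`/`SPT=`/`DPT=` fields quoted above; the sample lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges, not captured traffic).
SAMPLE_LOG = """\
Jan 25 06:31:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=404 PROTO=UDP SPT=1518 DPT=1434 LEN=384
Jan 25 06:31:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 LEN=404 PROTO=UDP SPT=1032 DPT=1434 LEN=384
Jan 25 06:31:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.201 LEN=404 PROTO=UDP SPT=1077 DPT=1434 LEN=384
Jan 25 06:31:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.14 LEN=404 PROTO=UDP SPT=4319 DPT=1434 LEN=384
Jan 25 06:31:03 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=192.0.2.30 LEN=29 PROTO=UDP SPT=3301 DPT=1434 LEN=9
Jan 25 06:31:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=192.0.2.30 LEN=60 PROTO=TCP SPT=3302 DPT=1433
Jan 25 06:31:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.40 DST=198.51.100.53 LEN=71 PROTO=UDP SPT=1030 DPT=53 LEN=51
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def parse(line):
    """Return the KEY=value fields of one log line (first occurrence wins,
    because LEN appears once for the IP header and once for UDP)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def scanners(lines, port=1434, min_targets=3):
    """Map source IP -> number of distinct destinations it sent UDP/<port> to,
    keeping only sources that reached at least min_targets destinations."""
    targets = defaultdict(set)
    for line in lines:
        f = parse(line)
        if (f.get("PROTO") == "UDP" and f.get("DPT") == str(port)
                and "SRC" in f and "DST" in f):
            targets[f["SRC"]].add(f["DST"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in sorted(scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} sent UDP/1434 to {count} distinct hosts")
```

A host that talks to a single SQL Server on UDP/1434 stays below the threshold, while a flooding host that sprays many addresses is listed and can be isolated before patching.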
Current thread:
- strange attacks - flood udp packets from 1030 to msql Uwe Dippel (Jan 25)
- Re: strange attacks - flood udp packets from 1030 to msql Víctor (Jan 26)
- RE: strange attacks - flood udp packets from 1030 to msql Dan Perez (Jan 26)