nanog mailing list archives
Re: New worm / port 1434?
From: Josh Richards <jrichard () cubicle net>
Date: Fri, 24 Jan 2003 22:59:17 -0800
* Avleen Vig <lists-nanog () silverwraith com> [20030124 22:44]:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
A preliminary look at some of our NetFlow data shows a suspect ICMP payload delivered to one of our downstream colo customer boxes followed by a 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random destinations on 1434/udp. This customer typically does about 0.250 Mbit/s so this was a bit out of their profile. :-) Needless to say, we shut them down per a suspected security incident. The ICMP came from 66.214.194.31 though that could quite easily be forged or just another compromised box. We're seeing red to many networks all over the world though our network seems to have quieted down a bit. Sounds like a DDoS in the works. Anyone else able to corroborate/compare notes? -jr ---- Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }> Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
Current thread:
- New worm / port 1434? Avleen Vig (Jan 24)
- Re: New worm / port 1434? Dave Stewart (Jan 24)
- Re: New worm / port 1434? Lloyd Taylor (Jan 25)
- Re: New worm / port 1434? Pete Ashdown (Jan 24)
- Re: New worm / port 1434? Gary Coates (Jan 25)
- Re: New worm / port 1434? Peter van Dijk (Jan 25)
- Re: New worm / port 1434? Dr. Mosh (Jan 25)
- Re: New worm / port 1434? Gary Coates (Jan 25)
- Re: New worm / port 1434? Josh Richards (Jan 25)
- Re: New worm / port 1434? Jake Khuon (Jan 25)
- Re: New worm / port 1434? Josh Richards (Jan 25)
- Re: New worm / port 1434? Mike Tancsa (Jan 25)
- Re: New worm / port 1434? Simon Lockhart (Jan 25)
- Re: New worm / port 1434? Curtis Maurand (Jan 25)
- Re: New worm / port 1434? Adam "Tauvix" Debus (Jan 25)
- Re: New worm / port 1434? Jack Bates (Jan 25)
- Re: New worm / port 1434? Mike Tancsa (Jan 25)
- Re: New worm / port 1434? Simon Lockhart (Jan 25)
- Re: New worm / port 1434? Troy Rader (Jan 25)
- Re: New worm / port 1434? Mark Radabaugh (Jan 25)
(Thread continues...)
- Re: New worm / port 1434? Dave Stewart (Jan 24)