Date: Sat, 25 Jan 2003 04:20:07 -0500
From: Jeremy Kister <[email protected]>
To: [email protected]
Subject: Fw: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, TCP/IP, et al.).
There are two problems that yield the ability to execute code remotely while
unauthenticated.
-------------------------------------------------------
Jeremy Kister
www.jeremykister.com
PGP: http://www.jeremykister.com/jeremy/public_key.asc
-------------------------------------------------------
-----Original Message-----
From: Michael Bacarella [mailto:[email protected]]
Sent: Saturday, January 25, 2003 2:12 AM
To: [email protected]; [email protected]; [email protected]
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
>
> --
> Michael Bacarella 24/7 phone: 646 641-8662
> Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
> Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
>
>
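
Added example, not part of either message above: a small triage script that reads tcpdump text output in the format quoted in the report and lists sources sending UDP datagrams to 1434/udp (ms-sql-m) at several distinct destinations. The function names, the `min_targets` threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line: "time src.sport > dst.dport: udp LEN"
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.[\w-]+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)"
)
# tcpdump prints either the port number or the service name
SQL_MONITOR = {"1434", "ms-sql-m"}

def parse(line):
    """Return (src, dst, length) for a UDP datagram to 1434/udp, else None."""
    m = LINE.match(line.strip())
    if not m or m.group("dport") not in SQL_MONITOR:
        return None
    return m.group("src"), m.group("dst"), int(m.group("len"))

def suspects(lines, min_targets=3):
    """Map each source that hit >= min_targets distinct hosts on 1434/udp
    to its target count and the datagram sizes it sent."""
    targets, sizes = defaultdict(set), defaultdict(set)
    for line in lines:
        hit = parse(line)
        if hit:
            src, dst, length = hit
            targets[src].add(dst)
            sizes[src].add(length)
    return {
        src: {"targets": len(dsts), "sizes": sorted(sizes[src])}
        for src, dsts in targets.items() if len(dsts) >= min_targets
    }

# First two lines are from the report above; the rest are constructed,
# using documentation address ranges.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020000 192.0.2.10.1045 > 198.51.100.1.1434: udp 376
02:06:31.020100 192.0.2.10.1045 > 198.51.100.77.1434: udp 376
02:06:31.020200 192.0.2.10.1045 > 203.0.113.9.1434: udp 376
02:06:31.030000 192.0.2.20.5353 > 198.51.100.1.domain: udp 40
""".splitlines()

if __name__ == "__main__":
    for src, info in suspects(SAMPLE).items():
        print(src, info)
```

A source inside your own address space that shows up in this output is a host to isolate and patch; an outside source is a candidate for the port 1434 filter the report asks for.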