Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."

Most science fiction

[Amsterdam+Vallon]

Seems to use neither science nor fiction.

I find that most stories I peruse contain such far-out "scientific principles" that the events that occur could never happen anywhere on this planet.

Then again, some parts (even in Doctorow's 0wnz0red series) are simply stolen facts from things that have already happened and been talked about in the news.

I find it ironic that the best new science fiction works are not science and barely contain any fiction.

Re:Most science fiction

[nEoN+nOoDlE]

as Kurt Vonnegut once said (paraphrased), good science fiction writers don't know anything about science. Personally, I would agree with him since Vonnegut is my favorite writer and I read science fiction not for the scientific facts, but for the writers interpretation of the "human condition" with perhaps the future or some crazy invention thrown in as a plot device. If I wanted a view of the future, I'd read science journals.

Re:Most science fiction

[schlach]

I can't figure out why the reaction to the 0wNz0red story in August was so bad on slashdot. I thought it was a very entertaining, enjoyable, and thought-provoking read, in the grande style of good science fiction.

I think most of it was a reaction to the language, which strikes me as bizarre. This is how we think! Maybe shutter-geeks are intolerant of words coined after 1960, but I hate to tell you folks, look how many pieces of language we owe to Gibson's contribution.

Check out Tales for the 1337 presents: Romeo & Juliet". That's funny shit, because of the way it illustrates how language is changing with the kids. Before you dismiss them as punks, remember that in ten years they'll be dismissing us as foges.

It's always been the case that language is purely the spoken word, and that writing is only linguistically interesting in the sense that it helps us track the progress of language. That's not exactly what I mean, but close enough. Anyway, what's come to be known as '1337' (but I'll generalize as "chat colloquialisms" b/c ppl ph34r th4t w0rd) is the first time that writing is dictating language. kewl.

When you find yourself saying - outloud - "bbl", or "brb", or "haxor, fuxor, suxor", or "warez, filez, skillz" in 'real life', you know you're part of the change. Hell, when I say "owned" wrt computer security, I know it's spelled with a zero. Writing is leading language in this case, unlike others, because within this particular group of people, writing has become the dominant communication medium. Otherwise, it would follow the same slang-path that you are probably more familiar with, like "cool", "sweet", "rock", etc, which progresses from within spoken circles to the dictionary in an orderly fashion.

Quoth sirinek,

I'd like to thank the submitter of the story for calling it a "weblog" instead of some lame-ass made-up-for-the-sake-of-making-a-name-up name like a "blog" or a "wiki". :)

I'm sure I'm not alone in my praise :)

He's right, he's not alone. But I'm not with him. I have a blog. I blog things on my blog. This comment will probably be blogged in some shape or form. And I'm thinking about starting a wiki for a different project. 'Wiki' is the only word there is for a wiki. The only way I can think of to avoid using it is to not think about the idea that 'wiki' represents ... which just seems faulty.

Interrobang,

It's nice to see someone play with language, and it's nice to see someone who apparently knows a little bit of something (instead of a whole lot of nothing) about computers writing speculative fiction, for a change. Or don't you guys get a little bit annoyed about totally impossible (instead of wildly improbable) computers (and/or technology) in speculative fiction?

Aren't we progressive? Aren't we adaptive? I've got a lot of hope riding on this generation of geeks, to look forward to the future, optimizing the world, if you will... I shudder to think that, underneath it all, we geeks think that our own language and the way we think should be constant and unchanging throughout our (adult) lives...

why would i buy?

[bje2]

first off, i remember when slashdot posted his short story "0wnz0red", and i really enjoyed reading it...

secondly, not that i'm saying i'm cheap or anything, but why would i go buy the book, when i just downloaded the pdf for free?

Re:why would i buy?

[Erasmus+Darwin]

"why would i go buy the book, when i just downloaded the pdf for free?"

For the same reason that you'd go see a concert of a band that allows you to trade bootlegs of their concerts. The content may be the same, but the presentation of the for-pay version is in a format that is usually considered more desirable.

Re:why would i buy?

[gotroot801]

For that matter, why wouldn't I buy the book, when the dead-tree edition would probably reach me quicker than the free download on the slashdotted server? :)

Re:why would i buy?

[bje2]

true, when you consider printer ink, printer paper, etc, the book might end up being cheaper after all...but then again, i can just print it out at work, and do away with all that overhead for me...

Re:why would i buy?

[fucksl4shd0t]

No, actually I was trolling. :)

I don't know anything about Cory, I just felt that his example was a tad contrived. One thing that has been demonstrated time and time again, especially with people that work in entertainment, is that success corrupts. A band (or an author) that starts out with high ideals frequently drops them later on when they're looking a huge chunk of cash in the face. When a band (or an author) is able to resist the cash and keeps their ideals, it is the EXCEPTION and NOT the rule.

I don't know enough about Cory to even be able to take a guess that I would feel good about taking, but I remain cynical. I'm also cynical that both RedHat and Mandrake will continue to offer free download versions of their OSs. I'm a cynic. :)

Re:why would i buy?

[WNight]

Because part of being a useful member of society is taking responsibility. If you wish to see the series continue, take responsibility for a part of that and help finance it.

It's not a theft issue or anything, the author isn't harmed by you reading it. You have no obligation to pay, otherwise it wouldn't have been a gift, it'd have been a guilt-trip. But stand up and be counted. If you like something, make sure it keeps happening.

Support the author. If you don't want the book (and someone who doesn't re-read them probably wouldn't) then just send what you think is a fair price (a buck or two probably is more profit than he'd see from an actual sale) through paypal. Then pass the e-book on to someone else who might like it.

Personally, I wouldn't buy the book (in paper form anyways). Paper is becoming more and more obsolete. I read on the computer with preference to paper. When I re-read 1984 I did it on the computer, when I read the last honor-harrington novels, I read them on the computer instead of from the hard-copy book I had. I like having Baen books on CD though, and if the price of that is to buy a little obsolete paper every now and then, so be it.

Re:why would i buy?

[Robotech_Master]

You might want to say, "Hey, man, right on, kudos!" and support him with some money. (Heck, you don't even have to buy the book to do that; you could probably paypal him a few bucks and say it's pay-back in lieu of buying the book.) Or you might simply like the book enough that you want to have a professional-looking dead-tree version to stick on your shelf, or to lend to someone who doesn't like reading electronically and wouldn't understand being handed a bound printout.

You probably find it hard to conceive of paying for something you could get for free, but not everybody does...not by a long-shot. In fact, as I mentioned in this comment, doing something quite similar has worked wonders for Baen. Blockquoth Jim Baen:

Baen has experienced a mysterious 50% increase in gross dollar sales in the previous year. Also, our "sellthrough" (percentage of books placed in the market that sell to end-point customers) has improved from the rather startling 63% to the truly stunning 74%. I'm tentatively blamiing this on my wacko e-net proclivities. (Insert a Crazy Eddie ad pastiche here)

People who prefer print books but wouldn't otherwise look at Baen's titles in the store are taking free ganders (or even buying the e-versions first!), reading for long enough that they like it, and going out to place an order. Judging from what he says on the linked page and in the introduction to the free e-version of his book, Doctorow seems to be hoping that much the same thing will happen to him...and who's to say that it won't?

BoingBoing is amazing

[TerryAtWork]

When this was a physical magazine, it was one of the most fun, intelligent and readable cyber magazines ever. I bought my copies at the short lived Binary Cafe in Toronto (three computers on dialup to the net...) - and now I can't find them.

Kind of like Mondo 2000, Wired and National Lampoon (jeez - anyone here remember when those were good?) all rolled into one. Now it's a web site and a HECK of a mail list.

Highly recommended and I'm looking forward to DLing the book. (As soon as the /. effect ends.)

Return to Pleasure Island

[AndroidCat]

Got his little chapbook right here, signed even. And if you flip though the pages, the donkey changes into a boy, or is that the other way around?

How could this happen?

I thought the Magic Kingdom was the happiest place on earth? If you cry Mickey will give you free gifts.

Re:obligatory /.-ted remark

[Jodrell]

Just in case, here's a mirror. No PDF but bzipped versions of the HTML and text versions.

Slashdotted.... I've mirrored the PDF

[Tyler+Eaves]

Grab it at Mirrored on an OC3

Intelligent linking

[muyuubyou]

If you look at the link, it's http://www.craphound.com/down/

Yep, that's exactly how it is, "down".

P2P download

[mlinksva]

Tickets below list MAGNET (some gnutella clinets), ed2k and fasttrack links:

• Cory_Doctorow_-_Down_and_Out_in_the_Magic_Kingdom. htm
• Cory_Doctorow_-_Down_and_Out_in_the_Magic_Kingdom. pdf
• Cory_Doctorow_-_Down_and_Out_in_the_Magic_Kingdom. txt

Interesting possibilities...

[Schnapple]

I see lots of interesting possibilities if this "thing" catches on.

It would appear that the publishing industry and the recording industry are similar in that they are difficult to get into and tend to "stiff" new artists/authors. Of course the recording industry is difficult to get into because they're looking for the next 18-24 year old Britney Spears clone and the publishing industry is difficult to get into unless your work has something that will sell (for sci-fi your works these days either have to be attached to a franchise or be militaristic in nature).

The main difference, as far as I can see, is that this author and, say, Bruce Eckel, is that they also publish their works through major book publishers. There's lots of websites wherein you can download the entire CD of a small artist, usually the ones who press their own albums on CD-R. But as soon as these guys sign to a major record label, this practice goes away. How it is that TOR is allowing Doctrow to do this is beyond me. No way would they let Robert Jordan release Wheel of Time 10 this way.

But something occured to me - this is a book that's like 136 pages (though Amazon says the hardcover is 208). And it's being published in hardcover for $22.95. That's more than most DVD's or CD's. You can usually pick it up for less than that, but doesn't that seem a little pricey to anyone else? I know that hardcover first issue books are steep, like $29.95 for Wheel of Time 10, but that's a 700 page book whose target audience is rabid about it. Shouldn't a 136 page hardcover book be a little cheaper?

Even better question - how come no one complains about this? People complain about the price of a lot of things - CD's, DVD's, Movies, etc. but they never complain about the price of books. Of course you can download your music if you really want to, you can wait for the movie to hit DVD, you can download the DivX of the movie/DVD if you can find it, and the DVD is loaded down with extras so you don't feel jipped. Could uneasy accessibility to books in digital form be the reason no one complains about their prices?

And what will this do to the mix? Will authors release their material this way in the future in the hopes that being noticed will land them a book deal so they can sell copies to all of those who want a keepsake of something they read for free? Will this guy sell a ton of copies of this book because he was on a Slashdot story? Will this work on a fiction document (Eckel's works are programming books)?

Can the recording industry learn a thing or two from the publishing industry? Or is it the other way around? And whose cause does it help if the Slashdot community buys a ton of this book?

relation?

[minddog]

This isn't at all related to whats going on right now is it?

Re:relation?

[lecca]

Check out http://average.matrix.net/Daily/markR.html if you want to really see whats going on in detail.

Re:relation?

[rchatterjee]

Don't know if this is the reason for the internet slowdown right now but it seems likely, from about a few hours ago I've getting tons of incoming traffic on port 1434 which I believe is the port that MS SQL listens on. So it's probably another exploit on MS sever software.

Re:relation?

[hudmond]

The issue currently happening, from what anyone can tell at any rate is that a flaw in MSSQL has been found, due to everyone noticing a lot of traffic on 1434.. MSSQL port anyhow, I was running MSSQL earlier and my dns crapped out ctrl+alt+del'd and saw 85% cpu used by mssql server, killed it and boom everything was okay, possibly a worm traveling around, http://internethealthreport.com/ UUnet seems absolutely destroyed ;)

Re:relation?

[LinuxPunk]

Oh my god, they killed UUnet! Those bastards!

Sprint seems to be doing very well, though.

Re:relation?

[hudmond]

excerpt taken from http://www.internet.com/

Microsoft Promises a More Secure 2003 After a year of working on its security issues, the company's Trustworthy Computing initiative is taking more of a 'push' approach starting with Windows Server 2003. -internetnews

Anyone else find this laughable? I'm slightly entertained I'll admit.

Re:relation?

[amigaluvr]

hrm kevin mitnick is allowed back o the net and the net goes fubar

hrmmmmmmmmmmmmmmm????

not related

[benh57]

This vulerability is about sites getting access to other sites' cookies.

It is not likely to be related to the current DDOS, which seems to be this MS vuln.

Re:not related

[benh57]

Oops, 2nd link should be to CERT.

Re:not related

[h2odragon]

this is a new exploit; beginning with a buffer overflow related to the referenced CERT, and then proceeding to another buffer overflow ....

Disassembly of the current probe packets available here for what its worth. This is a nasty little sucker.

The write-up is misleading

[Admiral+Burrito]

When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts.

The script is not executed on the server. It is executed on the client.

This is a sort of cross-site scripting vulnerability, not an "execute arbitrary commands on any web server" vulnerability like the writeup suggests.

Re:The write-up is misleading

[dirkx]

Or in more detail; TRACE simply echos back wath the client send to the server; i.e. what the client fundamentally already *knows*. The server reveals nothing to the client than what it already knows; namely the request it just send.

It is just that on the client, to prevent cross side scripting, there is some sandboxing; which is now violated.

That is called cross site scripting.

/!\ Security Alert _ [] [X]

[Seehund]

Your Computer Is Currently Broadcasting An
Internet IP Address. With This Address, Someone Can
Immediately Begin Attacking Your Computer! [ OK ]

Shut up Slashdot. I get all the Security Alerts I need from media*.fastclick.net.

This story is crap

[evilviper]

This story is utter alarmist crap. There is nothing wrong with TRACE, and the internet is not falling apart. It's just another IE cross-site scripting vulnerability. Here's a few choice links from the discussion on bugtraq:

http://online.securityfocus.com/archive/1/307778/2 003-01-22/2003-01-28/0
http://online.securityfocus.com/archive/1/308165/2 003-01-22/2003-01-28/0

Re:This story is crap

[eyeball]

This story is utter alarmist crap.

Hey, don't knock alarmist crap. It's a real cash cow for some people!

THE XSL VULNERABILITY IS SNAKE OIL

[defile]

If your applications aren't vulnerable to XSS, you have nothing to worry about w.r.t. HTTP TRACE. If your applications ARE vulnerable to XSS, you have bigger problems than HTTP TRACE.

If users visiting other sites somehow have untrusted code running in them, which performs an HTTP TRACE to your site, the user's browser is broken for not enforcing domain restrictions.

Ignore this advisory, it's sensationalist snakeoil. Leaving HTTP TRACE enabled is harmless (although you probably don't use it, so disable it anyway).

A couple choice quotes from the "whitepaper"

[jeremie]

Typical Sky-Is-Falling (tm) propoganda, this is so 90's:

"Scenarios assume the following:
A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..)"

"To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server." (this must pass through the web browser which must foolishly attach authentication cookies in question (which properly implemented secure systems don't rely on anyway))

"To restate, all the sensitive information is still accessible even over an SSL link." (what the hell? it's just the friggin headers! cookies and weak basic auth (they didn't even show and I'm not convinced the (broken) browsers send the auth headers in such forged requests)

"There is however at this point a limiting factor preventing wider a danger escalation. The TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content... To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability" (MAKE THIS CLEAR, IT ONLY WORKS IN A CROSS-SITE SCRIPTING VULNERABLE BROWSER)

To re-iterate: your web server or site isn't vulnerable because it supports trace, that's about as silly as blaming ping packets for the ping-of-death problems on early windoze systems, sheesh.

This is all a bunch of crap that requires a browser to be vulnerable to cross scripting, and for the user to have visited a malicious site just beforehand.

sorry about the lack of breaks...

[eecue]

Resent-From: mbac@romulus.netgraft.com
From: Michael Bacarella
Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles
Resent-To: bugtraq@securityfocus.com
To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

I'm getting massive packet loss to various points on the globe.
I am seeing a lot of these in my tcpdump output on each
host.

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is
pingflooding addresses at some random sequence.

All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make
sure it can't access the internet proper!

I make no guarantees that this information is correct, test it
out for yourself!

--
Michael Bacarella 24/7 phone: 646 641-8662
Netgraft Corporation http://netgraft.com/
"unique technologies to empower your business"

Finger email address for public key. Key fingerprint:
C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

Re:sorry about the lack of breaks...

[ender81b]

There is a patch available for this and it has been available for 6 months. So if your server is infected it is because you weren't paying attention/lazy/whatever. Go Here for the patch, or Here to read the CERT bulletin.

At least...

[mraymer]

...they didn't provide a link to an example script for this exploit. ;)

Can you imagine the royal slashdotting that RIAA/MPAA/MS/etc would receive if the thousands of script kiddies that read /. suddenly had access to such a thing?

Perhaps this is what Obi-Wan was talking about when he felt the tremor in the force, and the whole Alderaan blowing up thing was just a bizarre coincidence...

Read BugTraq

[Goodbyte]

As been discussed on BugTraq the latest days, this is not a 'general' vunerablility, rather a bug in Microsoft's XMLHTTP component (nomatter what the whitepaper says).

References: RE: TRACE used to increase the dangerous of XSS.
Original posting to Bugtraq

Turn Javascript, activex, java off

[TheLink]

Without them on 99% of the recent browser/http/www problems go away. And 100% of the popups go away too. Sure you stop being able to view many sites, but most of those sites that lock you out when you don't have this stuff on are full of junk anyway.

Given what this attack can do, you have to 100% trust any site which you visit with these active stuff on, because they can use the active stuff to snarf your cookies and info for other sites.

In this light, how should you treat a site which absolutely _requires_ you to turn such dangerous stuff on in order to use their site? Is it worth all that potential hassle just to see some stupid shockwave which only the PHB likes?

Is there a javascript/activex/java program that will turn off javascript/activex/java support in a viewer's browser?

I also proposed a tag to mark regions of HTML as unsafe so the browser ignores any javascript/active stuff that slips through the site's filters. But there wasn't any interest. This doesn't help if users visit malicious sites, but it helps decent sites protect their users from stuff slipping through.

SitRep

[mabu]

Two T3s with Quest: DOWN. Port udb traffic 1434 totally flooded. Uplinks have their heads up their asses and have no answers at this point. My uplink says he has a Linux server that when activated starts spamming port 1434. Is this or is this not a MS SQL-related issue?

I'm up because I'm multi-homed and I have no MS servers at all running on my network, but every other network that i know of running some MS servers is having blackouts.

We need to find out what is going on right now, and we need to make sure the media does NOT misrepresent exactly what is at fault. Everyone here has a responsibility!

Update

[mabu]

Here's what we've been able to learn, at 4:30am Central time.

We have reason to believe that something called the "SQL Worm" is in play. Some sort of DDOS attack which creates overwhelming traffic on port 1434. This is all preliminary stuff, so take it as such but I have one link up and 3 others down.

I don't have confirmation or details on what systems are affected but we have information to indicate that the following networks are currently affected: Quest, Cable & Wireless, Broadwing, Sprint (partially). My Worldcom link seems to be unaffected (which is why I can post). Note that the connectivity interruptions may be regional but that's what we are dealing with in the South Central area of the US. This has been going on now for about 4-5 hours.

What we are seeing is a major outage due to DDOS on port 1434, on portions of the Internet backbone. At this point, the exact pattern of the outage has not been clarified.

Expect the problem to potentially be addressed when the backbone providers start filtering port 1434. However, it's taken them at least four hours to figure this out.

We just got notice (a few moments ago) that Quest finally started filtering port 1434 and everything went back up. So now we need to figure out what vulnerability this was. My information indicates that port 1434 is MS SQL server resolution service (see related CERT advisory. My initial impression is that while this vulnerability was discovered awhile back, someone just recently figured out a very effective exploit using the vulnerability. I am looking forward to hearing more about what people find out.

Alarmist crap article!

[EvilStein]

Apparantly "ALL" web servers are *not* open to this "exploit" - here's a post someone made on macintouch.com:

When I read the article on MacInTouch about the TRACE security flaw, I immediately checked our Mac based servers to find out if they support the TRACE option in HTTP. Here's a summary of the servers and the OPTIONS they support. These results were shown after connecting to the server via telnet:

%telnet www.domain.com 80
Trying 123.123.123.123
Connected to www.domain.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: www.domain.com

* WebSTAR 3.x answers: 405 Method Not Allowed
* WebSTAR 4.4 and 4.5 allows GET, POST, HEAD
* WebSTAR V allows GET, POST, HEAD
* Apache/1.3.27 (Personal WebSharing MacOS X 10.2.3): GET, HEAD, OPTIONS, TRACE
* Apache/1.3.27 (iTools - MacOS X Server 10.2.2): GET, HEAD, OPTIONS, TRACE
* Apache/1.3.27 (iTools - MacOS X Server 10.2.2 - PHP 4.x): GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

When connecting to a system that has PHP 4.x installed, a lot more options are available.
This only shows which options are supported by which servers, however as the exact details of the flaw were not published, it's hard to say if you can use those options to exploit a server.

Likely not related to cross-trace issue

[mabu]

There are two things going on here I suspect. There is a discussion on a cross-trace vulnerability, at the same time, some type MS SQL-based worm was unleashed late Friday which caused lots of problems. Two different issues. Excuse the inter-mingling.

Disabling the Use of Trace in Apache

[EkiM+in+De]

Apache Week has a short piece on this "vulnerability". It also includes this short snippet of configuration code to stop traces against your webserver.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

I haven't tried this yet!

Properly secured sites aren't affected

[hyrdra]

Most sites don't store their user password in a cookie, they store a session ID in a cookie that translates to a session ID in a database. Then sensitive information is keyed up with that ID, on the server. The client never recives any of it, unless they are modifying it but it is never put in a cookie or other stateful client storage device.

Upon each page load, the IP address of the original session is checked with the sent cookie ID, and if they don't match, most applications will throw out the session completly. This annoys some with DHCP who like to maintain long sessions, but works a lot of the time for simple ID attacks (since most session IDs are generated from random numbers), because you now need to know both the IP and session ID of the user you want to impersonate. Granted, this can be had with a packet sniffer (for non SSL connections), but so can a lot of personal things. Next they'll be telling us it's quite easy to get into cars: just break the window. That doesn't mean its a security flaw.

Anyway, this is how most [good] sites work. Only fools store sensitive user information in cookies, and I would never subscribe to their site (yes, I check what goes in my cookies).

Also the article/press release (PR for this security company?) seems to be getting client/sever scripting confused, and is generally full of ignorant errors. How can it be trusted with the other claims it makes?

bollocks - just another (IE) cross site vulnerabil

[dirkx]

That web server is just doing what it is supposed to do; it is the client which allows for the cross site vulnerability.

http://www.apacheweek.com/issues/03-01-24

http://online.securityfocus.com/archive/1/308165 /2 003-01-22/2003-01-28/0

Have more details.

1434 is the general connection accept port.

[Otis_INF]

SQLServer listens to 1434 to accept incomming connections. SQLServer 7 would then normally transfer these connections to 1433 by default. SQLServer 2000 would transfer the connection to a random port.

It's best to 'hide' the SQLServer from the internet, and/or disable TCP/IP listening for SQLServer totally when it's connected to the Internet. MS also suggests SQLServer should never be exposed to the Internet directly. You can hide SQLServer (2000) directly, using the Server network utility, shipped with SQLServer. You can there first deselect TCP/IP as a protocol that's active, and if you need it, you can select 'hide' to hide the server on the internet, however it's better to disable TCP/IP totally, since you do not need it when you work with SQLServer from the same box (f.e. a website running on the same box accessing the SQLServer).

Oh, of course it should be mentioned, there is a patch for this available at MS' technet site.

Ironic...

[weave]

/. runs a story on main page about huge security hole in all web servers that will bring the net to its knees, but it really only affects IE clients. They don't run a story about what may end up the biggest net story of the year, ala code red, the MS SQL worm running wild on the net now and shutting down entire sites and playing havoc with the backbone.

/. posters work around the damage in the story and start posting comments en masse about the SQL attack -- the real story this day -- leaving people who lack reading comprehension to confuse the two issues, therefore causing a DDOS on their brain.