MS SQL Server Worm Wreaking Havoc
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright.
If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
Kevin Mitnick is allowed back on the net and the net goes fubar
In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.
It said the shutdown was triggered by "apparent cyber terror committed by hackers".
http://news.bbc.co.uk/1/hi/technology/2693925.stm
I find it lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP
It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
Get your own free personal location tracker
Collected a packet disassembly and some URLs here.
Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.
mysql will postegresql yoursql
Microsoft released a patch for this 24th July, 2002.
Where I work we ended up with quite the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greeted with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!
Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!
how many queries at the root level are unnecessary. :)
Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules across our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..
A server at one of our campuses (a college, campuses all over the state) got infected around 0900 UT and started hammering the hell out of our WAN and their local LAN, sending 10.4MB/sec through the router and then 1.2MB/sec out our internet line (bytes not bits). It stopped about an hour later. Turns out it flooded the router so hard it looks like that router has shut down. I can't ping a darn thing inside that campus now.... Fitting justice.
ZDNet and Yahoo.
Outside a firewall for no apparent reason is a tool. That being said, we live in a world of idiots. Why?
NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
they have produced a patch that resolves these issues.
This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?
This was being discussed in a previous article talking about XST. The fun is over by now...
why government or at least major Internet bodies and ISP groups should be spending some amounts of money on scanning for vulnerabilities and notifying the owners of such systems. It's a bit like leaving a gun on a table around the house, or for that matter, when considering script kiddies, leaving a bazooka in the toy box at a pre-school.
What does this worm rank compared to other DDOS in the past?
Has someone scanned the UDP packets and reported what's inside ?
I just want to see with my own eyes that the worm isn't quietly spitting out a SELECT * from a random table, record per record...
Karma cannot be described by words alone.
I was very surprised to discover both AP and CNN beat Slashdot to this story.
Very disappointing.
Timely is as important as accurate SlashEditors. Many of us look to you when big events occur...
Especially considering this all began about 8 hours ago!
e3 :: blogging the wireless freenet
Like Kazaa. Oh.
Sig for sale or rent. One previous user. Inquire within.
Come on, a lot of people will not patch their server, and that's the bite. You've got to ship it secure in the FIRST PLACE, and very few servers can actually hold that title.
So, regardless if the patch was released on 2002-07-24, people will not patch it because people are lazy.
The biggest security risk is humans, and not even TCPA/Palladium will solve this crap. Your password is 123456, your private key is abcdefghijklmnopqrstuvwxyz, and everyone knows your mother's maiden name.
If I don't have any instances of MS SQL Server on my network, is there any benefit to me or other people to block the affected port?
Thanks.
If you run Microsoft SQL Server, make sure the public internet can't access it.
What a pathetic overkill response. If you're running SQL server, make sure it's patched. When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?
SQL is easy to secure, and the guidelines are well known
And of course, patch it when patches appear
From digitaloffense: A new worm which exploits a vulnerability in MS SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts). Some random screen shots and information about the worm can be found HERE.
Whoever puts a database outside a firewall? and then leaves its external port open???
Sysadmins like that should be dragged into the street and shot.
...the Slashdot article, that is. I've been watching this since I got up this morning (about five hours ago, local time). There's been plenty of discussions about this on various mailinglists, including NANOG and NordNOG, as well as several IRC channels I frequent. I'm surprised it took this long for Slashdot to post anything about it.
According to unconfirmed sources on NANOG, the worm seems to eat up bandwidth at line rate (even at GigE links), is rumored to amplify itself via Cisco routers, and is the creation of Saddam Hussein.
My journal on the worm.
Best writeup I've seen is over at iss.net. They were the first to update their internet status homepage alerting of the vulnerability as far as I can tell.
http://average.matrixnetsystems.com/Daily/markR.h
http://mrtg.nac.net/switch9.oct.nac.net/3865/swit
The advisory announcing the flaws:
http://www.nextgenss.com/advisories/mssql-udp.txt
Various disassemblies and discussions:
http://www.boredom.org/~cstone/worm-annotated.txt
http://www.snafu.freedom.org/tmp/1434-probe.txt
http://www.digitaloffense.net/worms/mssql_udp_worm/
Writeups:
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html
http://news.bbc.co.uk/2/hi/technology/2693925.stm
http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824
that there are still way to many slack-assed admins out there. Not that getting nailed by something of this nature is a sign of bad administration, but it had to start with stupidity and laziness at some level. INSTALL THE PATCHES. INSTALL THE SERVICE PACKS. KEEP EVERYTHING UP TO DATE. It's your job, do it. Everyone's internet connection will thank you.
even /. editors have to sleep!
I've been watching this havoc unfold all night as well. I wonder how long it's going to take for the entire problem to clear. Most sites that were previously inaccessible for me are now, except some of our own. Makes me wonder if something else is going on in these datacenters.
Some snippets from there:
So will it be this year that MicroSquash will sell us the fix for this, or will the release date slip.
Ya know... On a more serious note, one of these days one of these little worms will have a really mean and nasty payload attached. Instead of just swamping us with annoying packets it could do some major harm. Remember Code Red? something like 90% of infectable hosts infected in 26 hours... the thing could have destroyed the server's OS/file system/whatever. It was the kindness of the coder that he/she spared us from that. We should not let the world economy's security be handled by the kindness of these worm/virii coders!!!
I say we should shoot l4m3r windows sysadmins on sight... for the sake of the world... and our beloved Internet.
It's those darn Al-Quaeda, I tell you! Them and Saddam Hussein! Damn them for retaliating against our Righteous Attacks!
Having used Oracle, SQL Server, and PostgreSQL, I'm wondering... why use anything other than PostgreSQL? This attack just further reinforces my belief that 95% of folks using Oracle and SQL Server should switch.
Is anyone else offended that this user thinks that EVERY server runs MS SQL or even Microsoft Anything? Our servers haven't been affected at all by this, FYI.
Ever notice how fast Windows runs? Neither did I.
The only problem is that most of responsible people are computer scientists and sometimes even only with a BS in CS and therefore have no clue of harmonic analysis and advanced probability theory.
If you project your network system in the C^n- space of markovian probability measures and with to the frequency domain, you can easily see that our system represents a compact manifold of superharmonic measures. And malign overflow is just a upper bound in this set, therefore harmonic. It's well known that the only harmonic functions on compact manifolds are constant. So going back into the time domain this means that you must just analyze the frequency of the packets. All packet streams with a constant frequency are malicious by the above calculation and therefore should be dropped. Of course there are some minor points with the frequency reflection on edges etc. but this is very basic stuff and can be easily solved.
I think there was a paper of Lorgajev and Starniktov in the 80ies about this, but I'm not really sure.
Owner of a Mensa membership card.
While part of the problem is that Microsoft software sucks particularly badly when it comes to security, something like this can happen with other software as well. The real problem is that we have a software monoculture: we need many more, different, independently implemented software systems. They will all have bugs, but as long as they all have different bugs, we are mostly OK. And that's the real reason why Microsoft's market dominance, in particular on large numbers of small machines run by non-experts, is a problem.
Seriously though, you should have upgraded!
It looks like if you stop the process sqlservr.exe it will take all of the CPU usage back down to normal. Obviously you don't want to delete this file, but with it stopped you can at least get the box on the network to troubleshoot this stuff. So far from what we can tell, when you restart SQL the load stays down, but that could also just be that it's sitting there idle waiting to be activated again. Hope this helps.
Alchemy Support
Alchemy Communications
It can giggle all it wants. The galaxy's not gettin any of our Bourbon.
Care to offer up one particle of evidence that this was Saddam's doing? Or are you just beating the Bush war drum like a good little puppet?
Gr.... All the more reason to run a host firewall on every machine.
Need a Linux consultant in New Orleans?
Mitnick just received his Alubook from Woz, and here's the result... ;)
Me no sig.
Any server that doesn't need to be accessed from the public internet in the course of it's normal use should be firewalled off from it. That's just common sense.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I think it's funny that all of the media outlets are talking about "a worm like Code Red has infected the internet and is causing worldwide slowing of the internet" but they don't mention at all that it has to do with a Microsoft product or that it was a known bug that MS has ignored for almost a year.
Want will they think of next ?
I am now seeing connections from the HTTP ports?
14:18:44.018023 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: FP 537:706(169) ack 334 win 16983
14:18:44.019965 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: . 1:537(536) ack 334 win 16983
Is this a new variant already?
If it hadn't been for a last minute scud that hit a barracks and killed a bunch of US servicemen, the united states would have killed more of its own soldiers than iraq did. friendly fire may be an oxymoron, but it happens...
Or maybe patch their servers? There is no excuse for not having this patch applied, it's been available for over 6 months....
It's human controlled through Internet Relay Chat (IRC) communications. The bots are set up on a password-protected IRC channel, where they monitor any conversations taking place. A DDoS attack is launched when an attacker logs onto the channel and types in a command, which is then recognised and acted upon by the bots. Affected servers will then scan netblocks for other vulnerable SQL servers on port 1433, and will try to log on and run the malicious code.
Kudos to cstone@boredom. Interesting & educational, with a nutty crunchy flavor.
So, every colocated server has a system admin checking it?
... outside of their regular duties which may include making coffee or sorting mail (depending on the size of the organization)?
All servers that were placed up there years ago to host one silly site get checked regularly?
All companies (or individuals) who host sites pay to have them maintained?
All sysadmins are competent and on top of their patches
There are a lot of servers and a lot of sites. There aren't a lot of "great" admins IMHO. And, often, patches are bundled together when you upgrade a server which may be once EVERY TWO TO FOUR YEARS.
Reality folks.
A Large number of ISPs here in OZ have been affected by the worm, it started about 3 and a half hours ago in OZ, and pretty much killed the net here
:D
Just thought u'd like to know
Shit, I'm still getting hit with LAST year's M$ vulnerability.. ;)
[Sat Jan 25 02:26:01 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..Á../winnt/system32/cmd.exe
[Sat Jan 25 02:26:01 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..À../winnt/system32/cmd.exe
[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..Á../winnt/system32/cmd.exe
[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%5c../winnt/system32/cmd.exe
[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%2f../winnt/system32/cmd.exe
It's like putting up a fence when you're trying to keep out solicitors. Although you only push the solicitors back to the fence, you can walk around your front yard now without anyone harassing you.
So although you won't be preventing any infections of your system, you will keep out the traffic caused by external infections from adversely flooding your internal networks. You may take a slight penalty at the border router, as it will have an extra rule in it, of course.
Build it, and they will come^Hplain.
All packet streams with a constant frequency are malicious?
What crack are you smoking? Streaming media is malicious, then?. Traffic that is latency-constrained on the window (e.g. bandwidth * delay > window) is also periodic-- I assume it's malicious as well? Not to mention my little ping monitor watching my colo box to be sure it's up.
No Biggie. It's just another indication of problems in IT overall - i.e. IT professionals who are too good at being "professional" and who do not execute their technical responsibilities.
Things seemed slow and nasty, so I Googlenewsed for "internet worm" and sure as shit, there it was.
I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.
Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?
I start to fire up /. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.
*clickity click*
1434? The hell is 1434. Worm?
*slashdot shows*
Ah ha! Ve haf comprehension.
*groggily shuffle off to get coffee, oooo black gold*
For what it's worth, a majority of the packets so far have been mostly US servers -- .edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.
Disassembly of the 404 bytes being sent by affected systems
Microsoft software
Damn, no porn for me today
Patch it up, admins
If you don't know about it, this is a good time to know.
Packet loss reached 14% at 2:20, and the global traffic index dropped to just below 73%. However, according to the many graphs on the site, things have pretty much recovered.
Heh...on the Fox News Channel's ticker, they had the following tidbit of information:
"The virus spreads using a Microsoft vulnerability known as "SQL Server""
This space intentionally left blank.
Postgresql and oracle are like screw drivers. Do you use one screw driver for all tasks? No. There are some things that oracle really kicks ass at that postgres really plain sucks at. Vice versa as well.
ping -f 255.255.255.255 # if only
WTF?
How the hell did you get to there being a monoculture of database systems?
MSSQL is in a pretty serious minority overall on the Internet.
There's this other company you might have heard of. They're called Oracle and are the second biggest software firm on the planet.
The only reason the Scud hit the army barracks was because it was "shot down" by a US Patriot missile.
This one has surprised me most so far:
tybclbsqla02.listbuilder.com
Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.
whois listbuilder.com
Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080
... and sees all the hubbub. Stops, checks his logs. Yup. That's one helluva lot of hits on 1434 overnight. All dropped just like they should be. He wonders what the problem is? Surely nobody out there is silly enough to leave ports unnecessarily open on the firewall, are they? *yawn* Time for caffeine and comics.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
No, firewalls are for use as your needs require.
I, for instance allow no incoming, but don't restrict outgoing.
Firewalls are not just for your needs. They are also for the protection of others, too. It's the all-ports-open-on-outgoing stuff that allows worms like this to spread and wreak so much havoc. It's dial-up Internet providers leaving port 25 open on outgoing that allow spammers to use throwaway accounts for spamming.
I don't think you should tell people what firewall rules they should be running.
Hey, if it's my network being affected by your lack of rules, I've got a moral right to tell you what rules your firewall needs.
Is this thing directly targeting root/tld servers? Is the worm doing dns lookups as opposed to just picking an ipaddr? Is it the PTR servers which are being hammered by loggers doing reverse lookups?
Did someone jump to a bad conclusion based on ping stats?
I don't know if anyone else has had the same problem, but xxx@msn.com email addresses seem to not be working on Hotmail. I doubt they're related, but has anyone else had the same problem, and is this likely to be the cause? By the way, xxx@hotmail.com accounts work fine.
Glad to see that HP isn't affected. http://www.hp.com Anything is possible.
See how Microsoft products enhance one's Internet experience!
Who can't install a bloody service pack fix within even a MONTH of when it comes out.. Let alone 7-8 months after it comes out. My steps for service packs were always install it 3 weeks after the fix comes out after checking the net forums for any major problems reported with it. Always worked for me, and I never had a compromised server. Then again, I also had our FIREWALL set up properly where I only opened the ports that we needed open. Freaks! Probably some arsehole with a BS in MIS making twice of what I am, but still doesn't know jack because he only entered the computer field to make the $$.
http://www.cert.org/advisories/CA-2003-02.html
Yeah, windows is bloated and insecure but geeks here act like *nix is somehow perfect.
Heya, At our routers and firewalls, we ban ALL traffic both inbound and outbound. Then we only open ports that we need (i.e. 80 and 443) in the directions they are allowed to go! Our MS SQL boxes have not been touched! It's great. Iain Chesworth SysAdmin
Last night around 12:45, gamespy.com went down. I was just about to start playing BF1942 after a week of hard work!!! Boooo
Couldn't they have started this on, say a Monday?
-- taking over the world, we are.
Despite panicky headlines, and mails to bugtraq with titles such as "MS SQL WORM IS DESTROYING THE INTERNET", reports of "some hosts being hit by as many as ten packets a minute" don't seem too serious to me.
Take a look at the LINX traffic statistics at
https://stats.linx.net/cgi-pub/combined?log=combined.upps
and
https://stats.linx.net/cgi-pub/combined?log=combined.bits
and you won't even see a glitch.
End of the world? I don't think so.
The old Art Bell show, now hosted by some new guy covered this going on at around 1am MST while I was driving into work... I was surprised when I got in and loaded up /. and there was nothing... till SIX HOURS Later... what the F?
This is what would happen if /. ever became a search engine.
Lots of companies are now putting at least a database snapshot online for their customers and suppliers, to smooth the flow of business. It's CRM. Now how the hell do you firewall/gate that and sleep easily?
What about order entry for Lands' End and Amazon? Those are all database queries. Dear God, I hope they're not using MS SQL for that.
HAW! What are you, French? Or just some wormy American abortion ghoul / assmaster? "Oh, boo hoo, blood for oil, boo hoo hoo hoo..." Fuck you and your mewling plea for "evidence."
Suppose the Bush Administration (oh yes he IS your President) decides to say it WAS an Iraqi attack? Suppose they claim it was a deliberate attempt to take down the power grid and water lines? Who's going to convince Joe and Jane sixpack that it WASN'T? You? "democraticunderground.com?" HA! Yeah, trust me, we care what you think. Those pathetic anti-war demonstrations really grew your numbers, huh? Sure.
Get used to it, we're TAKING the fucking OIL, whether you cry about it or not. Then Bush is getting re-elected, Scalia's getting named Chief Justice, and you're getting relegated to the irrelevant fringe, FOREVER.
And good GOD, is it ever FUNNY.
I'm not justifying behavior of the assholes who release these worms, but leaving the SQL server visible to the public internet is just slightly retarded.
If these boxes actually have someone employed as admins, they should get fired, plain and simple
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
all you rebel programmers, join together in a glory of defeat and dishonourment.
We will create an Anti-worm! It will counter these attacks, patching, disabling, and even illiminating!
Band together now!!!!!!!!
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
Any estimates of the cost in terms of bandwidth/downtime yet?
And what are the chances Mirocosft will be forced to pay for it?
About half of the sources I've seen have been either .edu sites or sites in other countries which belong to colleges (ualberta.ca, etc.). Is there some sinister correlation here? Perhaps colleges get free MS-ware, and let the students run the networks?
I want to delete my account but Slashdot doesn't allow it.
http://slashdot.org/article.pl?sid=03/01/24/1549207&mode=thread&tid=95
what timing...ironic, eh?
Suncoast Linux - Sarasota, FL
Because MS takes this line: "It isn't *our* fault for writing insecure, buggy software. *We've* had a patch out for N days/weeks/months. *You admins* screwed up.
Should the admin have patched it? Sure. Are they as much at fault as the people that introduced the original vulnerability? Heck, no.
May we never see th
"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
Are these the same people that leave their cars unlocked with the keys in the ignition?
If this were a fair analogy, the *auto maker* would be at fault for leaving spare sets of keys attached to the outside of the car...and you'd simply be (much less) at fault for not having removed the latest set of spare keys the auto maker decided to tell you about.
thanks for pointing that out. I plead lack of sleep and the evil influence of cold medications
The MS educational site license is a flat $40 per year for every computer, including Apples and Suns.
For that, a school can install any and every MS product where ever they please. Not only that, MS supplies training and testing materials and answer keys with that. So the classes are pre-written, too, and a GTA or undergrad can run them.
So yes, MS SQL is all over the place, and they've got lab assistants and volunteers admining them.
This is the same server that's had worms on a regular basis for the past few years?
Having used Oracle, SQL Server, and PostgreSQL, I'm wondering... why use anything other than PostgreSQL?
Because if you're using PostgreSQL, you don't have the satisfaction of saying "I have so much power than I can waste N hundred thousand dollars of company funds on Oracle." It's a status thing.
(thanks to the poster in the alleged HTTP Trace vulnerability), and I think it's funny that the government's Infragard website was inaccessible (at least from the West Coast) for several hours.
After looking at my traffic log, I am still getting packets looking for MySQL....apparently it hasn't realized that I don't have it as it has been trying for a long long time today...
A few sites I frequent seem to be out because of this [most notably, and annoyingly, http://ojuice.net]. This has been patched for an age [in computing terms]. It's almost shameful that admins haven't applied the patches by now, ESP after spending a whole lot of money on Microsoft Software - you'd bloody think they'd keep it up to date.
Don't these backbone providers have NOS that monitor for this type of activity? Don't know if it's just because of the job cuts, but my line from UUNET still isn't up (constant activity; can't get a ping out), so I'm stuck with cable that has major upstream from AT&T, whom as I understand it had automatically detected a dramatic increase in traffic on port 1434 and blocked the port.
Funny thing is when I try to ping my UUNET IP address, or at least traceroute to it, from my cable line I get a destination net unreachable -- wtf this thing is supposed to be more reliable than a cable modem!!
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Well, I'm not too annoyed about it... I finally got to bed before 3AM because the Internet was so dang slow (and I thought it was my campus resnet, like normal).
I liked this one particularly :
le1 @0:1 b 207.171.0.104,1221 -> xx.xxx.xxx.xxx,1434 PR udp len 20 404 IN
bash-2.05a$ host 207.171.0.104
Name: secure.pacificnet.net
Address: 207.171.0.104
What was that about mission critical applications?
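An added example, not code from any poster in this thread: it parses ipfilter log lines in the layout quoted above, matches the worm's on-the-wire fingerprint (UDP to 1434 whose 404 bytes are the 376-byte payload plus a 20-byte IP header and an 8-byte UDP header), counts hits per source and per minute against the "ten a minute" figure from the story, and reports how many the ruleset passed instead of blocked. The date/time prefix on each line and the sample log are assumptions constructed for this example; TCP segments to port 1434 (like the `http > ms-sql-m` lines a poster asked about) are deliberately not counted as the worm.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fingerprint of the worm discussed in the thread: one UDP datagram to port
# 1434 carrying a 376-byte payload.  Adding the 20-byte IPv4 header and the
# 8-byte UDP header gives the 404 bytes the ipfilter line reports as "len 20 404".
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD = 376
IPV4_HDR = 20
UDP_HDR = 8
SLAMMER_WIRE_LEN = SLAMMER_PAYLOAD + IPV4_HDR + UDP_HDR  # 404

# ipmon-style line: "<date> <time> <iface> @<rule> <b|p> <src>,<sport> -> <dst>,<dport>
# PR <proto> len <iphdrlen> <totallen> <IN|OUT>".  The leading date/time is an
# assumption of this example; the remaining field order follows the quoted line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<iface>\S+)\s+@\S+\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s+(?P<dir>\w+)\s*$"
)


def parse_line(line):
    """Parse one ipfilter log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%d/%m/%Y %H:%M:%S")
    for key in ("sport", "dport", "hlen", "tlen"):
        pkt[key] = int(pkt[key])
    return pkt


def is_slammer(pkt):
    """True only for UDP to 1434 whose payload (total minus IP and UDP headers) is 376 bytes.
    TCP segments to 1434 (replies to the worm's random source port) and short UDP
    datagrams that merely target 1434 are not matched."""
    if pkt["proto"] != "udp" or pkt["dport"] != SLAMMER_PORT:
        return False
    return pkt["tlen"] - pkt["hlen"] - UDP_HDR == SLAMMER_PAYLOAD


def analyse(lines):
    """Summarise worm traffic: hits per source, peak hits per minute, how many the
    firewall passed rather than blocked, and other port-1434 packets that are not the worm."""
    per_src = defaultdict(int)
    per_minute = defaultdict(int)
    passed = 0
    other_1434 = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_slammer(pkt):
            per_src[pkt["src"]] += 1
            per_minute[pkt["ts"].replace(second=0)] += 1
            if pkt["action"] == "p":  # 'p' = passed by the ruleset, 'b' = blocked
                passed += 1
        elif pkt["dport"] == SLAMMER_PORT:
            other_1434 += 1
    return {
        "per_src": dict(per_src),
        "peak_per_minute": max(per_minute.values(), default=0),
        "passed": passed,
        "other_1434": other_1434,
    }


# Constructed sample log using documentation address ranges (not a capture from
# any poster): five worm datagrams, one TCP reply to port 1434, one small UDP datagram.
SAMPLE_LOG = """\
25/01/2003 14:18:44.018023 le1 @0:1 b 192.0.2.17,1221 -> 10.0.0.5,1434 PR udp len 20 404 IN
25/01/2003 14:18:44.512000 le1 @0:1 b 198.51.100.23,3069 -> 10.0.0.5,1434 PR udp len 20 404 IN
25/01/2003 14:18:51.100000 le1 @0:1 b 192.0.2.17,1221 -> 10.0.0.9,1434 PR udp len 20 404 IN
25/01/2003 14:18:52.000000 le1 @0:2 p 203.0.113.8,80 -> 10.0.0.5,1434 PR tcp len 20 576 IN
25/01/2003 14:19:03.000000 le1 @0:1 b 203.0.113.44,1059 -> 10.0.0.5,1434 PR udp len 20 404 IN
25/01/2003 14:19:05.000000 le1 @0:3 p 192.0.2.17,53 -> 10.0.0.5,1434 PR udp len 20 80 IN
25/01/2003 14:19:09.000000 le1 @0:4 p 192.0.2.99,2041 -> 10.0.0.7,1434 PR udp len 20 404 IN
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for src, n in sorted(result["per_src"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} worm datagram(s)")
    print(f"peak per minute: {result['peak_per_minute']} (story reports 10+/min on busy hosts)")
    print(f"passed by firewall: {result['passed']}  other port-1434 packets: {result['other_1434']}")
```

A non-zero "passed" count is the thing to act on: it means the border rule the thread keeps recommending is not in place for that path.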
But it makes the majority - your generic non-thinking folks - feel "protected" and a lot less prone to panic.
Worms that do this sort of thing will continue ad infinitum. The reason is that there's no financial detriment to having one of your own boxes act as a zombie and send out tons and tons of packets. None whatsoever. There's no central accountability. That's the way the Net is set up. I don't see any way around it.
Your security guidelines are good advice, but I'm amazed (concerned?) that you have completely missed the basic, fundamental principles of 2+ tier architecture.
Perhaps you can provide an example of a situation where a database server would need to be accessible directly over the public internet? I can't think of any. Even for remote administration, that's what VPN's are for.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Is there actually ANY good reason to use the expensive MSQL over free Mysql or Postgresql? I've been using both free databases for years, and still haven't stumbled on a feature that would make me think about trying out a commercial one.
given also this previous slashdot story, the root servers must join and sue microsoft for DDOS attacks against them.
Windows clients send TOO much shit to any dns - check your dnscache log to see that. Don't have a dnscache? Bad! You're flooding your preferred DNS server with a shitload of useless or meaningless queries.
Looks like they have read some websites some years ago and then decided to steal words like "domain", thus confusing a nt-domain and a REAL domain name. The rest is pure mess because nt-domains are queried with DNS. Pretty crappy isn't it?
Look at that (dnscache log):
@400000003e329b973170f1bc tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010201
@400000003e329b973874c81c tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010201 97010101
@400000003e329b981c3f8394 tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010101
this is a laptop trying to find a network share on the server (which is called server2000.[mydomain].it). It is querying [mydomain], not [mydomain].it as I set up the laptop (default domain, network identification). Imagine if I did not have a dnscache but set up all PCs to use an external dns server....
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
Good God, how fucking stoopid is Microsoft anyway?
What on this good Earth did they do, a gets() in a ping packet? How downright moronic is that when the damned documentation itself on the gets() function tells you that it's insecure?
This is a totally unacceptable product from a professional perspective.
NO - if this were a fair analogy, this would be compared to moving into a house and leaving all of the windows open, but only closing a window after you realize that your neighbors have been using this window to pilfer your cheesy poofs. While still leaving the rest of the windows open.
If you're infected - you're a tool.
How many of these infections also had SAs with blank passwords?
At least the ^auto makers^ shipped the car in a Semi Locked down state - and only opening the ports that need access [hood/doors/trunk] (though there is much general havoc that can be had with just playing under the chassis.)
Hmm, the one in my log that made me laugh the most--admittedly it was slightly hysterical laughter--was:
nctamslant.navy.mil
Yikes!
When Trent Lott even implied he might find past racism acceptable, the Republicans dumped him.
Yet today we have the entire slate of potential Democratic Presidential hopefuls sucking on race-baiting Al "Tawanya Brawley" Sharpton's dick. And Al's going to win the first Democratic primary - the one that's going to be in DC!
Oh - and about 75% of the American public actually support more restrictions on abortion.
If you radical left DimocRats want to marginalize yourself by siding with Stalinist-funded anti-war protesters protecting heinous pigs like Saddam Hussein, I'm laughing all the way through the rest of recorded history!
BWAAA HAAA!
But back then, bombing Iraq would have been a good and noble thing, since it was for the righteous cause of getting Monica Lewinski off the front page, not some frivolous reason like making sure no US cities get hit with a nuclear bomb or biological attack.
Somebody should give that fucktard a serious beatdown.
Except the admin cannot know where the windows are until the contractor tells him where they are. Then, suddenly, the contractor tells him that it's *his* fault if he doesn't keep closing the windows within a day after the contractor tells him about the window.
Firewalls are not a panacea. Software still has to be secure -- trojans getting in through mail, IIS exploits, exploits through SOAP or over VPNs from a remotely exploited location let one zip right past a firewall.
IT admins tend to think "I'm firewalled -- I'm secure." I'd argue that firewalls have literally *worsened* security, because it makes admins take a casual approach to ensuring that their *software* is secure -- and software developers. The fact that MS doesn't trust their high-end database software to be secure from remote attacks (as they say in their advisory) makes a certain statement.
The problem is a lack of secure server software (particularly on the part of MS), unrealistic expectations of admins, and a security industry that would rather push easy-to-sell "solutions" like firewalls.
May we never see th
2003-01-25 00:30:41 DROP UDP 66.227.96.24 (XP's built-in firewall caught it, surprise, surprise)
OrgName: KingComp Systems, Inc.
OrgID: KINGC
NetRange: 66.227.96.0 - 66.227.111.255
CIDR: 66.227.96.0/20
NetName: YIPS-KINGCOMP-S102802-2
NetHandle: NET-66-227-96-0-1
Parent: NET-66-227-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-10-28
Updated: 2002-10-28
OrgTechHandle: PKR-ARIN
OrgTechName: Kral, Petr
OrgTechPhone: +1-312-957-0755
OrgTechEmail: petr@kingcomp.net
Surely, this can't be Petr from 'User Friendly'... Can it?
Hrm... Oh well, flame away at the incompetent admin...
If you go to cnn.com in the tech section on the main page, the story is there. It's titled "Electronic attack slows Net".
:P
Immediately above that is the other tech story, titled "Gates pledges better software security".
billg cannot be an enemy combatant because he
does not wear a military uniform.
So he must be an _illegal_ combatant.
Therefore, if guilty, he will have to go to
Guantanamo Bay for a few years to "help with
investigations".
Of course, proof cannot be given for his guilt
because that might jeopardize national security.
Therefore no trial until terrorism is defeated.
Can't afford to take chances with them terrorists!
Yes it can indeed get inside a firewall. Say you got bonehead web developer front page dude at home running the developer version. It is no doubt infected with the worm since said developer is using front page and MS SQL on his home xpeeee box. He thanks you by logging in via VPN into your network and spreads the joy. Priceless.....
Got Code?
Here is Symantec and McAfee info about that worm.
Whfg nabgure EBG-13 unpxre...
When will mankind learn to stop doing such things? It's such a lame & petty thing to do.
typical M$FT wormware kludge, what else is new...
Don't worry - it'll just be one of .mil's free domains
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.
Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...
Example, this is what is run after an XP desktop install with SP1 at our location...
It doesn't include the latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running... Think that's bad? Here's some pre-SP1 hotfix command lines from an earlier script.. And the syntax to install unattended is never easy to find on their site. I usually have to use Google to search microsoft.com to find what I need; their search engine really sucks. Others must feel the same way since there is a dedicated Google page for this at http://www.google.com/microsoft
I agree. A good firewall will do the trick also, but one infected server in your closed circuit and they'll all be infected.
and there always is the human factor of error (the existence of the worm is a nice example) so you can never be 100% sure you're safe.
On the internet, always use some kind of protection.
Privacy is terrorism.
I've been on a call all morning and we are sure now that SP2 does NOT protect your server from this attack...YOU MUST APPLY MS-039 to protect your server
Those weapons of mass destruction that nobody seems able to find? Good thing W just *knows* they're there, otherwise you might think they don't exist...
Also, if the choice is Saddam or endless civil war I know what I'd choose. Remember how we abandoned the Afghans after our little proxy war with the USSR? Remember how we egged on the Kurds to rise up and then left them hanging when we got cold feet at the last minute? Remember how we were supposed to build reactors that could only generate electricity for North Korea and then didn't? It'd be a lot easier to get all righteous about this stuff if we actually held up our end of the bargain once in a while.
I don't think that Microsoft will be sued for damages in this circumstance. Since the fix was already available for several months, it's the fault of the server admin if they didn't patch it up properly.
My logfiles started reporting the worm at 6:30 (The Netherlands) and after an uninterrupted stream of packets it seems to have stopped at 15:32 :)
Privacy is terrorism.
Put together a website listing all the IP addresses that sent you port 1434/udp 376 traffic.
My firewall blocked 167 of these requests before we lost our upstream connection (our co-lo ISP gets its bandwidth from uu.net, which was hosed).
Write a short script to get whois/admin info, then send automated email to management pointing out the stupidity of running an unpatched server months after the fix was available, and the stupidity of having it available unfiltered to the internet.
Point out that there are many smart, unemployed tech people who wouldn't allow this kind of stupidity to occur.
(Yes, I know MS patches sometimes break other things, and you need to test them before deploying them. But it has been many months.)
Are you sure you want to DROP those packets, or do you want to send icmp-port-unreachable? Which will cause less traffic in the long run?
... I send port unreachable by default.) I think just discarding the packet may cause it to continually attack you ...
Of course the port unreachable adds traffic to this mess, but if the worm stops attacking you once it receives that (and in my logs I've noticed I only have one attempt per host for this attack
Don't take this as being anti Microsoft, but you need to realise that the "software ecosystem" has to include serious competitors. Survival in an ecosystem also means diversity!
You should do what the lemmings did when they shouted OH NO!
I called him. He mumbled something about "Slashdot", "No sleep", "Bill Gates", and then hung up. Weird, eh? I wonder when he'll stop.
Dan
You think that's bad, those fuckers are causing snow in my TV picture! Will they stop at nothing?!
No.. the US sold them that.
I bet RedHat is throwing a party now. I guess we will see more Unix systems, like it happened after the Red worm. Watch MS stock on Monday. Happy hour! heheheh
Really, unless you've created a superior alternative, and until you're charged for the services provided by /., why bitch like a little schoolgirl? Try being nicer, like me!
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Is here: http://www.boredom.org/~cstone/worm-annotated.txt
Some more information from digitaloffense here:
http://www.digitaloffense.net/worms/mssql_udp_worm/
I passed the Turing test.
Funny stuff...
now why just apply a patch that has been available for 6 months when you can instead completely change your database system over to a new one? That way you can pretend it wasn't your fault.
The truth doesn't care what I think.
I wonder if this is why my SMC Barricade firewall here at home lost its mind? Piece of crap.
I use a screwdriver to open my can of Ovaltine, cuz otherwise it hurts my fingers. Can PostgreSQL do that? I don't think so!
09:05:08.973985 207.194.92.190.1646 > my.network.1434: rad-account-req 376
[id 1] Attr[ User User User User User User User
(imagine "User" going on continuously from here)
If you're trying to sniff this, don't let it pick up stuff on port 1646! tcpdump will flip out!
how about if there is a worm without a fucking patch? and how about if the patch just came out? you blindly patch servers without a QA process? sounds like MCSE advice to me.
I'm in France. I have 1434 in my logs all morning, but nothing since about 11:30 greenwich. The source IP's are about half and half Europe/US.
A few things are down over here, like my university's network, but haven't noticed any major crashing.
Congratulations! Now we are the Evil Empire
what about shared web hosting companies that run SQL as part of their business?
The truth doesn't care what I think.
While I agree with you that in the land of inexpensive, and easily maintained and used VPNs it is abnormal to have the database server as publicly accessible, I totally disagree that this is some sort of travesty. Indeed in reality the firewall ends up being a crutch that the sysadmin leans on to protect them from their own ignorance and laziness (in this case the patch has been available for some 8 months. Given that the original advisory gave specific instructions on how to exploit it of course there was going to come a worm): Why bother keeping only necessary services running, with the same being actively monitored and administered, when one can just firewall the problem. What's that? The firewall doesn't protect you from the inside? An exploit came through a firewall sanctioned route (email, HTTP, etc) and it proceeded to wreak havoc on your carefully firewalled little world?
Firewalls are a false sense of security, and anyone should be able to defend their system running without a firewall on the public internet at any time (well this is doubly so because the same moronic admins who look for such a blanket protection are the ones who go "Geee...I can't figure out how to get netmeeting to work through the firewall...I'll just take it down for a couple of hours....".
Maybe the PostgreSQL guys released this worm to demonstrate that their product is better than Microsoft's...
Probably shouldn't have said that.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Yes, this will be slightly offtopic, but I'm currently working on an IT project at my college that involves a MySQL server running off a Linux box, and we will have to potentially have a port open to trusted hosts only to connect to it through ODBC. I'm trying to find comparisons between security on these databases and failing miserably. Is Postgresql inherently better for this kind of thing? I haven't even found MySQL mentioned in this thread. Someone point me in the right direction!
--T.
Angry IT woman in big clompy boots. And talking lint!.
I slapped a line on our access list in our BGP routers this morning at around 8:30 A.M. Even though our firewall was blocking this port, figured it would be better to block in silicon rather than at the O/S level. In almost 2 hours, we have received over 190,000 packets from this wurm. I have a feeling it's going to get a lot worse before it gets better
that was the first port I blocked on my firewall at home.. along with the other nasty wiNT and windows ports..
Pretty soon you will see every firewall and dns server product come defaulted with these ports blocked..
Always remember Ms sense of design on security is that.. oh we can't do it because the customer did not ask for it.. Ms claims it knows Software Engineering.. I seriously doubt it..
Don't Tread on OpenSource
Despite the BBC having a story on this (the first place I learned of it: I had a looong lie-in this morning, er, afternoon) that incidents.org which collates scanning activity worldwide has "status: green" showing with a small note that "some scanning by new SQL Server worm causing some slowdowns" - not exactly apocalyptic, huh? And here in the UK (My ISP) everything looks fine. Slashdot's faster than usual if anything... sounds like a storm in a teacup to me.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
- I have a small team of folks that are constantly rotating because we don't have the money to keep them on indefinitely, and as soon as they have enough knowledge, they take off for better digs -- which I don't blame them for whatsoever. These folks have to take care of a lot of the minor details but don't have the big picture that comes from a full time job for several years and experience that comes from this type of activity.
Webmin will help unify your Unix systems at the administration level, while Usermin is as it sounds; "a simplified version of Webmin designed for use by normal users". I personally try to keep up with the systems we have running...but while it's not hard, in most of the real world, babysitting a single server will not get you far. If that's all most of us were doing, we'd be able to easily take care of this stuff.
Secondly, why do you ever have to babysit a server? There are tools that allow you to keep multiple systems up to date and monitor the health of them automatically. Backups should be checked a few minutes in the morning and adjusted if needed.
The rest of your day can be on other things.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
nimda? i have two screens full of "Deny from" rules because i get tons of CodeRed hits every day. yes, people are stupid when it comes to watching their stuff. especially ms admins (and i use the word lightly)
I just checked my logs...WOW.
There are a lot of home users/business that have SQL server installed and no firewall set up. Just like code red this thing is infecting personal boxes, therefore adding to the high volumes we see. I have SQL on one of my machines at home, behind two linux based firewalls, and when I use any tool to connect to a database I am given all sorts of choices. Most of the IP addys I see belong to other cable users. I wonder how many have kept up on their patches? The problem is any fool without any training can install this stuff on their computers, I think home users are the main reason that simple worms like this are so successful.
This, hot on the tails of the .org nameserver changing to PostgreSQL? They're gonna look super cool today. And I don't think anyone can blame them for not using microsoft either.
This is atrocious and I hope more of the name servers switch because this is ridiculous.
Why is such an important internet protocol being run on MS boxes? where were they when the internet was being created? Not in existence. Keep the internet where it belongs, on unix. (Granted bind does have a bad history, but still, 9.2.1 has given me no problems. :)
Ah nice, when the US and Great Britain bombed Iraq without any backing from the UN and against the will of veto-holding security council members, now they suddenly had authorization. It seems new technology allows changing past facts...
No wonder there were surveys among young Americans that show that the majority believes the US won the Vietnam war.
A nation so full of ignorant people like the United States should not be allowed to have weapons of mass destruction.
Insightful? How? If you haven't patched PostgreSQL within the last 6 months you are vulnerable to multiple buffer overflow/remote root exploits. If PostgreSQL had the volume of boxes that MSSQL had on the 'net, you can be sure that there'd be a large number of idiot sysadmins who A) don't patch and B) don't know how to use a firewall to protect their systems.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Can we have weasels of mass destruction instead?
I guess even Gates saw this coming. ;-)
"New security risks have emerged on a scale that few in our industry fully anticipated," Gates wrote in a 1,500-word e-mail distributed late Thursday to about 1 million people. (Full article at CNN.com)
DOH!
Seems no one's mentioned that SQL Server's going to power the next version of the windows file system... :)
heh, heh...
The George Orwell Party strikes again. Irony or Republican?
And today we are seeing the one thing at which Microsoft products really kick ass...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This software has not passed Microsoft Logo Testing and will not be installed.
Wonderful.
Whoever puts a database outside a firewall
24,432 fuckwits have done so, counting the hits on my firewall. 1 hit on port 1434 yesterday, 0 on thursday.
Wait, there are some dups, it seems that each machine hits the same addresses over and over again, about once every 4 to 12 minutes. grep|awk|sort|uniq gives 11,901 unique IP addresses in my firewall logs.
Quickly scanning a statistical sampling of machines which have probed my IP space, I see that most of them are wide open to the internet. Ports 137/139, 25, 1029, etc. are all available, and 3 of the 11 show BackOrifice on port 31337.
I have a friend (oracle expert) over trying to set up a vulnerable MS Sqweal server so we can study the worm's actions on an isolated test network. I want to see which addresses it scans, rate of repetition, and other things, since the code is pretty simple and just hashes the addresses (low cyclical rate) over and over again. I've also learned some new bad Vlamsk (Dutch) language today.
I've got a packet that might crash vulnerable MsSqueal server processes using the same buffer overflow technique. Could be a good return packet to send to scanning machines to get them to shut up until the admins get around to patching/rebooting their fucked windoze machines.
But first I will test it on my own machines, I really don't believe in affecting other's machines on the internet, even if the owners are fuckwits. But after yet another microshit worm fucking things up for everyone else, I've moved my limit closer to their processes.
the AC
I'm also waiting for the first few variants with better IP address scanning routines, which will be much more virulent. Monday will be a *fun* day
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I had installed the patch (although patches and SPs are notorious in "looking as though they have been installed), and I got it anyway.
As I understand it the July 2002 vulnerability has to do with exploiting a weak or null sa password on open TCP with mixed-mode or SQL Server authentication. So if being patched wasn't enough, my server also had a non-guessable sa password.
The humorous irony is that I had only opened up SQL Server to the internet a few weeks ago to service something specific for a client (who was on a dynamic IP of course), and was about to shut it down again on Monday...
Want to Know How to Cheat the GPL? Read On!
On January 17th, Service Pack 3 was released for SQL Server. This release included the July release of the patch to address the exploit that the current worm is using. Shame on SQL Server admins for not patching their servers up to the current release. What good are patches and updates if people don't install them?
Some info from my perspective;
I am at 66.192.31.140
First logged packet at Jan 25 00:30:47 EST
Last logged packet at Jan 25 12:17:40 EST (15 minutes ago)
Number of hits, only 136.
grep PROTO=UDP
136
If you follow the link to google you'll see the infamous words "Code Red" ranked third. Perhaps just another coincidence... Or is it?? (/me looks provocatively into the camera)
Geek out
The claim that "no hosts should be allowed to send traffic to this port" is based on a lack of understanding about how IP works.
If my machine, for example, does a DNS query to port 53 on your DNS server, it can use a more or less randomly assigned source port. If that source port happens to be 1434, then to respond to my query the DNS server will have to send a packet to port 1434.
Most systems don't use such low numbered ports for anonymous (aka. ephemeral) ports, but they can and some do. Filtering all traffic to udp port 1434 (or any particular udp or tcp port) is _NOT_ a good practice in general without knowing what is running on the hosts in question. However, it is unfortunately necessary at this time on many networks to deal with this worm.
This isn't limited to DNS, but any UDP query.
lawsqlsrv2.hotmail.com this one surprised me even more. :)
don't need to whois that one to know who owns it.
Saw this attack start 2 days ago, but just assumed it was another simple M$ SQLServer attack, because I get a 1433 on occasion.
Jan 23 06:11:41 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:04:a9:01:1e:00:10:67:00:14:7c:08:00 SRC=208.17.213.124 DST=xxx.xxx.xxx.xxx LEN=29 TOS=0x00 PREC=0x00 TTL=116 ID=22683 PROTO=UDP SPT=38105 DPT=1434 LEN=9
Jan 23 06:11:41 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:04:a9:01:1e:00:10:67:00:14:7c:08:00 SRC=208.17.213.124 DST=xxx.xxx.xxx.xxx LEN=29 TOS=0x00 PREC=0x00 TTL=116 ID=22684 PROTO=UDP SPT=38105 DPT=1434 LEN=9
Then as the day progressed on the 23rd, things started to cough and sputter until this morning. Last night was a bitch, I could hardly resolve a single domain to anywhere.
I guess the ISP's are just getting the 1434 UDP traffic under control by blocking the port outright.
It goes to show that M$ software is still 100% hackable and will be used for something like this for years to come. When will people learn?
> billg cannot be an enemy combatant because he
> does not wear a military uniform.
OMG! If he's not wearing his uniform, he's a SPY!! Spies get shot when they're caught!
So much for a secure 2003.
is Tango Uniform today. Forget about making changes to those domains for awhile...
Was nice to see one coming from 207.46.196.109 which is activex.microsoft.com - used by m$ mediaplayer for codec downloads etc (it connects there first, then to codecs.m$.com or something)..
Interesting ports on activex.microsoft.com (207.46.196.109):
Port State Service
1434/udp open ms-sql-m
What do you want to own today?
While the Internet is bogging down, my old-fashioned land line phone still works fine.
Just think how wonderful things will be once VOIP is in place and all of your voice connections are IP based!
Oh... wait a minute... never mind.
I was infected with this worm this morning. I detailed removal instructions and posted them on my web site here http://www.mediagab.com/story.asp?id=300
Hope this helps someone.
My ISP said there was a patch for the problem but a later patch or upgrade broke the original patch.
It figures in with their new security initiative don't ya know?
-- Many men would appreciate a woman's mind more if they could fondle it
Got you, you bastard.
Jan 25 12:54:33.451077 rule 1/0(match): block in on tun0: 209.186.12.6.3934 > adsl-xx-xx-xxx-xx.dsl.wotnoh.ameritech.net.1434: udp 376
376 bytes, check
udp 1434, check
infected sender, identified.
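The checks in this post (376 bytes, udp 1434) are what the grep|awk|sort|uniq counts elsewhere in the thread do by hand, and the earlier point about ephemeral ports means a blanket count of everything hitting 1434 will also sweep up legitimate DNS replies landing on a randomly chosen source port. As an added example, not code from any poster, the Python below parses both log formats quoted in this thread (pf and Shorewall/iptables), classifies each datagram, and counts hits per source. The sample log lines are constructed, using RFC 5737 documentation addresses; the 404/384 lengths on the Shorewall lines follow from 376 bytes of payload plus an 8-byte UDP header and a 20-byte IPv4 header.

```python
"""Pull worm probes out of pf and Shorewall/iptables firewall logs.

Added example with constructed sample data.  A Slammer-style probe is one UDP
datagram to port 1434 carrying 376 bytes of payload: 384 bytes of UDP
(376 + 8-byte header) and 404 bytes of IPv4 (plus a 20-byte header).
"""
import re
from collections import Counter

WORM_DPORT = 1434     # ms-sql-m, the SQL Server resolution service
WORM_PAYLOAD = 376    # UDP payload size reported throughout the thread
UDP_HEADER = 8

# Constructed sample lines in the two formats quoted in this thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 25 12:54:33.451077 rule 1/0(match): block in on tun0: 198.51.100.7.3934 > fw.example.net.1434: udp 376
Jan 25 12:58:01.120000 rule 1/0(match): block in on tun0: 198.51.100.7.3934 > fw.example.net.1434: udp 376
Jan 25 12:59:10.000000 rule 1/0(match): block in on tun0: 192.0.2.44.1100 > 203.0.113.5.1434: udp 376
Jan 25 13:01:00.000000 rule 1/0(match): block in on tun0: 192.0.2.53.53 > 203.0.113.5.1434: udp 61
Jan 25 13:02:15 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:04:a9:01:1e:00:10:67:00:14:7c:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=116 ID=22683 PROTO=UDP SPT=1200 DPT=1434 LEN=384
Jan 25 13:02:16 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:04:a9:01:1e:00:10:67:00:14:7c:08:00 SRC=198.51.100.10 DST=203.0.113.5 LEN=29 TOS=0x00 PREC=0x00 TTL=116 ID=22684 PROTO=UDP SPT=38105 DPT=1434 LEN=9
"""

# pf: "src.sport > dst.dport: udp N", where N is the UDP payload length.
PF_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")
# Shorewall/iptables: the first LEN= is the IP total length, the LEN= after
# DPT= is UDP header plus payload.
SW_RE = re.compile(
    r"SRC=(\S+) DST=(\S+) LEN=(\d+) .*?PROTO=UDP SPT=(\d+) DPT=(\d+) LEN=(\d+)"
)


def parse_line(line):
    """Return src/sport/dst/dport/payload for a UDP log line, or None."""
    m = PF_RE.search(line)
    if m:
        src, sport, dst, dport, payload = m.groups()
        return {"src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "payload": int(payload)}
    m = SW_RE.search(line)
    if m:
        src, dst, _ip_len, sport, dport, udp_len = m.groups()
        return {"src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "payload": int(udp_len) - UDP_HEADER}
    return None


def classify(rec):
    """'worm' for a 376-byte datagram to 1434; 'dns-reply' for a reply from
    port 53 that landed on an ephemeral port which happens to be 1434;
    'other' for everything else (including tiny 1434 probes)."""
    if rec["dport"] != WORM_DPORT:
        return "other"
    if rec["payload"] == WORM_PAYLOAD:
        return "worm"
    if rec["sport"] == 53:
        return "dns-reply"
    return "other"


def summarize(log_text):
    """Count worm hits, unique infected sources, and repeat hits per source."""
    hits_per_source = Counter()
    kinds = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        kinds[kind] += 1
        if kind == "worm":
            hits_per_source[rec["src"]] += 1
    return {
        "worm_hits": kinds["worm"],
        "unique_sources": sorted(hits_per_source),
        "hits_per_source": dict(hits_per_source),
        "dns_replies_to_1434": kinds["dns-reply"],
        "other": kinds["other"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a real firewall log instead of SAMPLE_LOG and the `unique_sources` list is the set of hosts worth reporting to their abuse contacts, while `hits_per_source` shows the repeat probing of the same address that another poster noticed; the `dns-reply` bucket is the traffic a blanket port-1434 block silently breaks.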
... I wonder if evil-doers might be mining the Microsoft patch libraries, looking for exploits that already have fixes, but depending upon the cluelessness of Microsoft site admins to fail to implement them...
Why go to all the trouble to invent a problem, when there is a large population of targets and a database of vulnerabilities?
If you don't believe we should have enough nukes to wipe your silly little country off the map, why don't you crawl out from under your tent, jump on your camel, and come your sorry ass over here and take them away from us?
Ohhh. Right. You can't.
It's idiot admins, who would compromise any system they are given to manage. Just wait until free operating systems reach the same level of usability and market penetration and then watch the absolute hellstorm caused by the exact same idiots, only you won't be able to blame MS. :)
it all depends on the value of the service being provided. if someone is running a large enterprise and a security hole is uncovered, they don't shut it down ("ok folks, no airplane reservations in the entire world...") while you perform rote qa. you probably are not aware of this because they don't give you this particular job.
Can someone explain why I could not browse the web with IE 5.5 this morning, but I could with Mozilla?
Running W2K, but no SQL Server (that I'm aware of).
So, I'm getting a little bit peeved.
/no/ press coverage outside of independant sites like the 'net?
/media/ can do something to M$. The media is basically why M$ exists. M$ got big by being the superior marketer in every way, and I would enjoy arguments otherwise. M$ is our 800 lb. repeating joke for exactly the reasons the jokes suggest: our pointy haired bosses prefer Outlook and Exchange to corporate security, internet stability and good neighbor policies.
On the one hand, I do not support penalties for software developers which open security holes. I've seen some good arguments that suggest that the problem would be akin to suing an engineering concern over a faulty building, but I don't believe them to be accurate; these are attacks, committed against studied weaknesses of a design. We didn't sue the people that built the World Trade Centers for the damage caused by the falling buildings (though, in my opinion disgustingly, I did hear a few people rumble about the topic.)
On the other hand, though, I believe Microsoft to be reprehensible in their behavior here. The weakness was published, according to the Slashdot article (yeah, we know how accurate those are, but still,) in June of '02. Seven months and change.
Seven months.
Now, when someone leverages a widespread exploit that broadsides a company, even Big M$, I'm all for fixing it, learning, and moving on with life. But there has been more than enough time for them to patch this.
They're supposed to be on some trustworthy computing initiative, right? And this is receiving
We need to do something. It's getting bad; we've seen real, concerted attacks on the 'net a couple of times, lately. This one apparently got to five of the root servers; the one a few months back did the same, and it probably won't be too much longer until they make actual headway.
We can't do a damn thing to M$. This has been shown: they're convicted monopolists and nothing happened.
However: the
It's time for us to put our weight where it matters. The media doesn't exist on a lark: it's there because we [read|watch|etc] it.
Why are we still doing this?
It's time we started really letting people know what's going on. It's time for us to begin to collect and catalog the serious vulnerabilities and risks on the 'net, and in a nonpartisan fashion. We need to log things that have nothing to do with M$. We need to track everything.
And we need a way to show just how many of the really serious problems - code red, nimda, IIS (which should be called a trojan, IMNSHO); potential things like curious yellow; it's just a mess what would happen if someone tried more than one concurrent attack in more than a haphazard Gargamel-style "this'll get Papa Internet and all his meddling little smurfs" fashion.
Not all badguys are stupid, and soon enough one of them will figure out how to go about it: don't give them one thing to vaccinate at once, and let each problem propagate the entire set.
We are sitting ducks for as long as we allow big corporations with both the knowledge of and the resources to fix their problems get away with things like this. Over the last two years, attacks have gotten more and more serious, and we've listened to platitudes about trustworthy computing and focus less on featuritis (doubtless so they can think up new indispensable widgets) and more on security (which they verifiably have not done; though their product release rates have dropped, their patch release rates haven't even climbed by as fast as their hole discovery rates.)
We have a lot of intelligent people at slashdot. Unless I'm a loon (well, probably in spite of it, natch) we're looking at one of our last chances to get fixes underway in time.
I don't have the planning abilities, resources, foresight or time to organize a self-help movement. That said, I firmly believe that it needs to be done. This is my appeal: someone who can, please begin to keep a timeline of the problems, a review of their comparative severities (this, code red, and other things which crippled the 'net should be nicely high on that list), and a running tally of who's responsible for what ratio among each threat level.
We have places like CERT, which release top ten lists per OS, thinking they're being helpful while muddying the waters for the corporate types who genuinely do not understand the risk by making it look as if other things are as vulnerable as M$ products.
It's time that we stop whining and start acting. No silly email campaigns where they get mocked in alternating caps and numbers-for-letters, no derision, no humiliation; fun and cathartic as they may be, they would weaken what I feel is nearing on being a desperate purpose.
Please comment. Maybe I'm overreacting. I'd like to see how you all feel.
StoneCypher is Full of BS
I think not. There were three simple things that would have saved your ass, first apply the patch, second don't allow everyone in the world to connect to your database server, and last turn off the box if you don't know how to secure it. I also work for a company that uses SQL Server for the backend of our web apps, but I don't have any interesting stories for you. I think our admin was asleep in bed when this all when down, but that is because he did all the hard work ahead of time.
...and we lost tons of money. We were down for more than 8 hours and no customer could call in to check on their server problem tickets, hospitals needed service and we couldn't get technicians out there... our servers were swamped. This is serious when companies who deal with the lives of individuals are at risk. Hospitals had patient databases that couldn't get accessed, banks needed techs onsite to install new software or hardware upgrades before the open of business... nothing could get done. This was the first time IBM got hit this hard where it brought down 95 percent of the company globally. Yikes... Now I've got to get back to collecting the hair I've been pulling out for the past 8 hours.
Many folks are blaming admins for not installing patches.
Why do they assume that the admins are still employed?
Until the machines choke and die, anyone with a clue is overhead.
mechanisms for thermodynamically analyzing
Who moderated this +1, Insightful?
Definitely +1, Funny... but insightful? Did the moderator even understand the words yeOldSkeptic was using?
military.com? wow that's so cool. i wish i was that cool.
I thought SQL Server used port 1433. What am I thinking of?
THIS SPACE FOR RENT
Hey moron, don't read the news much do you? Or don't get out of the house much, huh?
The burden of PROOF rests on Saddam Hussein to PROVE that he doesn't have any weapons of mass destruction, according to the UN charter. Forgot about that little detail, huh? And he has failed to meet this burden.
Also, jackass, remember they found those empty containers of chemical agents? Hans Blix himself said this was "the smoking gun."
I recommend you try to be less of an idiot, if that's possible, and maybe some sun, and listen to the news now and then. You will find educating yourself about the actual issues will prevent you from sounding like a moron like the above post.
So who really won?
Someone has taken advantage of a KNOWN exploit in Windows again, for which a patch had been released LAST YEAR (if what I am reading is correct). SO, who do you blame? Yes, Microsoft has quite a few serious coding issues with their OS, but how many patches are released for various *nix systems on a daily basis? I use a mixed environment for my computing needs, and I d/l every patch I find for ALL my environments. Guess what? I have never experienced any vulnerabilities! People need to learn: THIS IS THE PRICE FOR LAZINESS! Point the finger at those who DO NOT keep their systems up to date. Just my $.02 worth......
... to prosecute those owners of systems that become infected -- at least when the infection is due to their negligence in not applying known fixes.
If this were done, the internet would become a MUCH more secure place very quickly. And a lot more attention would be given to software that has been demonstrated to be more secure.
It's a lot like holding the owner of a motor vehicle liable for damages incurred during its use.
The bad assumption people are making here is that there's "no reason to break this rule." Well, unfortunately, this is just not so.
In my case, a project involved upsizing a client's access database, and then transferring it from my dev machine to an ISP's SQL Server instance. The client has a dynamic IP address, and they would never even consider the cost of using a VPN. My SQL Server ports were open for only 3 weeks, during the transition period, and would have been shut down next week.
I kept up on service packs (I was up to SP2), and had installed every SQL Server security patch I could find. I had a non-guessable sa password. I got it anyway.
So why is that? I'm not sure. But I have some observations about the manner in which you're supposed to keep SQL Server (and other MS applications for that matter) current which bear seriously on the issue:
Anywhere? I can't find it today. Maybe it exists and I just didn't notice it. That would be atrocious site design. Or maybe a simple, centralized "MS SQL Server 2000 Security Page" with ordered patch list and instructions doesn't even exist. That's just atrocious.
All I can find is top-level references to service packs and an unqualified link to an all-microsoft download search page. When you select SQL Server 2000 in it, you get everything, not in order, patches thrown together with samples, evaluation downloads, etc.
And I'm supposed to check here... every week? Sounds sensible on the surface, but if they really wanted to prevent trouble:
IT'S SO BLOODY SIMPLE. Yet they didn't bother.
Compare this to redhat, where there's one tool, up2date, and it works for everything. And you are trivially notified by email when there's an update.
At any rate, we can at least tell people a convenient fix - go install SQL Server 2000 SP3.
What's the bottom line? I had a reason to have the port open. And I had a not-for-nothing false sense of security that I was protected against this vulnerability. And most of all, if this was RedHat (for instance) I would never have had this problem - because I would have been notified the moment the patch was available, and would have installed it in a heartbeat, through their single, consistent, easy-to-use interface; and so would tens of thousands of others.
Want to Know How to Cheat the GPL? Read On!
It didn't take years. It didn't take months. I think it happened in a few weeks.
If the country cooperates it's easy.
If the country doesn't it's impossible. Think about that. If an entire country is trying to hide evidence of something, and if you squeal you're killed, how hard is it going to be to find something. Never mind recent allegations that the inspectors have been intimidated and/or suborned.
Also, disarming was part of a surrender agreement where the victors specifically reserved the right to resume hostilities if Iraq did not cooperate in its disarming.
The legal basis for resuming hostilities is in place. The troops are probably almost in place. And the French will eventually support the war because if they don't the whole world is going to see just how irrelevant the French UN veto and the UN itself really is.
These are the same French who claimed no UN sanction was needed to remove Milosevic from power.
The issue is that postgresql doesn't yet scale as well as Oracle does. Postgresql doesn't currently support multimaster replication. The core development team is working on an implementation that will be groundbreaking but it probably won't be done for a year or two. Postgresql also launches one process per connection, which really bites. It doesn't prefork either and there is a fair amount of per-process startup overhead.
maru
Starting around the same time, www.whitehouse.net began receiving about 100 times the normal requests for the home page and its associated graphics. Most of the offending hosts are in China though at least a few aren't. So far, there are at least 1000 distinct addresses spread across their entire IP space that reloaded the page at least 30 times.
I have no direct evidence this is related to the worm, but it begs coincidence.
www.whitehouse.net is a privately-owned parody of the US White House web site.
Source samples with counts include:
3302 61.171.37.209
2443 218.17.216.111
2037 218.4.128.50
1962 218.25.204.219
1527 61.187.169.160
1336 61.131.48.222
1183 218.58.69.26
1079 68.37.179.107
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I'm sysadmin for a web app by a 3rd party vendor, using sqlserver as the database, of course. The vendor hasn't certified anything beyond sqlserver patch level 1 with their software. And patch level 2 DOES break their software. They just say "run it behind a firewall".
Complaining to their support people has gotten nowhere, and they know they have us over a barrel, because our management and user community regard this application as strategic. Stupid, yes. Any suggestions, besides getting another job?
We were joking, but while the barrage of UDP traffic taxed our front-end, we figured it might be a great time to take systems down for maintenance - WTF, we were up, nobody could hit our site, no explanation to management!
"Our site was down"
"It was the worm, sir."
"I like the new layout. Did the worm do that?"
"Uh... yes?"
Dell's support sites (support.dell.com or "support" link from Dell's home page) seem to be dead due to what looks like a database error. I wonder if they had to kill all their database servers, or if they had to block them internally?
Can anyone else get to them?
A nice collection of data and NOTES.TXT here.
-- When you look to see how the system works, you usually find that it doesn't.
how about if there is a worm without a fucking patch? and how about if the patch just came out? you blindly patch servers without a QA process? sounds like MCSE advice to me.
Sounds like damn good advice to me. Why the hell should either of those be exclusive?
You keep your damn boxes patched, and you ALSO keep them behind a firewall. Now what's so hard or bad advice in that?
I went to buy groceries this morning and was told that the networks of all the major Canadian banks are down except TD. Plus I haven't been able to connect to the Toronto Star all morning. Now I'm hungry and searching the couch cushions for change to buy myself lunch and a newspaper. It's scary how reliant on the availability of network services I am. Might not be too bad of an idea to stash some cash under the mattress just in case something much much worse ever happens.
Oh please. I'm not a fan of MS either, but SQL Server is actually quite good (aside from the security hole of course.) Performance and feature wise it is a top notch product.
We are seeing this problem due to lazy network / sysadmins. This problem has had a fix for over six months already, and there is no reason network admins leave the front door wide fucking open.
My linux machine is on ph.cox.net (Phoenix Cable Modem via Cox). I too couldn't surf the net at about 10:30 PM MST last night. The firewall (iptables) logs every blocked packet. The first packet with a destination port of 1434 came into my machine at 10:31:31 PM MST, if anyone cares. The next one at 10:37:06. The very last packet was received at 3:16:38 AM. I assume Cox shut the port down at that time. It's interesting that the onslaught to my machine came from 112 different IP addresses.
My funniest, I shit you not, is "isecureserver.smsu.edu". Apparently some "I" at Southwest Missouri State University did not secure their server as well as they thought. At first I actually wondered if it was a practical joke.
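The kind of tally the poster above pulled from his iptables logs (first and last hit, number of distinct sources) is easy to produce programmatically. The following is an added example, not code from the original thread: it parses kernel LOG-target lines, counts blocked UDP/1434 packets per source, and reports the first and last timestamp and the packet-size distribution. The log lines are constructed (documentation-range addresses, a hypothetical host "gw"), and the year is assumed because syslog timestamps omit it.

```python
"""Summarise blocked UDP/1434 hits from iptables LOG lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample resembling the kernel LOG target's output. It contains
# three distinct UDP/1434 sources, one TCP line and one hit on another port,
# both of which the summary must ignore.
SAMPLE_LOG = """\
Jan 24 22:31:31 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=404 TTL=110 ID=4 PROTO=UDP SPT=1221 DPT=1434 LEN=384
Jan 24 22:37:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=404 TTL=107 ID=9 PROTO=UDP SPT=3345 DPT=1434 LEN=384
Jan 24 22:40:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=60 TTL=50 ID=11 PROTO=TCP SPT=4444 DPT=1434 WINDOW=5840
Jan 25 01:02:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=404 TTL=110 ID=21 PROTO=UDP SPT=1221 DPT=1434 LEN=384
Jan 25 03:16:38 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=404 TTL=115 ID=30 PROTO=UDP SPT=1042 DPT=1434 LEN=384
Jan 25 03:20:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.5 LEN=68 TTL=64 ID=31 PROTO=UDP SPT=5000 DPT=1516 LEN=48
"""

# syslog timestamp, host, "kernel:", then the key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<fields>.*)$"
)


def parse_line(line, year=2003):
    """Return (timestamp, fields) for one LOG line, or None if the line
    is not an iptables LOG record. The year is an assumption: syslog
    timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields = {}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")
        # LEN appears twice (IP total length, then UDP/TCP length);
        # keep the first so LEN means the IP datagram size
        fields.setdefault(key, val)
    return ts, fields


def summarise_hits(log_text, port="1434", proto="UDP"):
    """Aggregate the LOG lines whose PROTO and DPT match the worm's traffic
    and return the numbers a responder wants at a glance."""
    per_source = Counter()
    lengths = Counter()
    first = last = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") != proto or f.get("DPT") != port:
            continue
        per_source[f["SRC"]] += 1
        lengths[f.get("LEN", "?")] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {
        "count": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "first": first,
        "last": last,
        "per_source": per_source,
        "lengths": lengths,
    }


if __name__ == "__main__":
    r = summarise_hits(SAMPLE_LOG)
    print(f"{r['count']} blocked UDP/{1434} packets from "
          f"{r['distinct_sources']} distinct sources")
    print(f"first {r['first']}  last {r['last']}")
    for src, n in r["per_source"].most_common():
        print(f"{n:6d} {src}")
    print("IP datagram sizes:", dict(r["lengths"]))
```

Feed it a real log with `summarise_hits(open("/var/log/messages").read())`; a single packet size dominating the `lengths` counter and a steadily growing source count are the two signs that a port is being hit by a scanning worm rather than by a stray misconfigured host.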
Pray, foul heathens! Thou hast been led astray by years of worshipping the golden calf, i.e. Linux. Your God, Bill, is an angry God, and he hath sent this virus to you as a warning. Thou art dependent upon thy God, thou art reliant upon thy God, and thou shalt not attempt to break up God's monopoly on your life.
So, give more money to God today by buying a new copy of MS SQL Server 2000, Version 2.0. It doesn't patch the vulnerability, but maybe if you continue to support God and pray for salvation he might send the "Divine Fix" your way in a few months or so.
You have been warned.
Tuck
Tuck's Journal.
I can't move my phone service with Verizon because the worm knocked out their systems nationwide. The first time I called I asked the rep. I spoke with if it was because of the MS SQL worm. She said, "Yes, how did you know?". The next time I called, with the systems still down, the rep. I spoke with said in a very excited tone, that the systems were being attacked by a worm and that American Express was down too. She said it was pretty scary.
I just wanted to move my phone service, and the rep. was like MS SQL worm; and I was like bummer; and it was a really good phone service...
I am getting pounded on port 1516 from the same address over and over; about 2/minute. It's been going on all night long. Seems to be a Lotus Notes port; is this a totally different attack?
I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25.
Don't take it personally, but I sure am glad you aren't my IT admin. I'd get pissed in no time.
May we never see th
All it takes is for someone to have SQL Server running on a laptop. They dial in when they're outside the company LAN, get infected, come to work, and boom!
There are a *lot* of people out there running server tools on laptops - pre-sales, consultants, contractors, as well as your internal staff.
My network got hit hard this morning. The article claims 10 packets per minute. We were getting 10 packets in about 1 nanosecond. It sent our firewall to a load average of 10+ and brought our entire network (inbound and outbound traffic) to a halt. We found a single Windows host causing all the problems _behind_ our firewall. After disconnecting it all was well again. Thank you MS.
Buffer overflows as a security hole aren't only a Microsoft problem -- although you would think they could afford better code reviews -- they are an almost universal C/C++ problem.
First, using fixed-size buffers for strings (and other arrays) seems almost to be encouraged by the language design, or at least by common practice.
Second, strings (and other arrays) unfortunately do not have a size inherently associated with them in the language, and null-terminated strings can be slow to check for length.
Third, the stack layout of typical C/C++ implementations makes it *possible* to overwrite the return address. Some other programming languages I have used had implementations with the return address below the local variables, making it essentially impossible to overwrite.
But then, years ago, nobody ever seemed to think about security issues in language design.
This is a direct result of what happens when you let stoopid people operate computers on the internet.
I blame the likes of MS and AOL for encouraging the use of the internet by people who don't know any better and don't care to know any better than to keep their systems patched and configured securely.
Here is a program they have for the NT/2000/XP line that lists hotfixes that have not been applied. It certainly is more comprehensive than the windows update site.... Hotfix Checker at MS
Yeah, that's the ticket, Saddam's been up all night long for weeks in his bunker downloading 'sploits and talking to k1dd1es on IRC orchestrating this attack. He only took time off to praise Allah and to torture a few dissidents; other than that, he's been boning up on MS SQL for the past few weeks.... Sure, he says, the Great Satan might blow me away with their tactical nuclear weapons, but they will feel the mighty wrath of Allah when their unpatched SQL servers go haywire. I will hit the imperialists where it hurts by introducing significant delays in their pr0n downloads and ecommerce traffic....
> It looks like if you stop the process sqlservr.exe it will take all of the CPU process back down to normal.
> Obviously you don't want to delete this file
I think he meant "Obviously you want to delete this file"
You just got a fan. Or a friend. Or something like that.
best web host ever
Well it was nice, around midnight, the network (as in internet) at my college became unusable until 10 in the morning.
Turns out the only MS-SQL boxes on campus are under the IT director's desk....
Hate mail to IT is in the works.
Thank Tux I run Linux.
Hotmail still has *nix at its base, so it's still up.....
No
It
Doesn't.
The site www.hotmail.com is running Microsoft-IIS/5.0 on Windows 2000.
All i can say, is to each their own man... to each their own. :)
-
ping -f 255.255.255.255 # if only
... is that our Corporate IT has *outsourced* all control of our firewalls (to a company which recently filed chapter 11, if I recall), and so can't update them on the fly...
And, on top of this, our "corporate IT security" just sent out an email that some of their *internal* machines were infected (so obviously *something* was accessible through the firewall) and now we who are connected to corporate via a T1 must apply the patches. So much for the firewall.
This also happened with Code Red two years ago. Big panic, everyone patching their systems, because corporate had holes in the firewall.
Yet, we have our own firewall to a customer site (which we've managed on our own for years, and which corporate now wants to take over) which we have *never* been infected via. Go figure.
Not saying that we shouldn't have been up on it, but we have no one dedicated to IT Security (funny, since we do DOD work) in our building, and we are all so swamped with other stuff we rarely have the time to keep up with it.
At my *last* job, however, we set up a new box and immediately port-scanned it... knew what every service was on the box, and if we didn't, closed it down. And that *wasn't* DOD... e-commerce. And we kept on top of patches.
So... your credit card number was *really* safe at my old job... but our nation's secrets may not be at the new job.
Go figure.
Will M$ be sued for damages due to gross negligence? With all the bullshit lawsuits around, I simply can't believe that not a single lawyer is seeing this as his golden path towards uncountable riches. Especially after the like 4th or 5th time the Internet as a whole suffers.
I couldn't care less about all the windos dummies if only they would stop damaging me (eating bandwidth, stuffing my inbox with virus mails and whatever).
Assorted stuff I do sometimes: Lemuria.org
My initial thought on this was that this isn't MS's fault and we shouldn't be bashing them for this worm; almost every OS and daemon out there has had its holes and exploits and MS has already put out the fix so it's in the admins' hands now.
But on second thought, when I look at the serious impact of the worms that have been created for MS products and their vulnerabilities the last few years, the obvious becomes apparent: admins of MS OS's and processes on them are a LOT slower to patch than any of their counterparts (read: stupider). And the thing is, MS knows this, they specifically market to the stupid/lazy admins. They're the "easy" OS, they sell their products by telling people that you just install them and never worry about them again. I've taken too many MS courses (I am an MCSE and MCDBA if they haven't expired on me, but I couldn't care less) and not once was patching the operating systems or server processes ever mentioned during all those courses, which is amazing to me.
And hey, to each their own I guess... apparently there aren't enough intelligent or well read admins around so there is a demand for these products and this approach. But if that's the case, then I think it has to be said that MS has a greater responsibility to create products free from exploits than anyone else, if they're marketing and teaching the idea that you don't need to patch.
It's by creating that laissez faire attitude towards administration that MS is directly responsible for the proliferation of these worms.
----- sXe
Or what else does it mean?
So this won't be stopped until the open source community actually admits it and spends a week or two trying to fix it. You can get the patch now from Microsoft if you are using their software.
...now we gotta "un-fuck" what you fucked-up.
I want to be alone with the sandwich
two things:
i run a solitary box at a colo with win2000 advanced server and sql server 2000 on it (not all of us are technical or engrossed enough to deal with linux/ mysql and not all of us have enough $ to have two boxen).
when i installed sql server, sql server has a server network utility that allows you to control which protocols sql server uses. again, i am not that technical, but without visiting any SANS or other security site, or reviewing any server hardening techniques, or patching anything, it was pretty damn obvious to me to disable the tcp/ip protocol for sql server 2000. it really doesn't take much technical expertise to understand the need for this.
anyone screaming "apply your damn patches" also doesn't consider another simple statement they should be screaming: "familiarize yourself with the BASICS of your box/ the internet before you run a web server and/ or database."
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Well I am receiving a UDP 1434 request about once every 5 minutes on my home network. Doing some IP whois I have found out that the requests have come from: RIPE Network Coordination Centre, Vanderbilt University, Sprint, and Asia Pacific Network Information Centre. So they look to be pretty generic sources and quite possibly spoofed. Just my $0.02.
I work at a large University in the US. We have several class B's worth of address space. When Susie Stretchpants from the College of XYZ wants to connect her server to the network, the networking folks activate a jack in the room where she wants her server and give her an IP address. This IP is not in RFC1918 address space. Nor are the IP addresses of every workstation in her building/department. It's all out in the open. The reason for this is that the network infrastructure provides connectivity to a multitude of students, staff, and faculty, all of whom are scattered all over the place. Putting a firewall in front of a whole department or college's workstations and servers is a technical nightmare.
Think "Port A on switch B in building C belongs to College (or department) D, and as such should be on VLAN E, which is behind firewall F".
Welcome to administrative hell.
You might say that Susie should know enough to install some sort of hardware firewall in front of her server, but guess what? She doesn't want to spend the money, and if she did she'd have no idea how or what sort of packets to allow and block.
So... What you end up with is some very basic filters on your border routers and a whole shitload of servers and workstations on the public internet. We do security scans on our own networks and try to badger people who aren't keeping up on patches to get with the program. It's about the best we can do.
That's why.
More from The Globe and Mail: http://www.theglobeandmail.com/servlet/ArticleNews/front/RTGAM/20030125/wintern/Front/homeBN/breakingnews
:-)
I especially like the nickname somebody gave it: "SQ Hell"
..to use MySQL, instead of proprietary MScrapSQL.
Ha ha! My boss is one of those fuckwits! I've tried for the entire year I've been there to get him to patch servers and get a fucking firewall up, to no avail.
Time to send an email to his boss.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
Funny how the site www.internettrafficreport.com is being slashdotted right now. In the last 5 min alone, the global traffic index went from 85 to 65, apparently a new wave of attacks as the worm discovers new ground. My 5-domain webserver hasn't received a packet yet, but I'm keeping my eye on it. Glad to be using Postgres with its ports blocked from the Internet.
Holy cow! Israel is completely down according to the site.. all routers with 100% packet loss.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
SQL Slammer? A worm virus? Sounds more like a shooter at Hooters on geek night.
__ Someday, but not this morning, I'll finally learn to use the preview button.
I just heard about the worm on television on MSNBC. The report was painfully opaque: The worm was said to attack "servers" or "the Internet". No mention of the fact that it was specifically Microsoft software at risk.
The report on the MSNBC web site is more forthcoming. Still, I can't help but feel that the omission in the broadcast report shows editorial influence at work from MSNBC's parent company.
But he is an American citizen, which gives him some protection from being an enemy combatant.
Internet Security Systems (ISS) was the first to discover and name a new worm it is tracking - "SQL Slammer" - that is rapidly spreading across the Internet via Microsoft SQL servers. The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online services to be inaccessible.
- Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected
- Severe latency in domain name service (DNS) causing Web sites to be completely unreachable
- Other nations affected include South Korea's Internet infrastructure which has come to a standstill
This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host. The ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Impact:
The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affected Versions:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Note: Unpatched or base installations older than SP3 are vulnerable.
Description:
The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations:
The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert.
These updates are available from the ISS Download center
(http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for information on securing Microsoft SQL Server against this buffer overflow: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Additional Links:
ISS: Security Center: X-Force Threat Forecast
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824
ISS Advisor community feedback
http://www.issadvisor.com
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
... but it can't survive Microsoft's software
Does that mean that Redmond is in possession of something *worse* than WOMD???
We demand IMMEDIATE source code inspections!!!
Or there will be severe consequences.
someone want to start a petition?
"a powerful and unexpected ally..."
"Network security is an important front in our war on terrorism.
"That's why Saddam Hussein is a menace that must be stopped with all due force."
to write a variant of this virus to propagate itself to all these servers, delete the bad virus, then after a few hours, download and install the security fix patch and delete itself?
Well, it has a lot to do with the world's economy. It is already in the crapper and if a net worm was really nasty (as noted in my post) it could cause real damage. How many machines were infected with Code Red? Now what would happen if all of those machines were destroyed (their drives formatted or something)? How much would that cost in dollars to repair/restore? Hundreds of millions to tens of billions? All over the world...
A hypothetical Sircam III that erases all emails in your in box, out box, and contact list? That can do major economic damage to business.
...and you and I know, nobody runs backups like they should...
I wonder how many admins blindly upgraded to SP3 just to get rid of the worm, and of course without reading the terms of SP3, gave M$ unfettered access to pillage and plunder their systems?
Think about it...
... may have replaced that tool you mentioned in your point 4. Take a look: MBSA
Utilizing magnetic schemata since
I like the duck...
--- Hindsight is 20/20, but walking backwards is not the answer.
Sounds like damn good advice to me. Why the hell should either of those be exclusive?
It's very BAD advice! What happens when you blindly apply the patch and find out your mission critical app won't run anymore? A little QA testing would show you that on a test system instead of your live servers. If a firewall rule can protect you, use that, then QA the patch and apply if it is safe.
Consider that sometimes, the 'security patch' just disables a feature that 'nobody uses anyway' (except for your mission critical app, that is). Other times, it doesn't fix the hole, it just changes its shape a little. In that case, you go from a hole you know about and can guard against at the firewall to one you don't know exists that has less information about it available.
It's not purely a dig at MS (though their track record for quality patches is spotty), any sudden change to widely deployed software runs the risk of causing a problem for somebody's configuration.
OMG! If he's not wearing his uniform, he's a SPY!! Spies get shot when they're caught!
Feel sorry for the guy in the bath
A link to this thread has hit drudgereport.com, 2nd link from the top. I think this is the first time I've ever seen that!
Look at the title of your post, again, and see if you can find the error :)
nuclear presidential echelon assassination encryption virulent strain
Whizzmo
Heh, looks like it took out a big portion of Bank of America's ATM (cash) machines! Link
Yeah, it means rather than sending him to Cuba without a trial, the CIA will blow him up from a UAV without a trial
All's true that is mistrusted
The patch install is a hand job. Old files get copied to a backup directory. Then the new files have to get copied into the right places all by hand. It takes 1-2 hours per machine.
Maybe MSFT will add an install script for this patch!
http://www.theinquirer.net/?article=7418
Religion is the main cause of atheism.
While you are at it, you should plug the spill pipe in your toilet tanks (the one with the opening just above the high water line). In a properly engineered toilet, the float will always float and the valve will always valve. And if the float doesn't float, hey, it's not our ceiling that will begin to drip.
A firewall should not be considered as a wall. A firewall is best regarded as a damping mechanism. My firewall is configured to make it impossible for my internal network to send out bad packets (forged return address, strange TCP/IP bits or fragments, anything addressed to known virus promulgation ports). Those rules function like the spill valve in the back of your toilet tank. Even if something goes terribly wrong (e.g. with a binary patch where I can't even read the source code) and my float doesn't float or my valve doesn't valve, I'm not going to cause a septic disaster for everyone "downstream".
My suggestion: stop polishing your Brass Testicles ninja sysadmin award and start thinking about reality.
Where is the complete list of all patches, with downloaded links?
It should be the law that all software companies need to keep a public record of vulnerabilities in their software for a year. If the software is sold in box sets it should have a URL printed on the outside of the box where people can find the list. This would provide financial motivation for companies to write secure software.
I have never used SQL Server, but my experience with PostgreSQL leads me to believe it might be competitive in many circumstances with it.
For enterprise grade solutions, PostgreSQL is not remotely competitive to Oracle. For small operations (the recent story on the .org DNS registry comes to mind) it's quite likely that postgreSQL is "good enough", but a brief examination of the oracle documentation will reveal exactly what kinds of enterprise features differentiate Oracle from Postgres. Simply comparing this with the Postgres docs should end the discussion.
For anyone who thinks of them as comparable, I make the following challenge. Pick one of the core manuals from the above page. Register with Oracle Technet and simply read through the table of contents and mark Oracle features identified in the docs and assess if and how well Postgres implements it. I recommend starting with the Performance Tuning Guide, and the maybe the Data Warehousing Guide.
By doing this you can quickly fill up pages with Oracle features that PostgreSQL does not have. I chose the two guides listed above because I can say with confidence that the features listed in the Oracle docs are heavily used because I have personally done so.
It's all an evil plan by Bill and Co: "If they won't take
problem is microsoft's crap-ass O/S doesn't come with a filter (like ipchains, iptables) that allows you to block traffic based on ip.
so you have to install buggy/crappy firewalls like tiny, blackice, sygate, etc. - all of which crash under very high loads
and their patches often come out too late, as opposed to linux patches - which seem to come out way before....
if you have a busy MS box, there's no way you can put it on the internet without a separate firewall. they should just let people know that, or warn you when the nic card detects that it's on the net.
my solution:
a dirt-cheap linux box with ipchains on it makes a great NAT 1-1 firewall - if you run a bunch of servers. so does the zywall-10.
if you just run workstations or only 1 server there's a lot of super-cheap firewalls from Netgear/Linksys/etc.
If you haven't patched PostgreSQL within the last 6 months you are vulnerable to multiple buffer overflow/remote root exploits.
remote root???? Just about EVERY postgresql system runs as a normal user, how the hell do you get root out of that?
By default postgresql does NOT even support IP connections, you have to turn it on by either the -i option to postmaster or in the config file.
I think you're looking at the Mordred buffer overflows from about 5 months ago. ALL of these require a valid user account to exploit. NONE were remote. Please post the location/posting of a REMOTE for a recent release of PostgreSQL. Versions 6.X, 7.1.X and 7.2.0 do count.
BWP
I've noticed that this whole discussion is just packed full of ridiculously bad analogies: From cars to houses, and now to toilets. Of course they're all incredibly wide of the mark and offer absolutely no parallel to this situation, but it certainly doesn't stop people from proposing them.
Installing a patch for a very high visibility piece of software is not rocket science here, and it should have been done long, long, long ago. The parent post to my original supposes that if we were all firewalled then there would be no problem: Hardly. As mentioned there are many ways for one system in your network to be exposed and to then saturate your network (or do you firewall every port on your switch and have zero port sharing? If not then what are you? CRAZY!?)...and even if you're a super kung fu master admin that has the world firewalled, it's likely that UDP DNS and port 80 traffic can still stream out at an unconstrained rate.
In any case, you totally missed the point. I never said that firewalls should all be turned off (indeed I MOCKED a situation where they did turn it off), but rather that they should be presumed to be a minor moat in the real world of security (instead of the invincible gate that they are often treated as).
"problem is microsoft's crap-ass O/S doesn't come with a filter (like ipchains, iptables) that allows you to block traffic based on ip."
Sure it does since NT 4 SP4
Is it as fine grained as ipchains/tables hell no but the basic functionality needed to block traffic by IP is there.
I think that the reason that a lot of these patches do not get applied is due to the "If it isn't broken, don't fix it" mentality. I know that many Microsoft Security patches in the past have caused say 1 out of 10 small volume custom applications to fail in some way after they were applied. The business being conducted by the application may have justified say a 50K dollar initial investment to have it written by a developer. However, the month-to-month return does not justify paying a Maintenance fee in order to keep a developer up to speed on your code base. Microsoft has been releasing patches for either IIS, or SQL Server, or OS on roughly a schedule of 2-4 a month. Your average 10-50 man company that had an application written for their specific need is not going to be willing to pay you $4000.00 a month to maintain a secondary system with their application installed, 10-20 hours to test every single function, etc every time Microsoft releases a batch of patches. In their minds it's built, it works, and it's done and they are not going to pay a dime more. If you are lucky, they might do that when something like today's situation comes up. That is why most systems (I will even say Linux/Apache/XSQL systems) don't get every single patch that comes down the pipe applied. In a perfect world you would not accept the work unless there was a good maintenance fee included, but in the real world you take the work that people will give you and deal with the ongoing maintenance on a case-by-case basis. The only contracts where you get that kind of commitment is when there is EXTREMELY good revenue involved and the company's business absolutely relies on the application.
You should be using the Microsoft Baseline Security Analyzer to ensure that ALL the machines on your network are properly patched and locked down. It's so easy to run there should be no excuse for attacks like this.
!!!ATTENTION MS ADMINS!!!
Hmm, perhaps the hostname is missing an 'n'. Would explain it I think.
Notice the quote at the bottom of ./ today. ;)
...but I wonder if it's necessarily true?
This rather depends on how the worm picks the IP addresses it tries to connect to. If its totally at random then it may never hit your internal servers (or not very soon). If it only hits public address ranges then most internal networks are safe. On the other hand if it primarily targets hosts on the same subnet then Monday's not going to be good for lots of people!
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
If you've put a Windows box on the Internet you've already screwed yourself. Windows machines should only be connected (if necessary) to internal LANs protected by a firewall and used for simple office automation tasks. Servers should be based on UNIX. This is really a no brainer.
The current DDOS attack caused by a worm that exploits a known vulnerability (for which a patch was already available) raises the following questions :
a. Is this a test or preparatory exercise carried out before a series of massive attacks due during the time US invades Iraq ?
b. Is there another vulnerability(ies) (probably bigger gaping holes) in the patch available for the current vulnerability which the group is hoping to exploit, during their second phase of attacks ?
These are just questions. I think administrators should be doubly sure about this patch before they apply it.
A Massive DDOS attack during the gulf war could cause:
a. Less or no information
b. With DNS servers down (5 down this time around) a massive disinformation campaign can be launched (Say the CNN site giving false information for a couple of hours)
These are just possibilities. So was September 11th.
You guys forget that a lot of the connections to the SQL port are from a source port of 53. Since there are plenty of firewalls out there which don't do stateful UDP firewalling, the packet filter thinks the packet coming from port 53 is just an answer to a DNS request the SQL server sent to the internet.
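The mechanism described in the comment above, as an added example that is not part of the thread: a simulated stateless UDP filter that trusts any inbound packet from source port 53 passes the worm's datagram to UDP/1434, while a stateful filter only passes a port-53 packet that answers a DNS query the host actually sent. All addresses and packets are constructed.

```python
"""Stateless vs. stateful handling of inbound UDP from source port 53.

A non-stateful rule set of the kind the comment describes lets any UDP
packet with source port 53 in, on the assumption that it is a DNS reply.
The worm's datagram to ms-sql-m (UDP/1434) satisfies that rule when it
carries source port 53.  A stateful filter keeps a table of outbound DNS
queries and only admits a reply that matches one of them.
All hosts and packets below are constructed for the example."""
from dataclasses import dataclass

DNS_PORT = 53
SQL_MONITOR_PORT = 1434   # ms-sql-m, the port the worm targets


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # UDP payload size in bytes


def stateless_filter(pkt: UdpPacket) -> bool:
    """Return True if the packet is accepted.

    Mimics the mistaken rule: 'inbound UDP from port 53 is a DNS answer'."""
    return pkt.sport == DNS_PORT


class StatefulFilter:
    """Accept inbound UDP only if it answers an outbound query we recorded."""

    def __init__(self) -> None:
        # (inside host, inside port, resolver) tuples awaiting a reply
        self._pending: set[tuple[str, int, str]] = set()

    def outbound(self, pkt: UdpPacket) -> None:
        """Record an outbound DNS query so its reply can be let back in."""
        if pkt.dport == DNS_PORT:
            self._pending.add((pkt.src, pkt.sport, pkt.dst))

    def inbound(self, pkt: UdpPacket) -> bool:
        """Admit a port-53 packet only if it matches a pending query."""
        key = (pkt.dst, pkt.dport, pkt.src)
        if pkt.sport == DNS_PORT and key in self._pending:
            self._pending.discard(key)   # one reply per query
            return True
        return False


def compare(outbound, inbound):
    """Run both filters; return {packet index: (stateless_ok, stateful_ok)}."""
    sf = StatefulFilter()
    for p in outbound:
        sf.outbound(p)
    return {i: (stateless_filter(p), sf.inbound(p)) for i, p in enumerate(inbound)}


# Constructed traffic: the resolver on the SQL host asked 192.0.2.53 for a name.
OUTBOUND = [UdpPacket("10.0.0.5", 40123, "192.0.2.53", DNS_PORT, 45)]
INBOUND = [
    # 0: legitimate DNS reply to the query above
    UdpPacket("192.0.2.53", DNS_PORT, "10.0.0.5", 40123, 120),
    # 1: worm datagram, 376 bytes to ms-sql-m, arriving from source port 53
    UdpPacket("198.51.100.7", DNS_PORT, "10.0.0.5", SQL_MONITOR_PORT, 376),
    # 2: worm datagram from a random high source port
    UdpPacket("198.51.100.8", 3412, "10.0.0.5", SQL_MONITOR_PORT, 376),
]

if __name__ == "__main__":
    for i, (sl, st) in compare(OUTBOUND, INBOUND).items():
        print(f"packet {i}: stateless={'pass' if sl else 'drop'} "
              f"stateful={'pass' if st else 'drop'}")
```

Packet 1 is the case the comment warns about: the stateless filter passes it, the stateful one drops it because no query to 198.51.100.7 was ever sent.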
I just got back from an unexpected trip to my office.
I work in a little office of a REALLY HUGE company
(Cosmodemonic Electric). Our office LAN has no direct connection to the internet. But, I started getting alerts from some monitors, tried to connect to servers on the office LAN, couldn't.
Heard about this virus, put 2 and 2 together
Went in, found that every light indicating network activity in the place was continuous yellow. I had to hunt around a little, found a Win2000 server someone had set up with SQL Server (and probably forgot about), and the SQL Server service would not shut down. So I just shut down the box, all OK now.
So, some SQL Server with an internet connection got it, and is passing it around all over CE. More fun than gonorrhea.
I work for an ISP... Our phone lines have been solid... have you ever tried to explain the concept of the internet backbone to a pissed off 90 year old lady who only wants to send her apple crisp recipe to the bridge club? Fun stuff...
It's very GOOD advice in general, always! That is, assuming you go and get your brains from wherever they are, and think for yourself. Advice is just that, advice, and can and must be adjusted to suit the circumstances.
Nothing in the comment "it would be nice if you would bother to patch the machines" forces you to blindly assume that it says you need to apply any patch a nanosecond after it rolls from Microsoft, or if there are known problems with it.
Go ahead, do your QA, and apply the patch after that. If it was patched six months ago, there is no excuse to not have done that QA by now, if it was only recently as some say, then it may very well be acceptable to still be testing it, but that doesn't negate the fact that generally having patches installed is and will always be a good practice.
To be re-elected he would have to have been elected in the first place.
I was just about to post the same thing! Moderators: mod this one up! People need to read this otherwise they'll think their cracked box is safe!
From securiteam.com: ..It can be configured such that clients can use named pipes over a NetBIOS session (TCP port 139/445) or sockets with clients connecting to TCP port 1433 or both. Whichever method is used the SQL Server will always listen on UDP port 1434. This port is designated as the Microsoft SQL Monitor port and clients will send a message to this port to dynamically discover how the client should connect to the Server.
Read further into the report. The exploits use the vulnerability in the code which listens to UDP port 1434. You can't turn this off!
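A defender-side classifier for the datagrams that arrive on UDP/1434, added here as an example that is not part of the thread. It assumes the request codes of Microsoft's SQL Server Resolution Protocol (0x02/0x03 are one-byte discovery requests, 0x04 is a per-instance query followed by an instance name of at most 32 characters); the length threshold and the sample packets are constructed.

```python
"""Classify UDP/1434 (ms-sql-m) payloads into legitimate discovery traffic
and oversized instance queries of the kind the worm sends.

Clients are supposed to send a tiny request to the monitor port to learn how
to connect.  The worm's 376-byte datagram starts with 0x04, the per-instance
query, but carries far more than any instance name can hold.  Request codes
are taken from Microsoft's SQL Server Resolution Protocol; the 32-character
name limit is SQL Server's instance-name limit.  Sample packets are constructed."""
from collections import Counter

# First byte of a request to the monitor port.
CLNT_BCAST_EX = 0x02     # "list all instances", broadcast; one byte in total
CLNT_UCAST_EX = 0x03     # same request, unicast
CLNT_UCAST_INST = 0x04   # "describe instance <name>"; name follows, NUL-terminated

MAX_INSTANCE_NAME = 32   # longest legal instance name
SLAMMER_LEN = 376        # UDP payload size of the worm datagram


def classify(payload: bytes) -> str:
    """Return a label for one UDP/1434 payload."""
    if not payload:
        return "empty"
    code = payload[0]
    if code in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        # A discovery request is exactly one byte; anything longer is odd.
        return "discovery" if len(payload) == 1 else "malformed-discovery"
    if code == CLNT_UCAST_INST:
        name = payload[1:].split(b"\x00", 1)[0]
        if len(name) > MAX_INSTANCE_NAME:
            # Too long to be a real instance name: treat as an overflow attempt.
            return "overflow-attempt"
        return "instance-query"
    return "unknown"


def summarize(packets):
    """Count labels over (source, payload) pairs and list sources to alert on.

    Returns (Counter of labels, sorted list of sources that sent an
    overflow-attempt payload)."""
    counts = Counter()
    alert = set()
    for src, payload in packets:
        label = classify(payload)
        counts[label] += 1
        if label == "overflow-attempt":
            alert.add(src)
    return counts, sorted(alert)


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE = [
    ("10.0.0.21", b"\x02"),                          # workstation browsing instances
    ("10.0.0.22", b"\x04MSSQLSERVER\x00"),           # normal instance query
    ("198.51.100.7", b"\x04" + b"A" * (SLAMMER_LEN - 1)),  # stand-in for the worm payload
    ("10.0.0.23", b"\x03"),
    ("203.0.113.9", b"\x04" + b"A" * (SLAMMER_LEN - 1)),
    ("10.0.0.24", b"\x09"),                          # not a request we recognise
]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE)
    for label, n in counts.most_common():
        print(f"{label:20s} {n}")
    print("alert on:", ", ".join(sources))
```

Only the 0x04 requests with an impossibly long name are flagged; the one-byte discovery pings that legitimate clients send are left alone, which is the point of the comment above: the port cannot be turned off, so the traffic to it has to be told apart.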
OK.... so at least half of the problem is the sys admins, though some of you seem to think it's all their fault for not patching the systems... You must all have nice cushy jobs where they pay you to stay on top of things! The problem is, not every sys admin gets paid to do what he'd like, and not every one of those ppl have been with a company long enough to FIND everything that needs fixing, never mind FIX it all. They don't get paid enough or else told "no overtime" and things just don't get done... Sure blame the admins, the guy who just took over the mess that was left for him when the last guy quit two weeks ago is surely to blame, especially since he's so disgusted with the task he's found himself mired in (not to mention the low salary for 24/7 service or else a NO OVERTIME policy) that he's pondering his next resume and cover letter... And no, I'm not a sys admin, I'm a physics student, a self taught computer junkie and a former construction worker, disabled from being a grunt. i just know scapegoating when I see it, and it's all too easy to blame "the man" when in fact, he's getting screwed just like the rest of us.
i just checked my firewall log. since 4am this morning till now, i've gotten 145 hits on port 1434! 367 bytes * 145 = 53215 bytes! holy crap, 53kB, how did my site manage to stay up with that kind of excess traffic!? :)
Further evidence that MS is continuing to contribute to this problem:
15 out of 16 available versions of MS Desktop Engine, which is vulnerable to the attack, cannot be patched by any available download. You must purchase a CD-ROM and wait for it to be delivered.
From Section 2.2 of spreadme.htm from sql2kDesksp2.exe
When downloading and extracting the Desktop Engine SP2 installation file from the Internet, please use the following guidelines.
Download and extract the Desktop Engine SP2 file as described above for the Database Components and Analysis Services SP2 files, with the following exceptions.
If you download the Desktop Engine SP2 file from the Internet, you can apply the service pack only to instances of the Desktop Engine that were installed from sqlrun01.msi. If you attempt to apply the service pack to instances that were created using sqlrun02.msi - sqlrun16.msi from the Setup.exe file that was downloaded from the Internet, you will receive one of the following errors:
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
-or-
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.
To upgrade instances of the Desktop Engine that were created using sqlrun02.msi - sqlrun16.msi, you must apply the service pack from the Microsoft CD-ROM. You can order the SQL Server 2000 SP2 CD-ROM from Microsoft by visiting the Microsoft SQL Server Downloads Web site.
Actually, I think it is just a matter of basics.
For a thorough treatment, this is as good as any I've found and far better than most: MSSQL-UDP Analysis
-- When you look to see how the system works, you usually find that it doesn't.
I started seeing the effects of this attack somewhere between 10:00pm and 10:30pm Central Time, or about 30 to 60 minutes before most reports of "around midnight Eastern time." It was causing some seriously erratic response times through the Minneapolis UUNet/Alternet POP.
billg cannot be an enemy combatant because he does not wear a military uniform.
The business suit is the "uniform" of the American business man. Here's a picture of Bill Gates III in such a uniform.
Whether Microsoft qualifies as a "military" organization is still an open question. The company does seem bigger than many government agencies.
Will I retire or break 10K?
Hm, that's something to think about. If Microsoft wanted to for whatever reason, would they have the power to take out the Internet? I bet they could. Or they might just hold it ransom.
"My advisory
- If you haven't yet installed SP3 you're an idiot
- If you are running your SQL server live you're a
bigger idiot
Time to call in the CISSP's
(double click setup.exe)"
Taken from a security related mailing list
Windows 2000 site goes over two years without a reboot?
netcraft is running a story about MS systems that have NOT been rebooted for 2 years. No wonder the SQL Server virus is still around, dumbass MCSEs are trying to run their systems and apply patches without rebooting. What a mistake!!!
Very interestink.
I got 149 inbound connections between
01:01:56AM and 08:08:04AM
Coincidence? or is it something more?
Please note, to whomever modded my post down: the last access log did not have any 1434 hits.
So, no, this post is not redundant.
... or ANY product, for that matter, they'd be recalled TOMORROW, wouldn't they?
i don't know enough HTML or WTF, so the link automagically acquires a space :-)
should be:
http://lysy2.archives.nd.edu/cgi-bin/words.exe?
and appended to link above
decimatio
"Writings of mad Lawyers! The Lawyers upon you" - old dwarven alarm cry.
I told this story to slashdot BEFORE anyone had heard of it. Nobody is going to read this post anyways........
I had mentioned it a full 3 hours before cnn had it, yes slashdot could have had it first. And to add insult to injury, someone posted it much later and gave me no credit, which wasnt so bad but CNN already had it by then. Slashdot is beginning to suck.
I explained in plain terms what and why and where, so F U im going back to making www.overclockers.com.au my start page.
Because *ANY* monoculture is vulnerable. Even if the software's written securely, there *ARE* bugs. Sendmail's ubiquity gave us the Morris worm. RedHat's popularity gave us a RedHat-only worm (some RPC exploit, I think) a while back - it didn't get much publicity because the thing couldn't *get into* many of the Linux distros. (AAMOF, I think that particular one actually checked to see if the target was RH, which caused it to ignore a couple other distributions that the exploit it depended on *did* work on without recompiling...
" In a sense, M$ makes their servers so that folks CAN be more productive...I know Unix and can admin the machines somewhat (been using it since the mid 80s) but its NEVER point and click like Wind'rs."
We have more than 300 servers affected worldwide, half of them have not been patched yet (in the US most of them folks, not in a far remote place with a part time SA).
I can apply a patch to 300 machines with a 5 line script, most patches I apply are done after 5 or 6 hours (it could be much less, but we are conservative for some reason too long to explain here). I administer UNIX machines.
The empirical evidence is far too strong for you to be making such comments.
... you have also trained your Admin properly and he is not overwhelmed with 200 different tasks.
IANAL but write like a drunk one.
Far too many people assume that you either lock your doors and rely on the police or you carry a gun with you everywhere you go. There are many levels of security between those two. For one thing, you can get a better locking system for your door than a dead bolt that's going into nothing but WOOD. Many people have front or back doors like that that you can just bust right through in one or two attempts. On the other hand, if you have a metal doorway for your deadbolt to slip into, someone is going to have to seriously kick their ass to get in that door.
You could also get an alarm system. Any thieves that are intelligent enough to use a lock picking gun will be deterred either by the alarm system sticker/sign near your door or by the sound of the alarm going off when they enter your house.
A tazer is also a possibility. They're legal in many places, some come in baton form so that you can wield them more easily, and any innocent people that you might strike will not be dead or even permanently harmed.
Obviously, I completely agree with Hieronymous Cowherd, even though I was originally just making a joke.
Mod that down: ignorant.
I'm getting a little fed up with the glib attitude of the /. blind faith in OSS and the bash of anything MS. I work for a company that has been a 100% MS shop for years. I was not happy to learn that that was the whole enchilada, but I took the job because of good pay, advancement opportunity and challenge. At the time, there were actually two *NIX servers on the network: an LRP gateway and a box running SENDMAIL and BIND. The admin of those boxes refused to patch them because he had "worked too hard to get them like he wanted". They were owned within months. Since then I have replaced them both with MS products: the gateway now runs MS RRAS (Win2k) and not only does firewall (with just as complete filtering as you favorite piece of free OS software), nat and logging but also provides a nice PPTP dial in point as well. In the three years I have run it, many have tried to own it, but all fail. Why? Because it is locked down tighter than a tick. Over-zealous hacks like you fail to realize the true reason most MS installations are insecure: because corporations have bought the MS "lower TCO" bullshit and think that it means they can hire less-competent admins for their boxes and get away with it. The problem isn't with the software as much as it is with the people managing these boxes.
You jack-ass. Microsoft allows you to do whatever you want to short of raw sockets manipulation, and you can get to that in an API if you're ambitious and malevolent.
Just because you can't get to it in the GUI doesn't mean you can't do it -- I'd think a true GNU user would know that. If you're using a real Redmond OS (not just a DOS extension), you have the wonderful NetShell (NETSH /? for more) utility to make all your network tasks more straightforward.
For the guy suggesting the patches can't be used because they will break something, ESAD. MS hasn't broken anything significant with a patch to their real OSes (2k, XP) in years. Further, if it has as big a hole as the one that enabled this exploit, it's already broke -- patch the motherfucker!
And as to the moron who suggests that firewalls make admins lazy, FOAD. Admins are not lazy; some who pretend to be are. Take any of the guys talking here who know what they're talking about, give them a three hour crash-course (no pun) in how MS RRAS works on Win2k, and cut them loose. I guarantee they make it work and they make it safe. Why? Because they know what they're doing. Ask the same task out of your average Windows "admin" and he'll give you something that half works and can be penetrated in minutes. It has nothing to do with the software; it's the user. It really chaps my arse that you guys get so anti-MS, because most of you would make really excellent Windows admins! The side benefits would be that I wouldn't be alone among the AOL-users-turned-admins and my payscale would go up. So what are you waiting for? Come on over!
Can I bum a sig? I left mine at the office.
For the most part I fully agree. A firewall is useless as it gives people a false sense of security.
Recently I saw a box that had been routed via ssh and the owner of it asked if we could protect it with a firewall yet he still wanted access to it from his DHCP based dialup without the hassles of using a VPN. This was someone who is highly computer literate however has been sold on firewalls as a perfect solution by many sales droids. He wouldn't have been protected by a firewall in the ssh case.
This worm got into our network via a DMZ owned by a department that wanted a DMZ for 'research'. Why they ever had an Microsoft box on it is a mystery and why it hadn't been patched for 6 months is something else.
In my view security should be done at the edge and only very simple security in the core. The only problem is that you need users with clue > 0 who can set up personal firewalls properly. Sadly I am yet to see a decent iptables type firewall for windows.
Things are getting easier with layer 3 switches becoming affordable. When they are commonplace they will make moving security closer to the edge much easier. Core routers should route, they shouldn't access control, that way you can keep your wire speed routing and give a more flexible environment for users while keeping security where you need security.
There is still no substitute for keeping a box patched.
.......And promise more is on the way all to protest the war against Iraq and North Korea.
http://www.indymedia.org/front.php3?article_id=
2 31 141&group=webcast
If it is true that this was some sort of anti-war protest I'm disappointed.
We are at war with Microsoft and we must do everything we can to destroy it. Bringing down all servers running Microsoft software is a start.
We must never rest until the Microsoft Reich is destroyed and Fuhrer Gates blows his head off in a his bunker.
If this attack is part of that effort, then I salute them. To quote Winston Churchill, "never have so many owed so much to so few."
On the other hand, if they are a bunch of script kiddies ... they should be shot.
Here is the correct link to the story - http://www.indymedia.org/front.php3?article_id=23
hmmm,
that's funny, I thought one of IPSEC's features was the ability to filter/block ips/ports.
I suspect there is no love for Mr Gates among the crowd mentioned in that article.
There is a scanner available to find vulnerable systems. The free version can scan up to a class C address at once.
Get it here:
[SapphireSQL]
Also, Microsoft this morning released an updated patch kit for SQL Server 2000 and MSDE 2000, that allegedly eliminates needing to manually copy files and run manual commands. Supposedly, installing the patch only requires two clicks, so most Windows administrators should be able to handle it (ducking for cover....)
You can get the new patch kit here:
[slammer]
PSS Security Response Team Alert - New Worm: W32.Slammer
UPDATED: January 26, 2003
SEVERITY: CRITICAL
DATE: January 25, 2003
PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000
Yes, I am talking about a few buffer overflow attacks from October, and the point is that under certain configurations (even if that config is not the default) that a remote exploit was theoretically possible.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Where I work machines providing all kind of internal services (DNS, NIS+, DHCP) were affected due to the traffic.
I can't give more details, but it is clear this has been very serious.
I've explained this to my Information Security department so many times I should make an mp3 and have it auto-emailed to them every time CERT sends out an alert...
All I know is that it's making me work today. And I'm not exactly happy about that.
Vista:XPSP2::ME:98SE
I agree, except that I think you give the mindless MS bashers too much credit. If they knew their stuff, they wouldn't make such ignorant comments about Windows.
The most technically sophisticated people I've met in the Unix/Linux world are usually the least dismissive of Windows or Macintosh, because they have a deeper understanding of the issues and tradeoffs. The annoying Slashdot "M$ sux" types are poseurs.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
Would Ms. God like to change her password?
Then blame the admins. Do you blame Mercedes because a lawyer in a convertible is an accident waiting to happen?
Can I bum a sig? I left mine at the office.
Huh?
None of those overflows were triggerable unless you already had an account with the RDBM. Exploit? Yes. Remote? No.
BWP
Hey troll. Do you have a sister? Is she cute?
Oh, how about your mom then?
Interesting!=Informative!=Insightful && Interesting!=Insightful
The `!=' is not transitive.
Furry cows moo and decompress.
Hey, since it's Monday and all, I was just wondering. Could I just skip writing a response, and you just write another ignorant, juvenile post anyway?
Thanks,
Featureless
P.S. - Don't long for a response. You've been filtered.
Want to Know How to Cheat the GPL? Read On!
As to delivery systems, they have a lot of planes, and here's an overview of their long range missile technology that is known about publicly at this time
They are also stark raving NUTZ. By most accounts the most controlled, closed and brainwashed lock step military regime on the planet. Not the largest, but the most controlled-albeit some other "regimes" are headed that way, including ones large and close, but that's another topic. The thought that people are so desperate there they would risk torture and/or death just to escape to mainland china as a step up should be a serious clue. They also get caught all the time basically committing acts of "mini warfare" against south korea and japan, inserting commandos, etc, kidnapping people, etc, etc. And their only real exports and R&D of note are armaments, that's it.
--delivery methods can be as simple as loading one up in a container and having it delivered to the major port city of your target nation perhaps*. Call it an ICCDS, an intercontinental cargo container delivery system. And just suppose-just for grins-that there exists a global long range plan by a group of nations to eliminate what they perceive to be a "threat" posed by the US. Global politics is too complex for simplistic realities, I don't claim to "know it all" on geopolitics, but it has been a major interest of mine for 4 decades now following it, and the concept of a preemptive asymmetrical strike combined with conventional and supra-conventional strike is not totally absent from the realms of possibility or even probability for that matter. And their-back to the NKs now- last test wasn't a failure, by most accounts it went further and "better" than what "they" -the international arms watching community- expected. It might not have hit all of its projected goals, but it got from point A to B, and did it years earlier than all the previous projections had their analysis pegged for.
I think they are a credible threat, and we'd have a hard time dealing with them short of nukes, and if nukes were used all over the peninsula, japan would be hosed from fallout-more or less, and I got no idea how china would react, call it "most annoyed" to be on the conservative side. And we aren't even mentioning any other surprises of the biological kind might be hidden inside the US for "just in case" scenarios. And they have blackmailed us, we give them food and until lately oil so they would stop their nuke and export missile projects. The food went to party members and to keep their army fed, and now the scandal is a lot of south korean cash went there as well, that is still developing. It's a complex situation. We also shipped them two reactors gratis of the kind that allegedly can't be used to make weapons with. they didn't even say thanks, just took them. That's blackmail as close as I understand the term, and we paid it. There's no wiggle room there. They threatened to keep working on advanced weapons unless they were paid off, we "trusted" them, paid them off, and surprise! Like most nations they are liars. It was a doomed from the start impractical gambit, so was leaving the war hanging way back when. Yet another subject that would have to delve into the UN and high level traitors in the US and whatnot, another time perhaps.
I think we are more or less on the same page here, I just tend to give them a scosh more of a + rating as a military force than I would say iraq, and a +++ rating on going batsquat sometime. Not that it would matter if they used it-except for the millions of people who would croak, and what the consequences would be of a major war there, and whether or not other wars might break out once that one started, and if asymmetrical warfare hit CONUS, which I would give a 99% probability of happening. International "things" have a past historical reality of getting quite out of hand sometimes, too many wildcards to adequately predict what might happen or how far it would go.
** bet this has already happened to the US, and deep (and intelligently) hidden someplace are some nukes, delivered by "some other nation or nations". Another topic, and no, no pure hard evidence (beyond defectors' stories) to go on beyond the fact that for the past decades, untold thousands of tons of whatever have gotten successfully smuggled in, and untold millions of completely unvetted humans are waltzing around this nation. I have no idea how many of those millions of folks from various nations are serious badguys and NEITHER do our government agencies tasked with "protecting" us. Our borders have been in the "horse is out of the barn" state for a long time now, and it still hasn't changed much, even after 9-11.
But if you ever have a change of heart, all you need to do is make a daemon that will respond to a 1434 UDP packet with an 04 in the first byte by sending a one-byte UDP 1434 response with an 08 as the data.
Got to love Micro$oft servers. Every virus ever written attacks M$.... When are IT people going to wake up to the fact M$ servers suck. M$ should stick to workstation operating systems and leave the server OS to Linux, Novell and other REAL NOS programs...
I forgot to mention that those port scans for ms-sql-s first started heavily occurring last wednesday. I guess (they) were busy trying to find SQL Servers out there before the weekend's attack. Also, in the past several months we've had heavy port scans from Asia originations, as specified above with all the C Classes. Keep an eye on the LACNIC (Latin America Networks) as there seems to be a slight ramp up of junk from there, such as 200.x.x.x Also the European Union like Romania 209.239.64.0 Lots of work to do from the firewall perspective.