MS SQL Server Worm Wreaking Havoc
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published
in June 2002. Several core routers have taken to blocking port 1434 outright.
If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
Kevin Mitnick is allowed back on the net and the net goes fubar
how many quries at the root level are unnecessary. :)
Terrorism? Bill Gates better be detained indefinitely as an enemy combatent then. Finally, some good may come out of this terrorism paranoia!
Are these the same people that leave their cars unlocked with the keys in the ignition? ;-)
A real idiot would leave the car locked witht the keys in the ignition...
I guess they learn something at MSCE courses
I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.
/. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.
.edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.
Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?
I start to fire up
*clickity click*
1434? The hell is 1434. Worm?
*slashdot shows*
Ah ha! Ve haf comprehension.
*groggily shuffle off to get coffee, oooo black gold*
For what it's worth, a majority of the packets so far have been mostly US servers --
Heh...on the Fox News Channel's ticker, they had the following tidbit of information:
"The virus spreads using a Microsoft vulnerability known as "SQL Server""
This space intentionally left blank.
This one has surprised me most so far:
tybclbsqla02.listbuilder.com
Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.
whois listbuilder.com
Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080
Get your own free personal location tracker
What's it matter? It's not like you people have gone to work since last July anyway.
billg cannot be an enemy combatant because he
does not wear a military uniform.
So he must be an _illegal_ combatant.
Therefore, if guilty, he will have to go to
Guantanamo Bay for a few years to "help with
investigations".
Of course, proof cannot be given for his guilt
because that might jeopardize national security.
Therefore no trial until terrorism is defeated.
Can't afford to take chances with them terrorists!
" been watching this all night...
the fun's almost over now"
I sincerely thank you, Sir or Madam. I previously thought that I was the most sad, laughable figure in the entire world, but now, having read your post, which conjures up images of someone sitting in front of their monitor, snacks in hand, gasping in amazement at the output of tail -f on their firewall log all night, I know that there is yet hope for me.
graspee
I found it amusing that the two current headlines on the front page under the technology section at CNN are:
Gates pledges better software security
Electronic attack slows Net
Now if they would only address security before they released their products we might not see these issues.
Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.
Locks promote softer security.
"Oh, I'm OK because I have locked doors and windows..."
I think door locks make people lazy. Imagine if we didn't have deadbolts, or doors for that matter. We'd have to sit in front of the front door, with a shotgun, never sleeping for more than a few moments.
In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.
And every email admin in the western world heaved a sigh of relief