Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
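As an added illustration (not part of the original submission), the traffic described above can be picked out of a gateway log by its two stated properties: UDP destination port 1434 and a 376-byte payload. The log lines are constructed samples in netfilter `LOG` format using documentation addresses; the format itself is an assumption, and in it the `LEN=` after `DPT=` is the UDP length, which includes the 8-byte UDP header.

```python
import re
from collections import Counter

WORM_PORT = 1434      # ms-sql-m, as stated in the story
WORM_PAYLOAD = 376    # payload size in bytes, as stated in the story
UDP_HEADER = 8        # the UDP LEN field counts header + payload

# Constructed sample input (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Jan 25 05:31:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=4211 PROTO=UDP SPT=1045 DPT=1434 LEN=384
Jan 25 05:31:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=4212 PROTO=UDP SPT=1045 DPT=1434 LEN=384
Jan 25 05:31:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=901 PROTO=UDP SPT=2202 DPT=1434 LEN=384
Jan 25 05:31:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=65 TOS=0x00 PREC=0x00 TTL=60 ID=77 PROTO=UDP SPT=40211 DPT=53 LEN=45
Jan 25 05:31:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=15 PROTO=UDP SPT=50100 DPT=1434 LEN=9
Jan 25 05:31:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=300 PROTO=TCP SPT=3321 DPT=1433 WINDOW=16384 SYN
"""

# Capture source address, destination port and UDP length from UDP entries only.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=UDP SPT=\d+ DPT=(?P<dpt>\d+) LEN=(?P<udplen>\d+)"
)


def worm_sources(log_text):
    """Count, per source address, packets matching both port and payload size."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a UDP entry (or not a LOG line at all)
        payload = int(m["udplen"]) - UDP_HEADER
        if int(m["dpt"]) == WORM_PORT and payload == WORM_PAYLOAD:
            hits[m["src"]] += 1
    return hits


if __name__ == "__main__":
    for src, count in worm_sources(SAMPLE_LOG).most_common():
        print(f"{src}\t{count} matching packets")
```

Matching on payload size as well as port keeps small, legitimate queries to UDP 1434 from being counted alongside the 376-byte packets.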

16 of 906 comments

  1. Who did this I wonder????? by amigaluvr · · Score: 4, Funny

    Kevin Mitnick is allowed back on the net and the net goes fubar

    1. Re:Who did this I wonder????? by Anonymous Coward · · Score: 5, Funny

      It was not Mitnick.

      I investigated this matter and came up with the following theory.

      Port 1434 = 1+4+3+4 = 12

      12 is the number of the month when Steve Gibson got hired as a consultant. Coincidence? I think not!

      SQL (alphabet numbered) = S(19) + Q(17) + L(12) = 48

      48 is the number of states which are connected together on US map. That means that the attack came either from Hawaii or Alaska.

      Using the search on a popular site called Google, I was able to track down the perpetrator.

      So at the end we are left with one answer: Steve Gibson is just hax0ring back, in an elaborate revenge plan to outlaw port 1434 and raw sockets.

  2. Ok now tell me by vicviper · · Score: 4, Funny

    how many queries at the root level are unnecessary. :)

    1. Re:Ok now tell me by DarkZero · · Score: 4, Funny

      More today than yesterday.

  3. Re:Terrorism, must be by weave · · Score: 5, Funny

    Terrorism? Bill Gates better be detained indefinitely as an enemy combatant then. Finally, some good may come out of this terrorism paranoia!

  4. Re:Whoever puts their database server by cyb97 · · Score: 5, Funny

    Are these the same people that leave their cars unlocked with the keys in the ignition?
    A real idiot would leave the car locked with the keys in the ignition...
    I guess they learn something at MSCE courses ;-)

  5. Yow! Good call /. by JasonUCF · · Score: 5, Funny

    I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.

    Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?

    I start to fire up /. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.

    *clickity click*

    1434? The hell is 1434. Worm?

    *slashdot shows*

    Ah ha! Ve haf comprehension.

    *groggily shuffle off to get coffee, oooo black gold*

    For what it's worth, a majority of the packets so far have been mostly US servers -- .edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.

  6. Fox News by avalys · · Score: 5, Funny

    Heh...on the Fox News Channel's ticker, they had the following tidbit of information:

    "The virus spreads using a Microsoft vulnerability known as "SQL Server""

    --
    This space intentionally left blank.
    1. Re:Fox News by Kashif+Shaikh · · Score: 4, Funny

      Heh...on the Fox News Channel's ticker, they had the following tidbit of information:

      Well, on CNN's headline newsticker they have:

      "[Microsoft][ODBC SQL Server Driver]Operation canceled

      [Microsoft][ODBC SQL Server Driver]Timeout expired

      ODBC: Msg 0, Level 16, State 1

      Communication link failure

      Connection Broken"

  7. Re:Yow! Good call /. by caluml · · Score: 5, Funny

    This one has surprised me most so far:
    tybclbsqla02.listbuilder.com

    Hmm. Lists equal large databases.
    Large databases usually mean a DBA.
    DBAs should know better.

    whois listbuilder.com

    Technical Contact:
    Microsoft (EJSEHEQUAO)
    msnhst@MICROSOFT.COM
    Microsoft
    One Microsoft Way
    Redmond, WA 98052
    US
    425-882-8080

  8. Re:wow yeah! by dangermouse · · Score: 5, Funny
    and what better time than on a Saturday morning when all admins are away and not planning to work the next day

    What's it matter? It's not like you people have gone to work since last July anyway.

  9. billg has no uniform; therefore illegal combatant by Swordfish · · Score: 5, Funny

    billg cannot be an enemy combatant because he
    does not wear a military uniform.
    So he must be an _illegal_ combatant.
    Therefore, if guilty, he will have to go to
    Guantanamo Bay for a few years to "help with
    investigations".
    Of course, proof cannot be given for his guilt
    because that might jeopardize national security.
    Therefore no trial until terrorism is defeated.
    Can't afford to take chances with them terrorists!

  10. Re:been watching this all night by Graspee_Leemoor · · Score: 4, Funny

    " been watching this all night...
    the fun's almost over now"

    I sincerely thank you, Sir or Madam. I previously thought that I was the most sad, laughable figure in the entire world, but now, having read your post, which conjures up images of someone sitting in front of their monitor, snacks in hand, gasping in amazement at the output of tail -f on their firewall log all night, I know that there is yet hope for me.

    graspee

  11. Re:Patch by Anonymous Coward · · Score: 5, Funny

    I found it amusing that the two current headlines on the front page under the technology section at CNN are:

    Gates pledges better software security
    Electronic attack slows Net

    Now if they would only address security before they released their products we might not see these issues.

  12. Re:As I said in a previous post... by DarkZero · · Score: 5, Funny

    Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.

    Locks promote softer security.

    "Oh, I'm OK because I have locked doors and windows..."

    I think door locks make people lazy. Imagine if we didn't have deadbolts, or doors for that matter. We'd have to sit in front of the front door, with a shotgun, never sleeping for more than a few moments.

  13. Re:Terrorism, must be by hardcode · · Score: 4, Funny

    In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

    And every email admin in the western world heaved a sigh of relief