Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
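The summary gives the worm's on-the-wire signature (a 376-byte UDP payload to port 1434, arriving at rates of 10 per minute or more from individual sources). The following script is an added example, not part of the Slashdot story or any commenter's post: it parses netfilter-style gateway log lines (a format assumed here; the sample lines are constructed, not real captures), picks out packets matching that signature, and flags sources that exceed a per-minute rate. Matching on the UDP length rather than the port alone keeps legitimate small SQL Server resolution queries to 1434 from being counted as worm traffic.

```python
import re
from collections import Counter

# Constructed netfilter-style firewall log lines (assumed format, not a real capture).
# The LEN after DST is the IP total length; the LEN after DPT is the UDP length
# (8-byte UDP header + payload), so a 376-byte payload shows up as LEN=384.
SAMPLE_LOG = """\
Jan 25 05:31:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=4112 PROTO=UDP SPT=1137 DPT=1434 LEN=384
Jan 25 05:31:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=4113 PROTO=UDP SPT=1137 DPT=1434 LEN=384
Jan 25 05:31:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.22 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=4114 PROTO=UDP SPT=1137 DPT=1434 LEN=384
Jan 25 05:31:09 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=9 PROTO=UDP SPT=3221 DPT=1434 LEN=384
Jan 25 05:31:15 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.20 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=UDP SPT=49152 DPT=1434 LEN=9
Jan 25 05:31:20 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=78 DF PROTO=TCP SPT=50001 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<minute>\d\d:\d\d):\d\d) \S+ kernel: (?P<action>\w+) "
    r"IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<iplen>\d+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?: LEN=(?P<l4len>\d+))?"
)

UDP_HEADER_LEN = 8
SLAMMER_DST_PORT = 1434      # ms-sql-m, from the story
SLAMMER_PAYLOAD_LEN = 376    # UDP payload size, from the story


def parse_line(line):
    """Return the fields of one netfilter log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("iplen", "spt", "dpt", "l4len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def is_slammer_probe(rec):
    """True when a record matches the worm signature: UDP to 1434 carrying exactly 376 bytes."""
    return (
        rec["proto"] == "UDP"
        and rec["dpt"] == SLAMMER_DST_PORT
        and rec["l4len"] is not None
        and rec["l4len"] - UDP_HEADER_LEN == SLAMMER_PAYLOAD_LEN
    )


def summarize(log_text, per_minute_threshold=10):
    """Count matching probes per source and flag sources that exceed the rate in any one minute.

    Other traffic to 1434 (e.g. ordinary short resolution queries) is counted separately
    so that the port alone is not treated as an indicator.
    """
    per_source = Counter()
    per_source_minute = Counter()
    other_1434 = 0
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if is_slammer_probe(rec):
            per_source[rec["src"]] += 1
            per_source_minute[(rec["src"], rec["minute"])] += 1
        elif rec["dpt"] == SLAMMER_DST_PORT:
            other_1434 += 1
    alerts = sorted({src for (src, _), n in per_source_minute.items() if n >= per_minute_threshold})
    return {
        "lines": parsed,
        "probes": sum(per_source.values()),
        "per_source": dict(per_source),
        "other_1434": other_1434,
        "alerts": alerts,
    }


if __name__ == "__main__":
    # Low threshold for the six-line sample; the story's figure of 10/minute is the default.
    report = summarize(SAMPLE_LOG, per_minute_threshold=3)
    print(f"{report['probes']} probe(s) from {len(report['per_source'])} source(s); "
          f"{report['other_1434']} other packet(s) to 1434")
    for src in report["alerts"]:
        print(f"ALERT: {src} exceeded the per-minute threshold")
```

Run against a real gateway log, the `alerts` list is what you would feed into an access-list or blocklist update; the `per_source` counts tell you which internal hosts are the ones to pull off the network and patch, which is the actual fix the story points at.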

20 of 906 comments

  1. Terrorism, must be by isorox · · Score: 4, Interesting

    In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

    It said the shutdown was triggered by "apparent cyber terror committed by hackers".


    http://news.bbc.co.uk/1/hi/technology/2693925.stm

  2. wow yeah! by matth · · Score: 5, Interesting

    Where I work we ended up with quite the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greeted with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!

    Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!

  3. First hand report by AirLace · · Score: 4, Interesting

    Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped Christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules across our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..

  4. how bad is it? by chevelleSS · · Score: 3, Interesting

    What does this worm rank compared to other DDOS in the past?

  5. CNN & AP Beat Slashdot by Anonynmous+Cow · · Score: 3, Interesting

    I was very surprised to discover both AP and CNN beat Slashdot to this story.

    Very disappointing.

    Timely is as important as accurate SlashEditors. Many of us look to you when big events occur...

    Especially considering this all began about 8 hours ago!

  6. problem still around by Dynamic+Drive · · Score: 3, Interesting

    I've been watching this havoc unfold all night as well. I wonder how long it's going to take for the entire problem to clear. Most sites that were previously inaccessible for me are now accessible, except some of our own. Makes me wonder if something else is going on in these datacenters.

  7. Re:As I said in a previous post... by caluml · · Score: 4, Interesting

    No, firewalls are for use as your needs require.
    I, for instance, allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's an R + D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stifle the lab users' productivity. Still, I added the block on that specific port so that, in the slim chance an internal box was infected (lord knows how), it would be a localised problem, not contributing.

    I don't think you should tell people what firewall rules they should be running.

  8. Re:As I said in a previous post... by blowdart · · Score: 3, Interesting
    There's no reason a database server's protocol port should ever be exposed to the public Internet!

    No reason? Really? What about distributed servers taking to a central database? Desktop software that queries a remote database? Remote administration of a remote database? All legitimate reasons.

  9. Has this affected Microsoft? by Raven-sama · · Score: 3, Interesting

    I don't know if anyone else has had the same problem, but xxx@msn.com email addresses seem to not be working on Hotmail. I doubt they're related, but has anyone else had the same problem, and is this likely to be the cause? By the way, xxx@hotmail.com accounts work fine.

  10. Re:One at our site cut itself off from the net... by weave · · Score: 3, Interesting
    Looks like this post to bugtraq explains why that router at my college died from this:

    "Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."

  11. 50% from Colleges??? by Gothmolly · · Score: 4, Interesting

    About half of the sources I've seen have been either .edu sites or sites in other countries which belong to colleges (ualberta.ca, etc.). Is there some sinister correlation here? Perhaps colleges get free MS-ware, and let the students run the networks?

    --
    I want to delete my account but Slashdot doesn't allow it.
  12. Re:How about some story on open source flaws? by croftj · · Score: 3, Interesting

    If a unix vulnerability was ever exploited to the levels that this sql one or Nimda or SirCam were, I'm sure one of you AC's would let us know!

    It's amazing how many people just don't feel they have to upgrade their machines. I'm still getting Nimda hits. The sql exploit is using a vulnerability 6 months old!

    Shows you the real vulnerability is the image that MS has palmed off on the public for 20 years! With our system you don't need to worry about good administration! It just works and works and works! Why pay for an admin when you can buy MS Win-X?

    --
    -- Many men would appreciate a woman's mind more if they could fondle it
  13. Re:As I said in a previous post... by Zeinfeld · · Score: 5, Interesting
    Firewalls promote softer security.

    I have argued for many years that people tend to get the idea that a firewall is some kind of +8 amulet of protection they just strap on which will protect them from pretty much anything.

    However there are real benefits to using firewalls and NAT boxes. Unfortunately there are some members of the IESG who are confused on this point but that's because they are blinkered by the end-to-end dogma. I'll note here that Steve Bellovin, the new security AD, knows a thing or two about firewalls.

    There are actually two end-to-end principles. Applied to networking it meant put the intelligence at the ends, not in the middle of a communication. This was applied to security to mean the same thing.

    End-to-end is appropriate to the design of network protocols; it is inappropriate as a guide to operational security. Many protocols are not designed securely, most protocol implementations have flaws.

    Another dogma that is inappropriate to operational security is the 'security through obscurity' trope. A design that relies on security through obscurity is broken. This does not mean that operators should divulge all the details of their operations to attackers in the hope this will improve security, it will not. Argument of this type was used to block the introduction of shadow passwords on UNIX for years after the vulnerability to dictionary attacks was widely known and being exploited by attackers.

    A firewall and NAT box provides a significant degree of security at low cost. NAT provides a means of concealing the internal structure of the network. This does not eliminate the possibility of attack but raises the bar significantly. If you are running a site that is considered attractive to hackers a technology that weeds out the knob turners and dimmer script kiddies has value.

    What we need to move to is security in depth, recognizing that design security and operational security are different and that both are important.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  14. 10 packets per minute, my ass !!! by CptMatt · · Score: 3, Interesting

    I slapped a line on our access list in our BGP routers this morning at around 8:30 A.M. Even though our firewall was blocking this port, figured it would be better to block in silicon rather than at the O/S level. In almost 2 hours, we have received over 190,000 packets from this worm. I have a feeling it's going to get a lot worse before it gets better

  15. Re:As I said in a previous post... by Dudio · · Score: 5, Interesting

    I wouldn't say firewalls make people lazy; it's more a problem of people not understanding security.

    These people are just as likely to say things like "I'm 3DES encrypting my data, so there's no way anybody can read it", because they fail to understand the meaning of statements like "cracking 3DES is computationally infeasible". When you try to explain to them that their webserver and applications are much more likely to be their weakness than their encryption algorithm, they give you blank looks and mutter about the Computerworld article that said 3DES is "unbreakable encryption". It's not a problem with 3DES (or any strong algorithm); it's a problem with people not understanding that any security measure can be negated by poor design in other parts of their architecture.

    It's the same thing with firewalls. Only the unknowledgeable would drop in a firewall and then go off to the bar to celebrate their newly "secure" network. That doesn't mean that the firewall is useless; it is still a crucial tool for securing one's network. The problem is the people who have no idea how to use the tool properly, and no concept of what a real-world attack actually looks like.

  16. Re:UUNET woes? by RazzleDazzle · · Score: 4, Interesting

    I work for an ISP and I just got home from work where we had to deal with this madness. It was absolutely horrible people. We got word from UUNET that it is port 1434/udp traffic and they are adding that to their egress filters. We just blocked 1434/udp altogether, at least initially.

    We have many many colocated customers, many of whom run msql. This issue is horrible in that it is causing massive packet loss and when packets do get through the latency is around 500ms and up and that is for an all ethernet network segment. Our core router was getting slammed and cpu utilization would hang out at around 100%.

    When we started unplugging switches from the routers, traffic would return to normal. We then pinpointed it down to all of our colo customers and disconnected just the sql servers from the network. Effing pain in the ass though.

    Goddamned MS and their crappy no-password-requirement for the sql admin user and the moron admins who don't patch their system. Are people this trusting of MS that their servers are safe and/or this stupid they just don't apply patches until they get screwed?

    Whatever, I am soooo tired... g'night

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  17. Re:As I said in a previous post... by Zeinfeld · · Score: 3, Interesting
    One of the best things you can do with a firewall is something it's hard to do with a desktop machine...LOG.

    The problem with logging is that it is useless unless you actually review the logs. This rarely happens until after a site has been compromised.

    Much more useful is to have the firewall connected up to a 24x7 monitoring, or better management service like Counterpane, VeriSign or whatever.

    Over time I expect the cost of high end firewalls to drop significantly. I have two firewalls at home, neither cost more than $200 and they are both pretty adequate for my needs. So why does an enterprise setup cost $80K rather than $4K or so?

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  18. Whats interesting... by Anonymous Coward · · Score: 4, Interesting

    ... is that our Corporate IT has *outsourced* all control of our firewalls (to a company which recently filed chapter 11, if I recall), and so can't update them on the fly...

    And, on top of this, our "corporate IT security" just sent out an email that some of their *internal* machines were infected (so obviously *something* was accessible through the firewall) and now we who are connected to corporate via a T1 must apply the patches. So much for the firewall.

    This also happened with Code Red two years ago. Big panic, everyone patching their systems, because corporate had holes in the firewall.

    Yet, we have our own firewall to a customer site (which we've managed on our own for years, and which corporate now wants to take over) which we have *never* been infected via. Go figure.

    Not saying that we shouldn't have been up on it, but we have no one dedicated to IT Security (funny, since we do DOD work) in our building, and we are all so swamped with other stuff we rarely have the time to keep up with it.

    At my *last* job, however, we set up a new box and immediately port-scanned it... knew what every service was on the box, and if we didn't, closed it down. And that *wasn't* DOD... e-commerce. And we kept on top of patches.

    So... your credit card number was *really* safe at my old job... but our nation's secrets may not be at the new job.

    Go figure.

  19. Re:!!!ATTENTION MS ADMINS!!! by Sheetrock · · Score: 3, Interesting
    I fully agree.

    My only question is that if this is so important, why do they banish it to parts unknown (pardon, the depths of their Technet site) rather than placing it in everybody's Start menu? Cheers to their security consciousness, jeers to their halfassed methods of information deployment.

    --
    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  20. Re:As I said in a previous post... by duffbeer703 · · Score: 3, Interesting

    One of the big problems with applying Microsoft patches, is that Microsoft uses patches to push unpopular and/or useless software on people.

    For example, applying security hotfixes to Windows XP causes MSN Messenger to be installed, even if it was previously removed. This practice got a Microsoft infantry mobile-computing solution to be disqualified when Outlook Express and MSN Messenger were installed to Army XP-Embedded machines.

    If you blindly apply MS patches to a mission-critical system, you're nuts. If you have the time to verify the multitude of MS patches as they come, you are probably soon to be unemployed.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK