Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
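Added example, not part of the original story or comments: a short Python check that picks out internal hosts showing the traffic pattern the summary describes (376-byte UDP payloads to port 1434, sent to many different addresses). The flow-record format, the 10.0.0.0/8 internal range, the sample records and the five-target threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WORM_PORT = 1434      # ms-sql-m, UDP (from the story summary)
WORM_PAYLOAD = 376    # UDP payload size in bytes (from the story summary)

# Constructed flow records, not real traffic. Assumed format:
# "src_ip dst_ip proto dst_port payload_bytes"
SAMPLE_FLOWS = """\
10.1.4.20 198.51.100.7 udp 1434 376
10.1.4.20 203.0.113.91 udp 1434 376
10.1.4.20 192.0.2.14 udp 1434 376
10.1.4.20 198.51.100.200 udp 1434 376
10.1.4.20 203.0.113.5 udp 1434 376
10.1.7.9 10.1.4.20 udp 1434 40
10.1.7.9 10.1.4.20 udp 1434 40
10.1.2.2 192.0.2.53 udp 53 48
203.0.113.77 10.1.4.21 udp 1434 376
garbage line
"""

def suspect_hosts(flow_text, internal_net="10.0.0.0/8", min_targets=5):
    """Return {internal_src: distinct_dst_count} for hosts that match the
    pattern: 376-byte UDP payloads to port 1434 sent to at least
    min_targets different addresses."""
    net = ipaddress.ip_network(internal_net)
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        src, dst, proto, dport, size = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dport, size = int(dport), int(size)
        except ValueError:
            continue  # skip records with unparsable addresses or numbers
        if proto.lower() != "udp" or dport != WORM_PORT or size != WORM_PAYLOAD:
            continue  # small queries to 1434 or other ports are not the pattern
        if src_ip in net:  # only report hosts we can unplug or patch ourselves
            targets[src].add(dst)
    return {h: len(d) for h, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, count in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {count} distinct UDP/1434 targets with 376-byte payloads")
```

Counting distinct destinations rather than packets keeps a client that repeatedly queries one SQL Server on port 1434 out of the result.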

9 of 906 comments

  1. Terrorism, must be by isorox · · Score: 4, Interesting

    In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

    It said the shutdown was triggered by "apparent cyber terror committed by hackers".


    http://news.bbc.co.uk/1/hi/technology/2693925.stm

  2. wow yeah! by matth · · Score: 5, Interesting

    Where I work we ended up with quite the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greeted with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!

    Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!

  3. First hand report by AirLace · · Score: 4, Interesting

    Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules across our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..

  4. Re:As I said in a previous post... by caluml · · Score: 4, Interesting

    No, firewalls are for use as your needs require.
    I, for instance, allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's an R + D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stifle the lab users' productivity. Still, I added the block to that specific port in the slim chance that an internal box was infected (lord knows how) that it would be a localised problem, not contributing.

    I don't think you should tell people what firewall rules they should be running.

  5. 50% from Colleges??? by Gothmolly · · Score: 4, Interesting

    About half of the sources I've seen have been either .edu sites or sites in other countries which belong to colleges (ualberta.ca, etc.). Is there some sinister correlation here? Perhaps colleges get free MS-ware, and let the students run the networks?

    --
    I want to delete my account but Slashdot doesn't allow it.

  6. Re:As I said in a previous post... by Zeinfeld · · Score: 5, Interesting

    Firewalls promote softer security.

    I have argued for many years that people tend to get the idea that a firewall is some kind of +8 amulet of protection they just strap on which will protect them from pretty much anything.

    However there are real benefits to using firewalls and NAT boxes. Unfortunately there are some members of the IESG who are confused on this point but that's because they are blinkered by the end-to-end dogma. I'll note here that Steve Bellovin, the new security AD, knows a thing or two about firewalls.

    There are actually two end-to-end principles. Applied to networking it meant put the intelligence at the ends, not in the middle of a communication. This was applied to security to mean the same thing.

    End-to-end is appropriate to the design of network protocols, it is inappropriate as a guide to operational security. Many protocols are not designed securely, most protocol implementations have flaws.

    Another dogma that is inappropriate to operational security is the 'security through obscurity' trope. A design that relies on security through obscurity is broken. This does not mean that operators should divulge all the details of their operations to attackers in the hope this will improve security, it will not. Argument of this type was used to block the introduction of shadow passwords on UNIX for years after the vulnerability to dictionary attacks was widely known and being exploited by attackers.

    A firewall and NAT box provides a significant degree of security at low cost. NAT provides a means of concealing the internal structure of the network. This does not eliminate the possibility of attack but raises the bar significantly. If you are running a site that is considered attractive to hackers a technology that weeds out the knob turners and dimmer script kiddies has value.

    What we need to move to is security in depth, recognizing that design security and operational security are different and that both are important.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  7. Re:As I said in a previous post... by Dudio · · Score: 5, Interesting

    I wouldn't say firewalls make people lazy; it's more a problem of people not understanding security.

    These people are just as likely to say things like "I'm 3DES encrypting my data, so there's no way anybody can read it", because they fail to understand the meaning of statements like "cracking 3DES is computationally infeasible". When you try to explain to them that their webserver and applications are much more likely to be their weakness than their encryption algorithm, they give you blank looks and mutter about the Computerworld article that said 3DES is "unbreakable encryption". It's not a problem with 3DES (or any strong algorithm); it's a problem with people not understanding that any security measure can be negated by poor design in other parts of their architecture.

    It's the same thing with firewalls. Only the unknowledgeable would drop in a firewall and then go off to the bar to celebrate their newly "secure" network. That doesn't mean that the firewall is useless; it is still a crucial tool for securing one's network. The problem is the people who have no idea how to use the tool properly, and no concept of what a real-world attack actually looks like.

  8. Re:UUNET woes? by RazzleDazzle · · Score: 4, Interesting

    I work for an ISP and I just got home from work where we had to deal with this madness. It was absolutely horrible, people. We got word from UUNET that it is port 1434/udp traffic and they are adding that to their egress filters. We just blocked 1434/udp altogether, at least initially.

    We have many many colocated customers, many of whom run msql. This issue is horrible in that it is causing massive packet loss and when packets do get through the latency is around 500ms and up and that is for an all ethernet network segment. Our core router was getting slammed and cpu utilization would hang out at around 100%.

    When we started unplugging switches from the routers, traffic would return to normal. We then pinpointed it down to all of our colo customers and disconnected just the sql servers from the network. Effing pain in the ass though.

    Goddamned MS and their crappy no-password-requirement for the sql admin user and the moron admins who don't patch their system. Are people this trusting of MS that their servers are safe and/or this stupid they just don't apply patches until they get screwed?

    Whatever, I am soooo tired... g'night

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)

  9. What's interesting... by Anonymous Coward · · Score: 4, Interesting

    ... is that our Corporate IT has *outsourced* all control of our firewalls (to a company which recently filed chapter 11, if I recall), and so can't update them on the fly...

    And, on top of this, our "corporate IT security" just sent out an email that some of their *internal* machines were infected (so obviously *something* was accessible through the firewall) and now we who are connected to corporate via a T1 must apply the patches. So much for the firewall.

    This also happened with Code Red two years ago. Big panic, everyone patching their systems, because corporate had holes in the firewall.

    Yet, we have our own firewall to a customer site (which we've managed on our own for years, and which corporate now wants to take over) which we have *never* been infected via. Go figure.

    Not saying that we shouldn't have been up on it, but we have no one dedicated to IT Security (funny, since we do DOD work) in our building, and we are all so swamped with other stuff we rarely have the time to keep up with it.

    At my *last* job, however, we set up a new box and immediately port-scanned it... knew what every service was on the box, and if we didn't, closed it down. And that *wasn't* DOD... e-commerce. And we kept on top of patches.

    So... your credit card number was *really* safe at my old job... but our nation's secrets may not be at the new job.

    Go figure.