Slashdot Mirror
MS SQL Server Worm Wreaking Havoc
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published
in June 2002. Several core routers have taken to blocking port 1434 outright.
If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
Has someone scanned the UDP packets and reported what's inside ?
I just want to see with my own eyes that the worm isn't quietly spitting out a SELECT * from a random table, record per record...
Karma cannot be described by words alone.
If you're providing network services to others, they probably don't want to beg you everytime they need to open a port.
That is an excellent point. Moderators, mod parent up please.
that was the first port I blocked on my firwell at home.. along with the other nasty wiNT and windows ports..
Pretty soon you will see every firewll and dns server product come defaulted with these ports blocked..
Always remember Ms sense of design on secuirty is that.. oh we can't do it because the cstmore did not aks for it.. Ms claims it knwos Software Engineering.. I seriously doubt it..
Don't Tread on OpenSource
Some info from my perspective;
I am at 66.192.31.140
First logged packet at Jan 25 00:30:47 EST
Last logged packet at Jan 25 12:17:40 EST (15 minutes ago)
Number of hits, only 136.
grep PROTO=UDP
136