Slashdot Mirror
MS SQL Server Worm Wreaking Havoc
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published
in June 2002. Several core routers have taken to blocking port 1434 outright.
If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
Kevin Mitnick is allowed back on the net and the net goes fubar
In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.
It said the shutdown was triggered by "apparent cyber terror committed by hackers".
http://news.bbc.co.uk/1/hi/technology/2693925.stm
I find it lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP
It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
Get your own free personal location tracker
Collected a packet disasembly and some urls here.
Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.
Microsoft released a patch for this 24th July, 2002.
Where I work we ended up with quiet the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greated with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!
Someone really has carefully crafted this worm to try to bring down the net.. and what better time then on a Saturday morning when all admins are away and not planing to work the next day!
how many quries at the root level are unnecessary. :)
Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules accross our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..
ZDNet and Yahoo.
Outside a firewall for no apparent reason is a tool. That being said, we live in a world of idiots. Why?
NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
they have produced a patch that resolves these issues.
This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?
What does this worm rank compared to other DDOS in the past?
I was very surprised to discover both AP and CNN beat Slashdot to this story.
Very disappointing.
Timely is as important as accurate SlashEditors. Many of us look to you when big events occur...
Especially considering this all began about 8 hours ago!
e3 :: blogging the wireless freenet
If you run Microsoft SQL Server, make sure the public internet can't access it.
What a pathetic overkill response. If you're running SQL server, make sure it's patched. When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?
SQL is easy to secure, and the guidelines are well known
And of course, patch it when patches appear
From digitaloffense: A new worm which exploits a vulnerability in MS SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts). Some random screen shots and information about the worm can be found HERE.
Whoever puts a database outside a firewall? and then leave its external port open???
Sysadmins like that should be dragged into the street and shot.
...the Slashdot article, that is. I've been watching this since I got up this morning (about five hours ago, local time). There's been plenty of discussions about this on various mailinglists, including NANOG and NordNOG, as well as several IRC channels I frequent. I'm surprised it took this long for Slashdot to post anything about it.
According to unconfirmed sources on NANOG, the worm seems to eat up bandwidth at line rate (even at GigE links), is rumored to amplify itself via Cisco routers, and is the creation of Saddam Hussein.
My journal on the worm.
Best writeup I've seen is over at iss.net. They were the first to update their internet status homepage alerting of the vulnerability as far as I can tell.
http://average.matrixnetsystems.com/Daily/markR.h
http://mrtg.nac.net/switch9.oct.nac.net/3865/swit
The advisory announcing the flaws:m /
http://www.boredom.org/~cstone/worm-annotated.txt
http://www.nextgenss.com/advisories/mssql-udp.txt Various disassemblies and discussions: http://www.snafu.freedom.org/tmp/1434-probe.txt http://www.digitaloffense.net/worms/mssql_udp_wor
Writeups:n et.attack.ap/index.html / 20030125/ap_wo_en_po/na_gen_internet_attack_2 r tdetail.jsp?oid=21824
http://www.cnn.com/2003/TECH/internet/01/25/inter
http://news.bbc.co.uk/2/hi/technology/2693925.stm
http://story.news.yahoo.com/news?tmpl=story&u=/ap
http://bvlive01.iss.net/issEn/delivery/xforce/ale
I've been watching this havoc unfold all night as well. I wonder how long it's going to take for the entire problem to clear. Most sites that were previously unaccessible are for me are now, except some of our own. Makes me wonder if something else is going on in these datacenters.
Some snippets from there:
It's those darn Al-Quaeda, I tell you! Them and Saddam Hussein! Damn them for retaliating against our Righteous Attacks!
The only problem is that most of responsible people are computer scientists and sometimes even only with a BS in CS and therefore have no clue of harmonic analysis and advanced probability theory.
If you project your network system in the C^n- space of markovian probability measures and with to the frequency domain, you can easily see that our system represents a compact manifold of superharmonic measures. And malign overflow is just a upper bound in this set, therefore harmonic. It's well known that the only harmonic functions on compact manifolds are constant. So going back into the time domain this means that you must just analyze the frequency of the packets. All packet streams with a constant frequency are malicious by the above calculation and therefore should be dropped. Of course there are some minor points with the frequency reflection on edges etc. but this is very basic stuff and can be easily solved.
If think there was a paper of Lorgajev and Starniktov in the 80ies about this, but I'm not really sure.
Owner of a Mensa membership card.
While part of the problem is that Microsoft software sucks particularly badly when it comes to security, something like this can happen with other software as well. The real problem is that we have a software monoculture: we need many more, different, independently implemented software systems. They will all have bugs, but as long as they all have different bugs, we are mostly OK. And that's the real reason why Microsoft's market dominance, in particular on large numbers of small machines run by non-experts, is a problem.
Seriously though, you should have upgraded!
No point in having a router that can't sustain max-traffic on the network it's put on...
What if your campus get slashdotted ? Kinda boring if the router shutsdown because of legit traffic
My guess is that some MSCP caught panic when he saw the load on the mssql-server and pulled the plug...
It's happened to me... (and he wasn't even MSCP just vanilla dumb...)
It looks like if you stop the proccess sqlservr.exe it will take all of the CPU proccess back down to normal. Obviously you dont want to delete this file, but with it stopped you can at least get the box on the network to trouble shoot this stuff. So far from what we can tell, when you restart SQL the load stays down, but that could also just be that its sitting there idle waiting to be activated again. Hope this helps.
Alchemy Support
Alchemy Communications
It can giggle all it wants. The galaxy's not gettin any of our Bourbon.
Gr.... All the more reason to run a host firewall on every machine.
Need a Linux consultant in New Orleans?
Any server that doesn't need to be accessed from the public internet in the course of it's normal use should be firewalled off from it. That's just common sense.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Kudos to cstone@boredom. Interesting & educational, with a nutty crunchy flavor.
So, every colocated server has a system admin checking it?
... outside of their regular duties which may include making coffee or sorting mail (depending on the size of the organization)?
All servers that were placed up there years ago to host one silly site get checked regularly?
All companies (or individuals) who host sites pay to have them maintained?
All sysadmins are competent and on top of their patches
There are alot of servers and alot of sites. There aren't alot of "great" admins IMHO. And, often, patches are bundled together when you upgrade a server which may be once EVERY TWO TO FOUR YEARS.
Reality folks.
There are no SQL commands in the worm. It just initiates a bouncing ping between two MS SQL servers that continues until the network or one of the servers is brought down. An annotated dissection of the worm is provided here.
I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.
/. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.
.edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.
Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?
I start to fire up
*clickity click*
1434? The hell is 1434. Worm?
*slashdot shows*
Ah ha! Ve haf comprehension.
*groggily shuffle off to get coffee, oooo black gold*
For what it's worth, a majority of the packets so far have been mostly US servers --
Disassembly of the 404 bytes being sent by affected systems
Heh...on the Fox News Channel's ticker, they had the following tidbit of information:
"The virus spreads using a Microsoft vulnerability known as "SQL Server""
This space intentionally left blank.
Postgresql and oracle are like screw drivers. Do you use one screw driver for all tasks? No. There are some things that oracle really kicks ass at that postgres really plain sucks at. Vice versa as well.
-
ping -f 255.255.255.255 # if only
This one has surprised me most so far:
tybclbsqla02.listbuilder.com
Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.
whois listbuilder.com
Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080
Get your own free personal location tracker
No, firewalls are for use as your needs require.
I, for instance allow no incoming, but don't restrict outgoing.
Firewalls are not just for your needs. They are also for the protection of others, too. It's the all-ports-open-on-outgoing stuff that allows worms like this to spread and wreak so much havoc. It's dial-up Internet providers leaving port 25 open on outgoing that allow spammers to use throwaway accounts for spamming.
I don't think you should tell people what firewall rules they should be running.
Hey, if it's my network being affected by your lack of rules, I've got a moral right to tell you what rules your firewall needs.
Is this thing directly targetting root/tld servers? Is the worm doing dns lookups as opposed to just picking an ipaddr? Is it the PTR servers which are being hammered by loggers doing reverse lookups?
Did someone jump to a bad conclusion based on ping stats?
I don't know if anyone else has had the same problem, but xxx@msn.com email addresses seem to not be working on Hotmail. I doubt they're related, but has anyone else had the same problem, and is this likely to be the cause? By the way, xxx@hotmail.com accounts work fine.
This is what would happen if /. ever became a search engine.
I'm not justifying behavior of the assholes who release these worms, but leaving the SQL server visible to the public internet is just slightly retarded.
If these boxes actually have someone employed as admins, they should get fired, plain and simple
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
"Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
They'll sell it to us over six months ago.
For free.
Asshead.
About half of the sources I've seen have been either .edu sites or sites in other countries which belong to colleges (ualberta.ca, etc.). Is there some sinister corellation here? Perhaps colleges get free MS-ware, and let the students run the networks?
I want to delete my account but Slashdot doesn't allow it.
"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
Are these the same people that leave their cars unlocked with the keys in the ignition?
If this were a fair analogy, the *auto maker* would be at fault for leaving spare sets of keys attached to the outside of the car...and you'd simply be (much less) at fault for not having removed the latest set of spare keys the auto maker decided to tell you about.
May we never see th
The MS educational site license is a flat $40 per year for every computer, including Apples and Suns.
For that, a school can install any and every MS product where ever they please. Not only that, MS supplies training and testing materials and answer keys with that. So the classes are pre-written, too, and a GTA or undergrad can run them.
So yes, MS SQL is all over the place, and they've got lab assistants and volunteers admining them.
That doesn't mean that Amazon's DB servers have public IPs you know. There is no reason to have a DB connected to the internet, unless you just wanna see what happens...
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
What was that about mission critical applications?
Worms that do this sort of thing will continue ad infinitum. The reason is that there's no financial detriment to having one of your own boxes act as a zombie and send out tons and tons of packets. None whatsoever. There's no central accountability. That's the way the Net is set up. I don't see any way around it.
given also this previous slashdot story, the root servers must join and sue microsoft for DDOS attacks against them.
Windows clients send TOO much shit to any dns - check your dnscache log to see that. Don't have a dnscache? Bad! You're flooding your preferred DNS server with a shitload of useless or meaningless queries.
Looks like they have read some websites some years ago and then decided to steal words like "domain", thus confusing a nt-domain and a REAL domain name. The rest is pure mess because nt-domains are queried with DNS. Pretty crappy isn't it?
Look at that (dnscache log):
@400000003e329b973170f1bc tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010201
@400000003e329b973874c81c tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010201 97010101
@400000003e329b981c3f8394 tx 0 33 _kerberos._tcp.dc._msdcs.[mydomain]. . 97010101
this is a laptop trying to find a network share on the server (which is called server2000.[mydomain].it). It is querying [mydomain], not [mydomain].it as I set up the laptop (default domain, network identification). Imagine if I did not have a dnscache but set up all PCs to use an external dns server....
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
billg cannot be an enemy combatant because he
does not wear a military uniform.
So he must be an _illegal_ combatant.
Therefore, if guilty, he will have to go to
Guantanamo Bay for a few years to "help with
investigations".
Of course, proof cannot be given for his guilt
because that might jeopardize national security.
Therefore no trial until terrorism is defeated.
Can't afford to take chances with them terrorists!
If a unix vulnerability was ever exploited to the levels that this sql one or nimbda or sircam were, I'm sure one of you AC's would let us know!
It's amazing how many people just don't feal they have to upgrade their machines. Im stil getting nimda hits. The sql exploit is using a vulnerability 6mos old!
Show's you the real vulnerability is the image the MS has palmed off on the public for 20 years! With our system you don't need to worry about good administration! It just works and works and works! Why pay for an admin when you can by MS Win-X?
-- Many men would appreciate a woman's mind more if they could fondle it
Yes it can indeed get inside a firewall. Say you got bonehead web developer front page dude at home running the developer version. It is no doubt infected with the worm since said developer is using front page and MS SQL on his home xpeeee box. He thanks you by logging in via VPN into your network and spreads the joy. Priceless.....
Got Code?
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.
Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...
Example, this is what is run after an XP desktop install with SP1 at our location...
It doesn't include latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running... Think that's bad? Here's some pre sp1 hotfix command lines from an earlier script.. And the syntax to install unattended is never easy to find on their site. I usually have to use google to search microsoft.com to find what I need, their search engine really sucks. Others must feel the same way since there is a dedicated google page for this at http://www.google.com/microsoftI've been a call all morning and we are sure now that SP2 does NOT protect your server from this attack...YOU MUST APPLY MS-039 to protect your server
I'm in France. I have 1434 in my logs all morning, but nothing since about 11:30 greenwich. The source IP's are about half and half Europe/US.
A few things are down over here, like my university's network, but haven't noticed any major crashing.
Congratulations! Now we are the Evil Empire
I slapped a line on our access list in our BGP routers this morning at around 8:30 A.M. Even though our firewall was blocking this port, figured it would be better to block in silicon rather than at the O/S level. In almost 2 hours, we have recieved over 190,000 packets from this wurm. I have a feeling its going to get a lot worse before it gets better
There are a lot of home users/business that have SQL server installed and no firewall set up. Just like code red this thing is infecting personal boxes, therefore adding to the high volumes we see. I have SQL on one of my machines at home, behind two linux based firewalls, and when I use any tool to connect to a database I am given all sorts of choices. Most of the IP addys I see belong to other cable users. I wonder how many have kept up on their patches? The problem is any fool without any training can install this stuff on their computers, I think home users are the main reason that simple worms like this are so successful.
I work for an ISP and I just got home from work where we had to deal with this madness. It was absoultely horrible people. We got word from UUNET that it is port 1434/udp traffic and they are adding that to their egress filters. We just blocked 1434/udp altogether, at least initially.
We have many many colocated customers, many of whom run msql. This issue is horrible in that it is causing massive packet loss and when packets do get through the latency is around 500ms and up and that is for an all ethernet network segment. Our core router was getting slammed and cpu utilization would hang out at around 100%.
When we started unplugging switches from the routers, traffic would return to normal. We then pinpointed it down to all of our colo customers and disconnected just the sql servers from the network. Effing pain in the ass though.
Goddamned MS and their crappy no-password-requirement for the sql admin user and the moron admins who don't patch their system. Are people this trusting of MS that their servers are safe and/or this stupid they just don't apply patches until they get screwed?
Whatever, I am soooo tired... g'night
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
I've used Webmin before (never saw Usermin...have to check that out) but it occasionally screws up as much as it helps.
/. without realizing that most folks can't memorize volumes and volumes of information. Even the little knowledge I have just so I can hit Usenet and troubleshoot from there (not a Unix expert by any means of the word) is more than most Windows admin...and face it, computers are needed everywhere and the average intelligence of the public isn't going to rise any just because of job requirements...thus we will have a very small group of people that are capible of taking care of system administration in a way that is required to manage ALL the computers in the world. Maybe Sun is right...maybe THEY need to be running all of our servers for us :-)
Still, I couldn't trust my Window's folks to touch my Unix servers even if its something this simple. For instance, a few months ago the latest version of GCC killed MySQL. I had to go back and recompile quite a bit of crap to use GCC and MySQL STILL didn't work right. It took a few days to get all of this right...
I don't think Webmin is going to give me the knowledge to fix this kind of problem or even troubleshoot it. Windows is moronic enough that most folks can troubleshoot it enough to get it in a working state...again, most of its point and click. We make fun of that on
clif
Insightful? How? If you haven't patched PostgreSQL within the last 6 months you are vulnerable to multiple buffer overflow/remote root exploits. If PostgreSQL had the volume of boxes that MSSQL had on the 'net, you can be sure that there'd be a large number of idiot sysadmins who A) don't patch and B) don't know how to use a firewall to protect their systems.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
I guess even Gates saw this coming. ;-)
"New security risks have emerged on a scale that few in our industry fully anticipated," Gates wrote in a 1,500-word e-mail distributed late Thursday to about 1 million people. (Full article at CNN.com)
DOH!
Another ignorant post because people insist on attacking the wrong person. EVERY protocol has vulnerabilities, that's the facts. The patch was release almost a year ago for this same issue. If you want to blame anyone, blame the shitty admins who don't filter out traffic if they must use MSSQL over the internet, or flat out block it if they don't. I know people think it's cool to bash MS, but in this case it's directed at the wrong person. Besides, last time I checked the root-servers weren't running Windows and they went down like a date on prom night.
My sig of choice is Marlboro
And today we are seeing the one thing at which Microsoft products really kick ass...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Whoever puts a database outside a firewall
24,432 fuckwits have done so, counting the hits on my firewall. 1 hit on port 1434 yesterday, 0 on thursday.
Wait, there are some dups, it seems that each machine hits the same addresses over and over again, about once every 4 to 12 minutes. grep|awk|sort|uniq gives 11,901 unique IP addresses in my firewall logs.
Quickly scanning a statistical sampling of machines which have probed my IP space, I see that most of them are wide open to the internet. Ports 137/139, 25, 1029, etc. are all available, and 3 of the 11 show BackOrifice on port 31337.
I have a friend (oracle expert) over trying to set up a vulnerable MS Sqweal server so we can study the worms actions on an isolated test network. I want to see which addresses does it scan, rate of repetition, and other things, since the code is pretty simple and just hashes the addresses (low cyclical rate) over and over again. I've also learned some new bad Vlamsk (dutch) language today.
I've got a packet that might crash vulnerable MsSqueal server processes using the same buffer overflow technique. Could be a good return packet to send to scanning machines to get them to shut up until the admins get around to patching/rebooting their fucked windoze machines.
But first I will test it on my own machines, I really don't believe in affecting other's machines on the internet, even if the owners are fuckwits. But after yet another microshit worm fucking things up for everyone else, I've moved my limit closer to their processes.
the AC
I'm also waiting for the first few variants with better IP address scanning routines, which will be much more virulent. Monday will be a *fun* day
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Microsoft can patch until they're red in the face, and they do. But it doesn't change the fact that they released a server with a very major and potentially viral vulnerability. Not everyone in the world is going to do their patches the second they're released. Granted, security holes like this are inevitable, but it's just a question of "how much is too much?" Microsoft consistently releases vulnerable products. And if you're going to pay so much more to run an M$ platform, there should at least be some payoff in the area of so-called "trustworthy computing".
... I wonder if evil-doers might be mining the Microsoft patch libraries, looking for exploits that already have fixes, but depending upon the cluelessness of Microsoft site admins to fail to implement them...
Why go to all the trouble to invent a problem, when there is a large population of targets and a database of vulnerabilities?
I think not. There were three simple things that would have saved your ass, first apply the patch, second don't allow everyone in the world to connect to your database server, and last turn off the box if you don't know how to secure it. I also work for a company that uses SQL Server for the backend of our web apps, but I don't have any interesting stories for you. I think our admin was asleep in bed when this all when down, but that is because he did all the hard work ahead of time.
The bad assumption people are making here is that there's "no reason to break this rule." Well, unfortunately, this is just not so.
In my case, a project involved upsizing a client's access database, and then transferring it from my dev machine to an ISP's SQL Server instance. The client has a dynamic IP address, and they would never even consider the cost of using a VPN. My SQL Server ports were open for only 3 weeks, during the transition period, and would have been shut down next week.
I kept up on service packs (I was up to SP2), and had installed every SQL Server security patch I could find. I had a non-guessable sa password. I got it anyway.
So why is that? I'm not sure. But I have some observations about the manner in which you're supposed to keep SQL Server (and other MS applications for that matter) current which bear seriously on the issue:
Anywhere? I can't find it today. Maybe it exists and I just didn't notice it. That would be atrocious site design. Or maybe a simple, centralized "MS SQL Server 2000 Security Page" with ordered patch list and instructions doesn't even exist. That's just atrocious.
All I can find is top-level references to service packs and an unqualified link to an all-microsoft download search page. When you select SQL Server 2000 in it, you get everything, not in order, patches thrown together with samples, evaluation downloads, etc.
And I'm supposed to check here... every week? Sounds sensible on the surface, but if they really wanted to prevent trouble:
IT'S SO BLOODY SIMPLE. Yet they didn't bother.
Compare this to redhat, where there's one tool, up2date, and it works for everything. And you are trivially notified by email when there's an update.
At any rate, we can at least tell people a convenient fix - go install SQL Server 2000 SP3.
What's the bottom line? I had a reason to have the port open. And I had a not-for-nothing false sense of security that I was protected against this vulnerability. And most of all, if this was RedHat (for instance) I would never have had this problem - because I would have been notified the moment the patch was available, and would have installed it in a heartbeat, through their single, consistent, easy-to-use interface; and so would tens of thousands of others.
Want to Know How to Cheat the GPL? Read On!
last time I checked the root-servers weren't running Windows and they went down like a date on prom night.
Actually NONE of the root nameservers went down, either during this worm incident, or during the Oct 21 incident. The network nameservers are generally highly overprovisioned, and do a very good job of responding to every request they receive, even under abnormal load.
What happened is that the increase in network traffic staturated some of the feeds to the root name servers making it impossible for requests to reach the name servers. This is the real danger of these attacks.
And as far as blaming negligent sysadmins for not patching their servers, well, sure. But sysadmins are not the only players in this game. Companies often have policies regarding software patches and validation that restrain what a sysadmin can do. And the fact is that the sysadmin did not put the vulnerability in the software, nor is this the first time a Microsoft product has servered as the vector for something like this.
Starting around the same time, www.whitehouse.net began receiving about 100 times the normal requests for the home page and its associated graphics. Most of the offending hosts are in China thought at least a few aren't. So far, there are at least 1000 distinct addresses spread accross their entire IP space that reloaded the page at least 30 times.
I have no direct evidence this is related to the worm, but it begs coincidence.
www.whitehouse.net is a privately-owned parody of the US White House web site.
Source samples with counts include:
3302 61.171.37.209
2443 218.17.216.111
2037 218.4.128.50
1962 218.25.204.219
1527 61.187.169.160
1336 61.131.48.222
1183 218.58.69.26
1079 68.37.179.107
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
We were joking, but while the barrage of UDP traffic taxed our front-end, we figured it might a great time to take systems down for maintenance - WTF, we were up, nobody could hit our site, no explanation to management!
"Our site was down"
"It was the worm, sir."
"I like the new layout. Did the worm do that?"
"Uh... yes?"
A nice collection of data and NOTES.TXT here.
-- When you look to see how the system works, you usually find that it doesn't.
My funniest, I shit you not, is "isecureserver.smsu.edu". Apparently some "I" at Southwest Missouri State University did not secure their server as well as they thought. At first I actually wondered if it was a practical joke.
My network got hit hard this morning. The article claims 10 packets per minute. We were getting 10 packets in about 1 nano second. It sent our firewall to a load average of 10+ and brought our entire network (inbound and outbound traffic) to a halt. We found a single Windows host causing all the problems _behind_ our firewall. After disconnecting it all was well again. Thank you MS.
Buffer overflows as a security hole aren't only a Microsoft problem -- although you would think they could afford better code reviews -- they are an almost universal C/C++ problem.
First, using fixed-size buffers for strings (and other arrays) seem almost to be encouraged by the language design, or at least by common practice.
Second, strings (and other arrays) unfortunately do not have a size inherently associated with them in the language, and null-terminated strings can be slow to check for length.
Third, the stack layout of typical C/C++ implementations makes it *possible* to overwrite the return address. Some other programming languages I have used had implementations with the return address below the local variables, making it essentially impossible to overwrite.
But then, years ago, nobody ever seemed to think about security issues in language design.
Here is a program they have for the NT/2000/XP line that lists hotfixes that have not been applied. It certainly is more comprehensive than the windows update site.... Hotfix Checker at MS
Hotmail still has *nix at it's base, so it's still up.....
No
It
Doesn't.
The site www.hotmail.com is running Microsoft-IIS/5.0 on Windows 2000.
... is that our Corporate IT has *outsourced* all control of our firewalls (to a company which recently filed chapter 11, if I recall), and so can't update them on the fly...
And, on top of this, our "corporate IT security" just sent out an email that some of their *internal* machines were infected (so obviously *something* was accessable through the firewall) and now we who are connected to corporate via a T1 must apply the patches. So much for the firewall.
This also happened with Code Red two years ago. Big panic, everyone patching their systems, because corporate had holes in the firewall.
Yet, we have our own firewall to a customer site (which we've managed on our own for years, and which corporate now wants to take over) which we have *never* been infected via. Go figure.
Not saying that we shouldn't have been up on it, but we have noone dedicated to IT Security (funny, since we do DOD work) in our building, and we are all so swamped with other stuff we rarely have the time to keep up with it.
At my *last* job, however, we setup a new box and immediately port-scanned it... knew what every service was on the box, and if we didn't, closed it down. And that *wasn't* DOD... e-commerce. And we kept on top of patches.
So... you credit card number was *really* safe at my old job... but our nation's secrets may not be at the new job.
Go figure.
My intial thought on this was that this isn't MS's fault and we shouldn't be bashing them for this worm; almost every os and daemon out there has had it's holes and exploits and MS has already put out the fix so it's in the admins hands now.
But on second thought, when I look at the serious impact of the worms that have been created for MS products and their vulnerabilities the last few years, the obvious becomes apparent: admins of MS OS's and processes on them are a LOT slower to patch than any of their counterparts (read: stupider). And the thing is, MS knows this, they specifically market to the stupid/lazy admins. They're the "easy" OS, they sell their products by telling people that you just install them and never worry about them again. I've taken too many MS courses (I am an MSCE and MSCDBA if they haven't expired on me, but I couldn't care less) and not once was patching the operating systems or server processes ever mentioned during all those courses, which is amazing to me.
And hey, to each their own I guess... apparently there aren't enough intelligent or well read admins around so there is a demand for these products and this approach. But if that's the case, then I think it has to be said that MS has a greater responsibility to create products free from exploits than anyone else, if they're marketing and teaching the idea that you don't need to patch.
It's by creating that laissez faire attitude towards administration that MS is directly responsible for the proliferation of these worms.
----- sXe
Yes, but I know a lot of sites that wait on the full service packs. Testing every hotfix that comes out of MS is not time effective. The policies I generally see is that companies first wait a month after release to see if anything bad happens with the SP, then take a couple of weeks in a test configuration to make sure nothing site-specific should happen, then install SP if fine. The SP3 was only released recently.
The problem is that with MS, there are two levels of fixes, hotfixes and service packs. hotfixes could be anything from a slight cosmetic bug that isn't worth the time to worry about in a professional environment, to a critical vulnerability. There really isn't a huge sense of urgency at the word 'hotfix'. They really need a separate category of 'critically needed patch' for stuff that can cause problems of this scale if left unpatched.
XML is like violence. If it doesn't solve the problem, use more.
Funny how the site www.internettrafficreport.com is being slashdotted right now. In the last 5 min alone, the global traffic index went from 85 to 65, apparently a new wave of attacks as the worm discovers new ground. My 5-domain webserver hasnt received a packet yet, but Im keeping my eye on it. Glad to be using Postgres with its ports blocked from the Internet.
Holy cow! Israel is completely down according to the site.. all routers with 100% packet loss.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
SQL Slammer? A worm virus? Sounds more like a shooter at Hooters on geek night.
__ Someday, but not this morning, I'll finally learn to use the preview button.
... but it can't survive Microsoft's software
Does that mean that Redmond is in possession of somehthing *worse* than WOMD???
We demand IMMEDIATE soure code inspections!!!
Or there will be severe consequences.
someone want to start a petition?
"a powerful and unexpected ally..."
Uhm.. you're probably completely susceptible to this. You see, that little clicky thingie you clicked in the thingie was written by the same people that sent you that software with the bug that causes this problem.
You, and the rest of you non-engrossed, non-technical people who don't have $15.00 to put a NIC in a 486 firewall that you can pick up at the dump, but plenty of money to shell out system upgrades every few years... You're causing this problem. You, personally.
First, by buying and deployng a server OS by an untrustworthy organization, followed by not even complying with thier reccomendations of protecting, securing, and updating that server.
Then, by saying "Whew! Dodged that bullet" after you CLICKED ON A CHECK BOX is not quite the same as.. oh.. patching it, securing it behind a firewall and testing it for packet traffic... THESE are the "basics" of your box and the internet. Not what your manual, the context sensitive help, or what MS' Marketing department tell you.
Was that non-technical enough for you? Stop being smug, and stop being part of the problem.
Sounds like a damn good advice to me. Why the hell should either of those be exclusive?
It's very BAD advice! What happens when you blindly apply the patch and find out your mission critical app won't run anymore? A little QA testing would show you that on a test system instead of your live servers. If a firewall rule can protect you, use that, then QA the patch and apply if it is safe.
Consider that sometimes, the 'security patch' just disables a feature that 'nobody uses anyway' (except for your mission critical app, that is). Other times, it doesn't fix the hole, it just changes it's shape a little. In that case, you go from a hole you know about and can guard against at the firewall to one you don't know exists that has less information about it available.
It's not purely a dig at MS (though their track record for quality patches is spotty), any sudden change to widely deployed software runs the risk of causing a problem for sombody's configuration.A link to this thread has hit drudgereport.com, 2nd link from the top. I think this is the first time I've ever seen that!
Heh, looks like it took out a big portion of Bank of America's ATM (cash) machines! Link
If you haven't patched PostgreSQL within the last 6 months you are vulnerable to multiple buffer overflow/remote root exploits.
remote root???? Just about EVERY postgresql system runs as a normal user, how the hell do you get root out of that?
By default postgresql does NOT even support IP connections, you have to turn it on by either the -i option to postmaster or in the config file.
I think your looking at the Mordred buffer overflows from about 5 months ago. ALL of these require a valid user account to exploit. NONE were remote. Please post the location/posting of a REMOTE for a recent release of PostgreSQL. Versions 6.X, 7.1.X and 7.2.0 do count.
BWP
I think that the reason that a lot of these patches do not get applied is due to the "If it isn't broken, don't fix it" mentality. I know that many Microsoft Security patches in the past have caused say 1 out of 10 small volume custom applications to fail in some way after they were applied. The business being conducted by the application may have justified say a 50K dollar initial investment to have it written by a developer. However, the month-to month return does not justify paying a Maintenance fee in order to keep a developer up to speed on your code base. Microsoft has been releasing patches for either IIS, or SQL Server, or OS on roughly a schedule of 2-4 a month. Your average 10-50 man company that had an application written for their specific need is not going to be willing to pay you $4000.00 a month to maintain a secondary system with their application installed, 10-20 hours to test every single function, etc every time Microsoft releases a batch of patches. In their minds it's built, it works, and it's done and they are not going to pay a dime more. If you are lucky, they might do that when something like today's situation comes up. That is why most systems (I will even say Linux/Apache/XSQL systems) don't get every single patch that comes down the pipe applied. In a perfect world you would not accept the work unless there was a good maintenance fee included, but in the real world you take the work that people will give you and deal with the ongoing maintenance on a case-by-case basis. The only contracts where you get that kind of commitment is when there is EXTREMELY good revenue involved and the companies business absolutely relies on the application.
You should be using the Microsoft Baseline Security Analyzer to ensure that ALL the machines on your network are properly patched and locked down. It's so easy to run there should be no excuse for attacks like this.
!!!ATTENTION MS ADMINS!!!
The current DDOS attack caused by a worm that exploits a known vulnerability (for which a patch was already available) raises the following questions :
a. Is this a test or preparatory exercise carried out before a serious of massive attacks due during the time US invades Iraq ?
b. Is there another vulnerability(ies) (probably bigger gaping holes) in the patch available for the current vulnerability which the group is hoping to exploit, during their second phase of attacks ?
These are just questions. I think administrators should be doubly sure about this patch before they apply it.
A Massive DDOS attack during the gulf war could cause:
a. Less or no information
b. With DNS servers down (5 down this time around) a massive disinformation campaign can be launched (Say the CNN site giving false information for a couple of hours)
These are just possibilities. So was September 11th.
I was just about to post the same thing! Moderators: mod this one up! People need to read this otherwise they'll think their cracked box is safe!
From securiteam.com: ..It can be configured such that clients can use named pipes over a NetBIOS session (TCP port 139/445) or sockets with clients connecting to TCP port 1433 or both. Whichever method is used the SQL Server will always listen on UDP port 1434. This port is designated as the Microsoft SQL Monitor port and clients will send a message to this port to dynamically discover how the client should connect to the Server.
Read further into the report. The exploits use the vulnerability in the code which listens to UDP port 1434. You can't turn this off!
OK.... so at least half of the problem is the sys admins, though some of you seem to think it's all their fault for not patching the systems... You must all have nice cushy jobs where they pay you to stay on top of things! The problem is, not every sys admin gets paid to do what he'd like, and not every one of those ppl have been with a company long enough to FIND everything that needs fixing, never mind FIX it all. They don't get paid enough or else told "no overtime" and things just don't get done... Sure blame the admins, the guy who just took over the mess that was left for him when the last guy quit two weeks ago is surely to blame, especially since he's so digusted with the task he's found himself mired in (not to mention the low salary for 24/7 service or else a NO OVERTIME policy) that he's pondering his next resume and cover letter... And no, I'm not a sys admin, I'm a physics student, a self taught computer junkie and a former construction worker, disabled from being a grunt. i just know scapegoating when I see it, and it's all too easy to blame "the man" when in fact, he's getting screwed just like the rest of us.