Hi, I got the virus from comcast.net mail. I have also noticed that I have been getting hits on my site from others in Michigan who are using Comcast
Be warned if you are using Microsoft SQL
Shut it down!!!
Off subject MS SQL Virus
-
Topic author: John Van Vliet
- Posts: 2944
- Joined: 28.08.2002
- With us: 22 years 3 months
Last edited by John Van Vliet on 28.01.2003, 07:35, edited 1 time in total.
I got this on bugtraq today:
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: H D Moore <sflist@digitaloffense.net>
To: bugtraq@securityfocus.com
Date: Sat, 25 Jan 2003 05:49:09 -0600
A worm which exploits a (new?) vulnerability in SQL Server is bringing
the core routers to a grinding halt. The speed of the propagation can be
attributed to the attack method and simplicity of the code. The worm
sends a 376-byte UDP packet to port 1434 of each random target, each
vulnerable system will immediately start propagating itself. Since UDP
is connection-less, the worm is able to spread much more quickly than
those using your standard TCP-based attack vectors (no connect
timeouts).
Some random screen shots, a copy of the worm as a perl script, and a
disassembly (sorry, no comments) can be found online at:
http://www.digitaloffense.net/worms/mssql_udp_worm/
-HD
On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp
> port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
-------------------------------------------------------
My dedicated server was down for 5 hours because of this worm. It was Linux based though ... thanks to all those stupid Windows admins :(
A fix was available half a year ago already.
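
A detection sketch for the traffic described in the advisory above, added here as an example and not part of the original posts: it scans tcpdump summary lines for 376-byte UDP datagrams to port 1434 (ms-sql-m) and groups the targets by source address. It also accepts the newer "IP ... UDP, length N" tcpdump line format, which goes beyond the output quoted in the thread; the function names and every sample line after the first two are constructed.

```python
import re
from collections import defaultdict

WORM_PORTS = {"1434", "ms-sql-m"}   # port named in the advisory above
WORM_LEN = 376                      # UDP payload size reported in the advisory

# Matches classic tcpdump ("... > host.port: udp 376") and newer
# ("IP ... > host.port: UDP, length 376") one-line summaries.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+"
    r"udp(?:,\s+length)?\s+(?P<len>\d+)", re.IGNORECASE)

def parse(line):
    """Return (src, dst, dport, length) for a UDP summary line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], m["dport"], int(m["len"])

def suspect_sources(lines, min_targets=1):
    """Map source IP -> set of destinations sent a 376-byte UDP/1434 packet."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in WORM_PORTS and rec[3] == WORM_LEN:
            hits[rec[0]].add(rec[1])
    return {src: dsts for src, dsts in hits.items() if len(dsts) >= min_targets}

# First two lines are from the post above; the rest are constructed samples.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020001 192.0.2.10.1055 > 198.51.100.7.1434: udp 376
02:06:31.020455 192.0.2.10.1055 > 203.0.113.99.1434: udp 376
02:06:31.030000 192.0.2.44.53 > 198.51.100.7.33012: udp 120
02:06:31.040000 IP 192.0.2.10.1055 > 203.0.113.5.1434: UDP, length 376
02:06:31.050000 192.0.2.80.4000 > 198.51.100.7.1434: udp 42
""".splitlines()

if __name__ == "__main__":
    for src, dsts in sorted(suspect_sources(SAMPLE).items()):
        print(f"{src} sent {WORM_LEN}-byte UDP/1434 packets to {len(dsts)} host(s)")
```

Raising min_targets separates a host spraying many addresses from a single stray datagram.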
-
Topic author: John Van Vliet
Bug gone
It's gone. I haven't been using MS SQL for much; my site uses MySQL and I like it a little better