Printable View
HAHA yeah, lucky me my microsoft box is just for the testing of some servering things and etc. My openBSD and gentoo boxes don't have anything exposed exept the things people really are allowed to touch. Setting up yer firewall the right way could have fixed this for some part before it begun. I put the loggin of for ports 1433 and 1434, wich is a bit stupid, but that way I can be lazy and secure at the same time :o
305 hits to 1434 since 12:30AM here in Toronto. Averaging 20 hits/hour for now.
Jan 13th took 330 hits to port 445. This new one should surpass that.
I haven't noticed a drop in net speed here though.
Does this SQLping.c have anything to do with this?
Recent Exploits Scripts/Techniques (starting bottom of page 7 into page 8 (middle of table under date March 15th, 2001))
It's just a description of some packet tool but, it's listed under exploits, so it caught my attention.
http://www.nipc.gov/cybernotes/2001/...sue2001-06.pdf
I am at Tennessee Tech University and their routers got hit hard enough it knocked us offline for a few hours this morning. Even now not all of the campus is back up yet. It's crazy. We have been in the Comp. lab all day and stuff is now a little bit better.
Internet Security System (ISS) was the first to discover and name a new worm it is tracking - “SQL Slammer” - that is rapidly spreading across the Internet via Microsoft SQL servers.
The worm is responsible for large amounts of Internet traffic as well as millions of UDP/IP probes causing the Internet and online service to be inaccessible.
•Reports of major Internet Service Providers (ISPs), banking services and telecommunications worldwide have been affected
•Severe latency in domain name service (DNS) causing Web sites to be completely unreachable
•Other nations affected include South Korea’s Internet infrastructure which has come to a stand still
This worm exploits MS/SQL servers vulnerable to the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host.
ISS X-Force team responsible for the discovery and naming of this worm are available to provide help at: https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Impact:
The Slammer is generating a damaging level of network traffic when it scans for targets that are vulnerable. Billions of attacks have been detected in the last 12 hours from ISS Global Threat Operations Center (GTOC).
Affect Versions:
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Note: Unpatched or base installations older than SP3 are vulnerable.
Description:
The Slammer worm propagates via Microsoft SQL installations without patches from Microsoft Security Bulletin MS02-039 or higher. The main function of the Slammer worm is to continue propagation. No Denial of Service or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm seeks to replicate itself and does not try to compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory.
Warning: Anti-virus programs do not detect nor stop this worm.
Recommendations:
The ISS Dynamic Threat Protection platform has protected ISS customers for this major vulnerability for 6 months.
Protection mechanisms have been available in RealSecure Network Sensor XPU 20.4 and XPU 5.3 and Internet Scanner XPU 6.15 (available as of 7/25/02).
ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
The following ISS updates address the issues described in this alert.
These updates are available from the ISS Download center
(http://www.iss.net/download)
Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to protect SQL Server databases with a firewall or packet filter.
Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server against this buffer
overflow: http://www.microsoft.com/technet/sec.../MS02-039.asp.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the Name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE list http://cve.mitre.org), which standardizes names for security problems.
Additional Links:
ISS: Security Center: X-Force Threat Forecast
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
Microsoft SQL Slammer Worm Propagation
http://bvlive01.iss.net/issEn/delive....jsp?oid=21824
ISS Advisor community feedback
http://www.issadvisor.com
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems, Inc. (ISS) is a world leader in Dynamic Threat Protection software and services that protect critical information assets from an ever-changing spectrum of threats and misuse.Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
I live in Australia and am thus far unaffected from this virus like worm. anyway,
hope you peoples find out who's doing it and getting through it safely
VIRUS WARNING ISSUED BY CENTRALCOMMAND®
on January 25, 2003
for W32/SQLSlammer
VIRUS WARNING The Central Command® Emergency Virus Response Team™ (EVRT™) has received thousands of virus infection reports for the new Internet W32/SQLSlammer. Due to increased customer inquires and infection reports the EVRT is issuing a VIRUS WARNING.
Help us defeat viruses, forward this newsletter to your friends.
You are receiving this news letter because you are a subscriber to the Central Command Virus News mailing list.
[ EVRT™ Virus Warning issued for W32/SQLSlammer ]
Complete description can be read online by clicking here
Details:
Name: W32/SQLSlammer
Alias: SQL.Slammer
Type: Worm
Discovered: January 25, 2003
Home users: LOW RISK
Corporate users: HIGH RISK
Description:
W32/SQLSlammer is a fileless worm that targets Microsoft SQL 2000 servers. If a vulnerable server is found, W32/Slammer installs itself into memory and does not write a file to the hard disk. An exploited server will then create traffic on UDP port 1434. To correct and fix an affected server an administrator will have to apply the necessary patch to avoid re-infection and reboot the server.
This worm can generate massive IP traffic to effect the quality of service of the network.
Microsoft has issued a patch which protects users against this vulnerability. It can be downloaded from here:
Microsoft patch and information
[ Vexira Antivirus Solutions ]
- Vexira Antivirus for Windows workstations/desktops
- Vexira Antivirus for Windows Server
- Vexira Antivirus for Linux Server
- Vexira Antivirus for Linux Workstation
- Vexira Antivirus for FreeBSD
- Vexira Antivirus for OpenBSD
- Vexira Antivirus for Sendmail
- Vexira Antivirus for Sendmail + Milter
- Vexira Antivirus for Qmail
- Vexira Antivirus for Postfix
- Vexira Antivirus for SuSE
- Vexira Antivirus for Exim
More information: http://www.centralcommand.com
[
This new attack would of been no big whoop if frigging sys admins would apply the damn patches that they are supposed to. This is expoiting something that M$ reported on last
year for crying out loud.
taken from: http://www.unerror.com/
Quote:
Well, today has proven how many lazy or unaware webadmins this world has. A worm who exploits an exploit in MS SQL. The point is: there already was a patch for the vulnerability and it's just a fact MS flaws get patched less fast then linux. That means very many admins don't track mailinglists, who have been talking about this problem and as many of them also don't track patches etc. for the software they use.
Because of this "lack" of interest in security the worm was able to spread very widely. Because the worm work with datagrams (via udp), it spreads much faster then worms traveling by tcp. Udp doesn't require to wait for a acknowledge responce or a message that says the packet has arrived proparly. The danger with that is, because of the "lazyness" (how would you call it) of many admins and other people the worms olso threaths dns servers routers etc. with their extreme bandwith consumeing activities (that's what a worm does).
Every sql server does get some interference with this, because it still get's targetted at port 1433 and 1434, so firewall logs may grow large... that means if your firewall was setup correctly... you guessed it, that's often NOT the case. Those server will still have a little slow down because of the incoming packets. Nothing would be harmed if the worm hadn't been able to spread.
this is a classic example of admins not doing their job properly .. this would never have happened if the admin could keep uptodate with their OS patches. pretty much everything these days is a result of poorly educated (or well educated but lacking in certain areas) administrators