
MS SQL Server Worm Wreaking Havoc

pudge posted more than 11 years ago | from the no-man-will-know-the-day-or-the-hour dept.

Microsoft 964

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."


Who did this I wonder????? (4, Funny)

amigaluvr (644269) | more than 11 years ago | (#5156231)

Kevin Mitnick is allowed back on the net and the net goes fubar

1st (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5156232)

not last.

Terrorism, must be (4, Interesting)

isorox (205688) | more than 11 years ago | (#5156233)

In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

It said the shutdown was triggered by "apparent cyber terror committed by hackers".


http://news.bbc.co.uk/1/hi/technology/2693925.stm [bbc.co.uk]

Re:Terrorism, must be (5, Funny)

weave (48069) | more than 11 years ago | (#5156258)

Terrorism? Bill Gates better be detained indefinitely as an enemy combatant then. Finally, some good may come out of this terrorism paranoia!

As I said in a previous post... (4, Informative)

caluml (551744) | more than 11 years ago | (#5156237)

I find it lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.

It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.

I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

Re:As I said in a previous post... (5, Informative)

bwalling (195998) | more than 11 years ago | (#5156261)

It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you? /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP


Exactly. From the MS Security bulletin:

The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.

What the heck was it doing open in the first place?

Re:As I said in a previous post... (5, Insightful)

caluml (551744) | more than 11 years ago | (#5156289)

Wouldn't it be nicer if the owners of these machines bothered patching the fucking things though?

As far as I'm concerned, boxes SHOULD be able to stand on their own without firewalls. A firewall just adds another layer.

Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.

Re:As I said in a previous post... (0)

Anonymous Coward | more than 11 years ago | (#5156350)

But single hull security is no good either. The firewall should be in place, just like the server should be patched.

Re:As I said in a previous post... (2, Informative)

blowdart (31458) | more than 11 years ago | (#5156293)

What the heck was it doing open in the first place?

Because sometimes you need to connect to SQL from somewhere outside the local LAN? For example, we have SQL passed logging services running in Sydney that connect back to a SQL server in London. Of course, inbound connections are limited to the correct address range.

Re:As I said in a previous post... (2, Informative)

bwalling (195998) | more than 11 years ago | (#5156316)

Because sometimes you need to connect to SQL from somewhere outside the local LAN? For example, we have SQL passed logging services running in Sydney that connect back to a SQL server in London. Of course, inbound connections are limited to the correct address range.

If you limited the IP address range, then you don't have it open. You have controlled access to the resource.

Re:As I said in a previous post... (5, Insightful)

tom.allender (217176) | more than 11 years ago | (#5156321)

Consider a VPN dude.

Re:As I said in a previous post... (1)

cyb97 (520582) | more than 11 years ago | (#5156324)

Of course, inbound connections are limited to the correct address range.

Then your firewall isn't "open"...
(however UDP is fairly easy to spoof ;-)

Re:As I said in a previous post... (5, Informative)

Anonymous Coward | more than 11 years ago | (#5156319)

What the heck was it doing open in the first place?

When the SQL Server 2000 client Net-Libraries connect to an instance of SQL Server
2000, only the network name of the computer running the instance and the instance
name are required. When an application requests a connection to a remote computer,
Dbnetlib.dll opens a connection to UDP port 1434 on the computer network name
specified in the connection. All computers running an instance of SQL Server 2000
listen on this port. When a client Dbnetlib.dll connects to this port, the server
returns a packet listing all the instances running on the server. For each instance,
the packet reports the server Net-Libraries and network addresses the instance is
listening on. After the Dbnetlib.dll on the application computer receives this
packet, it chooses a Net-Library that is enabled on both the application computer and
on the instance of SQL Server, and makes a connection to the address listed for that
Net-Library in the packet.

So the UDP 1434 port is open when the SQL Server is started to listen all the clients
with any IP address on this port. SQL Server only receives the packet from the client
on this port to determine which instance the client attempts to access and return the
related information of the SQL Server to the clients. Then, the clients can create
the connection to the SQL Server with the protocol enabled on the server side.
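The exchange described in the post above (client sends a short request to UDP 1434, server answers with a list of every instance and the Net-Libraries and addresses each one listens on) is why the port listens for any source address, and it is also a free, unauthenticated inventory for anyone who can reach it. The decoder below is an added example, not code from the thread or from Microsoft. The wire layout it assumes (a 0x05 byte, a little-endian two-byte length, then ASCII `key;value` text with each instance closed by `;;`) and the sample reply are assumptions and constructed data, not taken from the page.

```python
import struct

SVR_RESP = 0x05   # assumed leading byte of a resolution-service reply (not stated on the page)


def parse_instance_list(datagram):
    """Decode a resolution-service reply into one dict per instance.

    Layout assumed here: one byte 0x05, a little-endian uint16 length, then
    ASCII text of 'key;value' pairs with each instance terminated by ';;'.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError('not a resolution-service reply')
    (size,) = struct.unpack('<H', datagram[1:3])
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError('truncated reply')
    text = body.decode('ascii', errors='replace')
    instances = []
    for record in text.split(';;'):
        fields = record.split(';')
        if len(fields) < 2:
            continue                       # empty tail after the final ';;'
        # pair up key;value; an odd trailing key is kept with an empty value
        pairs = zip(fields[0::2], fields[1::2] + [''])
        instances.append(dict(pairs))
    return instances


def reachable_endpoints(instances):
    """What one unauthenticated probe hands a caller: for every instance, its
    name, version and the TCP port the engine itself listens on."""
    out = []
    for inst in instances:
        if 'tcp' in inst:
            out.append((inst.get('InstanceName', '?'),
                        inst.get('Version', '?'),
                        int(inst['tcp'])))
    return out


def build_reply(records):
    """Constructed reply builder for the sample below (same assumed layout)."""
    text = ''.join(';'.join(f'{k};{v}' for k, v in r) + ';;' for r in records)
    body = text.encode('ascii')
    return bytes([SVR_RESP]) + struct.pack('<H', len(body)) + body


# Constructed sample: two instances on one host, as a server might list them.
SAMPLE_REPLY = build_reply([
    [('ServerName', 'DBHOST'), ('InstanceName', 'MSSQLSERVER'), ('IsClustered', 'No'),
     ('Version', '8.00.194'), ('tcp', '1433'), ('np', r'\\DBHOST\pipe\sql\query')],
    [('ServerName', 'DBHOST'), ('InstanceName', 'REPORTS'), ('IsClustered', 'No'),
     ('Version', '8.00.194'), ('tcp', '2433')],
])

if __name__ == '__main__':
    for name, version, port in reachable_endpoints(parse_instance_list(SAMPLE_REPLY)):
        print(f'{name:12} {version:10} tcp/{port}')
```

A patched server still answers this probe, which is the point made elsewhere in the thread: the patch fixes the worm, but only keeping UDP 1434 away from the public Internet fixes the exposure.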

leaving that port open... (2, Interesting)

smartfart (215944) | more than 11 years ago | (#5156338)

I agree, it ought to be closed. However, our beloved MySQL also leaves its port open, listening on all NICs in a box.

Gr.... All the more reason to run a host firewall on every machine.

re: "a hole in something really popular..." (1)

ites (600337) | more than 11 years ago | (#5156265)

Like Kazaa. Oh.

Re:As I said in a previous post... (5, Informative)

sql*kitten (1359) | more than 11 years ago | (#5156271)

You are filtering it out on your firewalls, aren't you? /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25. There's no reason a database server's protocol port should ever be exposed to the public Internet!

Re:As I said in a previous post... (5, Insightful)

Anonymous Coward | more than 11 years ago | (#5156303)

Depends. If you're protecting your network, you are right: "allow required traffic, block everything else". If you're providing network services to others, they probably don't want to beg you every time they need to open a port. In that case it's "filter bad traffic, allow everything else".

Re:As I said in a previous post... (4, Interesting)

caluml (551744) | more than 11 years ago | (#5156305)

No, firewalls are for use as your needs require.
I, for instance, allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's an R + D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stifle the lab users' productivity. Still, I added the block to that specific port in the slim chance that an internal box was infected (lord knows how) so that it would be a localised problem, not contributing.

I don't think you should tell people what firewall rules they should be running.

Re:As I said in a previous post... (3, Interesting)

blowdart (31458) | more than 11 years ago | (#5156307)

There's no reason a database server's protocol port should ever be exposed to the public Internet!

No reason? Really? What about distributed servers taking to a central database? Desktop software that queries a remote database? Remote administration of a remote database? All legitimate reasons.

Re:As I said in a previous post... (0)

Anonymous Coward | more than 11 years ago | (#5156346)

In order: VPN. Maybe VPN would be inconvenient, but possible for the client. VPN.

Re:As I said in a previous post... (1)

Psiren (6145) | more than 11 years ago | (#5156339)

I log all my dropped connections, as most do. But I do have some specific rules that block and don't log anything, simply because I get so many of them and it makes looking for other important information difficult. Ports 137-139 (netbios) and now this one. But you're right, if you are blocking specific ports as the problems come along then you're doing something wrong.

Re:As I said in a previous post... (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5156287)

I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

The point isn't finding the hole, it's people not patching their servers. I mean FFS this was discovered and patched over six months ago. SQL Server is not consumer software - you can't blame Joe Public for not being up-to-speed on net security issues - this is professionals not doing their jobs properly.

Re:As I said in a previous post... (0)

Anonymous Coward | more than 11 years ago | (#5156334)

No, the point is, Apache is really popular. Who uses MS SQL Server? An aggressive worm like this for Apache would be catastrophic: There are many more targets (and thus attack zombies) and you can't just "block port 80/tcp".

bah (1)

vicviper (140480) | more than 11 years ago | (#5156238)

An SQL worm is nothing compared to the POWER of the forc^W slashdotting.

SQL like a pig (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5156239)

Dear Apple,

I am a homosexual. I bought an Apple computer because of its well earned reputation for being "the" gay computer. Since I have become an Apple owner, I have been exposed to a whole new world of gay friends. It is really a pleasure to meet and compute with other homos such as myself. I plan on using my new Apple computer as a way to entice and recruit young schoolboys into the homosexual lifestyle; it would be so helpful if you could produce more software which would appeal to young boys. Thanks in advance.

with much gayness,

Father Randy "Pudge" O'Day, S.J.

been watching this all night (4, Informative)

h2odragon (6908) | more than 11 years ago | (#5156240)

the fun's almost over now

Collected a packet disassembly and some urls here [freedom.org] .

Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.

Re:been watching this all night (1)

Dynamic Drive (636263) | more than 11 years ago | (#5156275)

I wouldn't say it's over yet. A site of ours is still down. And it's not even hosted on Windows :)

The old joke (0)

Anonymous Coward | more than 11 years ago | (#5156242)

mysql will postegresql yoursql

Patch (4, Informative)

sql*kitten (1359) | more than 11 years ago | (#5156243)

Microsoft released a patch [microsoft.com] for this 24th July, 2002.

wow yeah! (5, Interesting)

matth (22742) | more than 11 years ago | (#5156245)

Where I work we ended up with quite the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greeted with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!

Someone really has carefully crafted this worm to try to bring down the net.. and what better time than on a Saturday morning when all admins are away and not planning to work the next day!

Re:wow yeah! (0)

Anonymous Coward | more than 11 years ago | (#5156263)

You call yourself an admin? Most admins don't get Saturdays off....

Re:wow yeah! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5156310)

yeah, you call yourself an admin and then brag how easy it is to fix the holes with some service pack and firewall up?
the nerve,
your compromised servers surely helped spread the worm further, they hindered normal services, yet it was soooo easy to fix and firewall up. now here is a clue for you MSCE boy, you have to fix the boxen BEFORE A DAMN MSSQL WORM HITS THEM.
I hope for the day when a worm just kills the systems and trashes all data, so incompetent "admins" like you have to check in at welfare stations the day after.

Ok now tell me (4, Funny)

vicviper (140480) | more than 11 years ago | (#5156246)

how many queries at the root level are unnecessary. :)

First hand report (4, Interesting)

AirLace (86148) | more than 11 years ago | (#5156247)

Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped Christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules across our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..

Re:First hand report (2, Informative)

bwalling (195998) | more than 11 years ago | (#5156294)

Needless to say I've been working since then to apply appropriate firewall rules across our network to block port 1434.

What you really need to do is to assess which ports you need to leave open, and to which hosts they correspond. You need to block everything, and then set rules to enable only the ports/hosts that are necessary (open ports 80/443 to webserver, etc).

Otherwise, you'll be doing the same thing for the next worm.

Re:Why would anyone use anything else? (1)

occamboy (583175) | more than 11 years ago | (#5156317)

Having used Oracle, SQL Server, and PostgreSQL, I'm wondering... why use anything other than PostgreSQL? This attack just further reinforces my belief that 95% of folks using Oracle and SQL Server should switch.

Re:First hand report (-1, Flamebait)

The AtomicPunk (450829) | more than 11 years ago | (#5156329)

You deserve even worse for not blocking everything to begin with.

One at our site cut itself off from the net... (1)

weave (48069) | more than 11 years ago | (#5156248)

A server at one of our campuses (a college, campuses all over the state) got infected around 0900 UT and started hammering the hell out of our WAN and their local LAN, sending 10.4MB/sec through the router and then 1.2MB/sec out our internet line (bytes not bits). It stopped about an hour later. Turns out it flooded the router so hard it looks like that router has shut down. I can't ping a darn thing inside that campus now.... Fitting justice.

Re:One at our site cut itself off from the net... (2, Interesting)

cyb97 (520582) | more than 11 years ago | (#5156333)

That router must be fairly undersized...
No point in having a router that can't sustain max traffic on the network it's put on...
What if your campus gets slashdotted? Kinda boring if the router shuts down because of legit traffic ;-)

My guess is that some MSCP caught panic when he saw the load on the mssql-server and pulled the plug...
It's happened to me... (and he wasn't even MSCP just vanilla dumb...)

ZDNet and Yahoo stories (3, Informative)

tigress (48157) | more than 11 years ago | (#5156250)

ZDNet [zdnet.co.uk] and Yahoo.

Re:ZDNet and Yahoo stories (1)

tigress (48157) | more than 11 years ago | (#5156254)

Yahoo [yahoo.com] even.

Re:ZDNet and Yahoo stories (1)

doug363 (256267) | more than 11 years ago | (#5156337)

That ZDNet story is a 2001 article. I just checked ZDNet, and they don't seem to have a story on this problem yet.

Re:ZDNet and Yahoo stories (0)

Anonymous Coward | more than 11 years ago | (#5156283)

from the zdnet article


Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." He added, "If the SQL server is accessible from the Internet, people can log in using a blank password and have full access to the database, as well as the underlying operating system."


That sounds so fucking retarded. Could it possibly be true?

Re:ZDNet and Yahoo stories (1)

blowdart (31458) | more than 11 years ago | (#5156325)

That sounds so fucking retarded. Could it possibly be true?

No, it's not. SQL2000 has always prompted for a password. SQL2k SP3 also checks for blank passwords. You can override it however.

SQL7 didn't force you to use a password, but from SP2 up you are warned that SA is blank.

Re:ZDNet and Yahoo stories (1)

fuzzywig (208937) | more than 11 years ago | (#5156352)

and here [bbc.co.uk] on the BBC

HAHA 3RD (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5156251)

THIRD post! This is the highest I've ever got, hurray! I'm cool

Must... resist... temptation... to... OH NO!!! (-1, Troll)

ites (600337) | more than 11 years ago | (#5156252)

Imagine a Beowulf cluster of these worms... and VOILA! Internet, 2003/02/25.

Whoever puts their database server (5, Insightful)

cscx (541332) | more than 11 years ago | (#5156253)

Outside a firewall for no apparent reason is a tool. That being said, we live in a world of idiots. Why?

NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
they have produced a patch that resolves these issues.


This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?

Re:Whoever puts their database server (1)

Xpilot (117961) | more than 11 years ago | (#5156281)

Outside a firewall for no apparent reason is a tool

You probably meant fool, but tool sort of makes sense too. An idiot like that is the perfect tool for evildoers everywhere to take advantage of! Heh.

Re:Whoever puts their database server (1)

BenjyD (316700) | more than 11 years ago | (#5156359)

I think he did mean tool. Check this dictionary [peevish.co.uk] and scroll down to tool.

Re:Whoever puts their database server (5, Funny)

cyb97 (520582) | more than 11 years ago | (#5156347)

Are these the same people that leave their cars unlocked with the keys in the ignition?
A real idiot would leave the car locked with the keys in the ignition...
I guess they learn something at MSCE courses ;-)

Old news (0)

Anonymous Coward | more than 11 years ago | (#5156255)

This was being discussed in a previous article talking about XST. The fun is over by now...

Yet another reason (0)

Anonymous Coward | more than 11 years ago | (#5156256)

why government or at least major Internet bodies and ISP groups should be spending some amounts of money on scanning for vulnerabilities and notifying the owners of such systems. It's a bit like leaving a gun on a table around the house, or for that matter, when considering script kiddies, leaving a bazooka in the toy box at a pre-school.

Re:Yet another reason (0)

Anonymous Coward | more than 11 years ago | (#5156314)

oh BULLSHIT.. this is NOT a good idea.. give the US government MORE sweeping powers to waltz in and scan your servers for vulnerabilities ? might as well hand them your data on a silver platter. think government-ordered backdoors contracted by Microsoft

how bad is it? (3, Interesting)

chevelleSS (594683) | more than 11 years ago | (#5156257)

What does this worm rank compared to other DDOS in the past?

What's inside ? (1, Redundant)

koh (124962) | more than 11 years ago | (#5156259)

Has someone scanned the UDP packets and reported what's inside ?

I just want to see with my own eyes that the worm isn't quietly spitting out a SELECT * from a random table, record per record...

CNN & AP Beat Slashdot (3, Interesting)

Anonynmous Cow (637479) | more than 11 years ago | (#5156260)

I was very surprised to discover both AP and CNN beat Slashdot to this story.

Very disappointing.

Timely is as important as accurate, SlashEditors. Many of us look to you when big events occur...

Especially considering this all began about 8 hours ago!

Re:CNN & AP Beat Slashdot (1)

Zocalo (252965) | more than 11 years ago | (#5156279)

Never mind, it's still not on The Register [theregister.co.uk] !

Re:CNN & AP Beat Slashdot (0)

Anonymous Coward | more than 11 years ago | (#5156309)

They always take the weekends almost entirely off, so I'm not at all surprised by that one, anyway.

Re:CNN & AP Beat Slashdot (1)

cyb97 (520582) | more than 11 years ago | (#5156357)

But I bet they've got a biting remark prepared for monday morning!

give them a break (1)

chevelleSS (594683) | more than 11 years ago | (#5156301)

even /. editors have to sleep!

Information about the worm (5, Informative)

Anonymous Coward | more than 11 years ago | (#5156268)

This site has a disassembly with an explanation: http://www.boredom.org/~cstone/worm-annotated.txt [boredom.org]

What next? (1)

Big Mark (575945) | more than 11 years ago | (#5156270)

This is based on an exploit that has been known about for half a year, and it seems relatively innocuous - the articles linked to thus far imply that it could cause two servers to go into a race with each other, but nothing more - and look what's happening now.

There are a /lot/ of security holes and things listed, and (to the untrained laygeek that I am at least) some of them appear muchly more dangerous than this one. Surely it's common sense that all sysadmins should keep security holes plugged as they are announced?

And what will happen when some clever cracker manages to exploit apache or sendmail in such a way? We'll be, quite literally, fucked. Plug those holes, people!

-Mark

Juniper Filter (0)

Anonymous Coward | more than 11 years ago | (#5156272)

Anyone running a Juniper can easily filter this by putting this filter on all their network ingress/egress points:

> show configuration firewall filter filter-012503
term deny-dos {
    from {
        packet-length 404;
        protocol udp;
        destination-port 1434;
    }
    then {
        count codered-4;
        discard;
    }
}
term allow-rest {
    then accept;
}

Re:Juniper Filter (1)

WildThing (143539) | more than 11 years ago | (#5156296)

Hey This might be useful if you had the packet length right. It's 376 not 404.

Re:Juniper Filter (0)

Anonymous Coward | more than 11 years ago | (#5156356)

The ones we are seeing are 418 bytes
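The three lengths quoted in this sub-thread (376, 404 and 418 bytes) are not in conflict; they are the same datagram measured at different layers, and a packet-length match has to use the length the filtering device actually counts. The parser below is an added example, not code from the thread. It recovers each of those lengths from constructed Ethernet/IPv4/UDP frames (the worm's real payload bytes are not on this page, so a 376-byte filler stands in for them, and the one-byte "discovery request" is likewise constructed) and applies the only signature the story itself supports: UDP, destination port 1434, exactly 376 bytes of payload.

```python
import struct

SSRS_PORT = 1434           # ms-sql-m, the SQL Server resolution service
SLAMMER_PAYLOAD_LEN = 376  # UDP payload length reported in the story
ETH_HDR = 14
UDP_HDR = 8


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split('.'))


def build_udp_frame(src, dst, sport, dport, payload):
    """Construct an Ethernet II / IPv4 / UDP frame for the sample traffic
    below. Checksums are left at zero; the parser does not verify them."""
    udp = struct.pack('!HHHH', sport, dport, UDP_HDR + len(payload), 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack('!BBHHHBBH4s4s',
                     0x45, 0, total_len, 0, 0, 64, 17, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + udp
    eth = bytes(6) + bytes(6) + b'\x08\x00'   # dst MAC, src MAC, EtherType IPv4
    return eth + ip


def parse_frame(frame):
    """Return the length and addressing fields of an IPv4 frame (UDP fields
    when present), or None if it is not IPv4 over Ethernet II or is truncated."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[ETH_HDR:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    proto = ip[9]
    info = {
        'frame_len': len(frame),          # what a sniffer on the wire reports
        'ip_len': total_len,              # what a router packet-length filter sees
        'proto': proto,
        'src': '.'.join(map(str, ip[12:16])),
        'dst': '.'.join(map(str, ip[16:20])),
    }
    if proto != 17:
        return info
    udp = ip[ihl:total_len]
    if len(udp) < UDP_HDR:
        return None
    sport, dport, udp_len, _ = struct.unpack('!HHHH', udp[:UDP_HDR])
    info.update(sport=sport, dport=dport, udp_len=udp_len,
                payload_len=max(0, min(udp_len, len(udp)) - UDP_HDR))
    return info


def is_slammer_like(info):
    """Match on what the story gives us: UDP, destination port 1434, a
    376-byte payload.  The lengths quoted in the thread line up as
      376 payload + 8 UDP header  = 384 (UDP length field)
      384 + 20 IPv4 header        = 404 (IP total length, Juniper packet-length)
      404 + 14 Ethernet header    = 418 (frame length on the wire)"""
    return (info is not None and info['proto'] == 17
            and info['dport'] == SSRS_PORT
            and info['payload_len'] == SLAMMER_PAYLOAD_LEN)


def triage(frames):
    """Return the set of source addresses whose frames match the signature."""
    return {parse_frame(f)['src'] for f in frames if is_slammer_like(parse_frame(f))}


# Constructed sample traffic (addresses from documentation ranges).
WORM_FRAME = build_udp_frame('192.0.2.10', '198.51.100.5', 40000, SSRS_PORT,
                             b'\x01' * SLAMMER_PAYLOAD_LEN)          # filler, not the real worm bytes
PROBE_FRAME = build_udp_frame('192.0.2.20', '198.51.100.5', 40001, SSRS_PORT,
                              b'\x02')                                 # short discovery request, constructed
DNS_FRAME = build_udp_frame('192.0.2.30', '198.51.100.53', 40002, 53,
                            b'\x00' * SLAMMER_PAYLOAD_LEN)            # same size, wrong port

if __name__ == '__main__':
    for f in (WORM_FRAME, PROBE_FRAME, DNS_FRAME):
        i = parse_frame(f)
        print(i['src'], i['frame_len'], i['ip_len'], i['udp_len'],
              i['payload_len'], is_slammer_like(i))
```

The length arithmetic is the practical takeaway: a Juniper `packet-length` term counts the IP packet, so 404 is the right number there; a capture tool counts the frame and shows 418; the story's 376 is the payload alone. A filter written with the wrong layer's number silently matches nothing.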

US Military Intelligence? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5156274)

Lol... You lot killed more Brits in the last Gulf War than the Iraqis did.

With friends like you, who needs enemies?

wimpy British Poodle (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5156295)

If you can't fight with the Big Dogs, stay on the couch watching the Chicken Noodle News.

Re:wimpy British Poodle (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5156323)

Oh sure, it's easy to kill people that trust you, sure. What big men you are.

Try using more brains, and less gung-ho cowboy shooting-from-the-hip-and-killing-your-allies.

Re:US Military Intelligence? (0, Offtopic)

ecalkin (468811) | more than 11 years ago | (#5156358)

If it hadn't been for a last minute scud that hit a barracks and killed a bunch of US servicemen, the united states would have killed more of its own soldiers than iraq did. friendly fire may be an oxymoron, but it happens...

Patches Smatches (0)

Anonymous Coward | more than 11 years ago | (#5156276)

Come on, a lot of people will not patch their server, and that's the bite. You've got to ship it secure in the FIRST PLACE, and very few servers can actually hold that title.

So, regardless if the patch was released on 2002-07-24, people will not patch it because people are lazy.

The biggest security risk is humans, and not even TCPA/Palladium will solve this crap. Your password is 123456, your private key is abcdefghijklmnopqrstuvwxyz, and everyone knows your mother's maiden name.

Newbie question (0)

Anonymous Coward | more than 11 years ago | (#5156277)

If I don't have any instances of MS SQL Server on my network, is there any benefit to me or other people to block the affected port?

Thanks.

Turn your SQL server off? (2, Informative)

blowdart (31458) | more than 11 years ago | (#5156278)

If you run Microsoft SQL Server, make sure the public internet can't access it.

What a pathetic overkill response. If you're running SQL server, make sure it's patched. When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?

SQL is easy to secure, and the guidelines are well known

  • Make sure you do not have a blank SA password. You can either run SQL in NT authentication mode (preferred) or mixed mode. Mixed mode exposes you to password attacks.
  • MSDE (The desktop edition) is installed, by default, with a few pieces of software, including Visio Enterprise, McAfee's centralised virus admin thingy (hey, I've only just woken up, I can't remember the name), FlipFactory (an automated video encoding system) and others. There is no user interface to MSDE, you'd have to install SQL tools from a "grown up" installation, then add it as a new server, then set the SA password.
  • Consider dropping built in stored procedures like xp_cmdshell, xp_regwrite.
  • Run SQL as a limited service account, not as localsystem

And of course, patch it when patches appear

Who said anything about turning it off? (2, Informative)

Chuck Chunder (21021) | more than 11 years ago | (#5156342)

Any server that doesn't need to be accessed from the public internet in the course of its normal use should be firewalled off from it. That's just common sense.

Re:Turn your SQL server off? (0, Flamebait)

The AtomicPunk (450829) | more than 11 years ago | (#5156353)

What a pathetic overkill response.If you're running SQL server, make sure it's patched. When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?

I guess we should expect this kind of general cluelessness from an MS SQL admin.

June 2002? (1)

drfrogsplat (644587) | more than 11 years ago | (#5156280)

It is believed this worm leverages a vulnerability published in June 2002.
While I don't want to support any attacks on servers, whatever their choice of software, this (once again) brings to the fore the problem of admins who don't look after their systems/networks (read: regularly check for security updates/patches, let alone set it up securely in the first place). From the linked article [nextgenss.com] :
It is strongly recommended that a rule be added to each organization's firewall such that any packet destined for UDP port 1434 on the 'clean' side of the firewall be dropped and logged. No host, even DNS Servers, should be allowed to send traffic to this port.
And of course a patch was released by MS to remove the problem... All this 8 months ago and still it manages to have a fairly crippling effect on the InternetAsWeKnowIt(tm)? I don't care what OS or software you use (I won't even say what I use to let this become a flame war about UNIX being better than win32) but pleeeeease care about your network and check for updates and announcements... though I suppose I'm preaching to the converted around here...

Another look at the worm (3, Informative)

valdezjuan (83925) | more than 11 years ago | (#5156282)

From digitaloffense: A new worm which exploits a vulnerability in MS SQL Server is bringing the core routers to a grinding halt. The speed of the propagation can be attributed to the attack method and simplicity of the code. The worm sends a 376-byte UDP packet to port 1434 of each random target, each vulnerable system will immediately start propagating itself. Since UDP is connection-less, the worm is able to spread much more quickly than those using your standard TCP-based attack vectors (no connect timeouts). Some random screen shots and information about the worm can be found HERE. [digitaloffense.net]

Whoever... (5, Insightful)

wulffi (176311) | more than 11 years ago | (#5156284)

Whoever puts a database outside a firewall and then leaves its external port open???

Sysadmins like that should be dragged into the street and shot.

Been waiting for this (3, Funny)

tigress (48157) | more than 11 years ago | (#5156285)

...the Slashdot article, that is. I've been watching this since I got up this morning (about five hours ago, local time). There's been plenty of discussions about this on various mailinglists, including NANOG [nanog.org] and NordNOG [nordnog.org] , as well as several IRC channels I frequent. I'm surprised it took this long for Slashdot to post anything about it.

According to unconfirmed sources on NANOG, the worm seems to eat up bandwidth at line rate (even at GigE links), is rumored to amplify itself via Cisco routers, and is the creation of Saddam Hussein.

My journal [slashdot.org] on the worm.

Oh really? (0)

Anonymous Coward | more than 11 years ago | (#5156336)

Care to offer up one particle of evidence that this was Saddam's doing? Or are you just beating the Bush war drum like a good little puppet?

best writeup (4, Informative)

numatrix (242325) | more than 11 years ago | (#5156286)

Best writeup I've seen is over at iss.net [iss.net] . They were the first to update their internet status homepage alerting of the vulnerability as far as I can tell.

Some Links (5, Informative)

Isomer (48061) | more than 11 years ago | (#5156290)

Re:Some Links (0)

Anonymous Coward | more than 11 years ago | (#5156330)

Peachy. If the worm weren't bad enough, now those poor unreachable servers (either below average or unfortunate -- you decide) have to deal with the /. effect too.

WARNING ONE LINK IS GOATSE REDIRECT ! (0)

Anonymous Coward | more than 11 years ago | (#5156351)

What will they think of next?

So this proves... (0)

Anonymous Coward | more than 11 years ago | (#5156297)

that there are still way too many slack-assed admins out there. Not that getting nailed by something of this nature is a sign of bad administration, but it had to start with stupidity and laziness at some level. INSTALL THE PATCHES. INSTALL THE SERVICE PACKS. KEEP EVERYTHING UP TO DATE. It's your job, do it. Everyone's internet connection will thank you.

problem still around (3, Interesting)

Dynamic Drive (636263) | more than 11 years ago | (#5156302)

I've been watching this havoc unfold all night as well. I wonder how long it's going to take for the entire problem to clear. Most sites that were previously inaccessible for me are now accessible, except some of our own. Makes me wonder if something else is going on in these datacenters.

What is being sent... (0)

Anonymous Coward | more than 11 years ago | (#5156304)

Found this about what's being sent in those packets. [freedom.org]

Collected info: (5, Informative)

Anonymous Coward | more than 11 years ago | (#5156306)

There's a stream of related info in the comments of Slashdot's Cross-Site TRACE [slashdot.org] story.

Some snippets from there:

Mabu's message says: Here's what we've been able to learn, at 4:30am Central time.

We have reason to believe that something called the "SQL Worm" is in play. Some sort of DDOS attack which creates overwhelming traffic on port 1434. This is all preliminary stuff, so take it as such but I have one link up and 3 others down.

I don't have confirmation or details on what systems are affected but we have information to indicate that the following networks are currently affected: Quest, Cable & Wireless, Broadwing, Sprint (partially). My Worldcom link seems to be unaffected (which is why I can post). Note that the connectivity interruptions may be regional but that's what we are dealing with in the South Central area of the US. This has been going on now for about 4-5 hours.

What we are seeing is a major outage due to DDOS on port 1434, on portions of the Internet backbone. At this point, the exact pattern of the outage has not been clarified.

Expect the problem to potentially be addressed when the backbone providers start filtering port 1434. However, it's taken them at least four hours to figure this out.

We just got notice (a few moments ago) that Quest finally started filtering port 1434 and everything went back up. So now we need to figure out what vulnerability this was. My information indicates that port 1434 is MS SQL server resolution service (see related CERT advisory [cert.org]. My initial impression is that while this vulnerability was discovered awhile back, someone just recently figured out a very effective exploit using the vulnerability. I am looking forward to hearing more about what people find out.

The issue currently happening, from what anyone can tell at any rate is that a flaw in MSSQL has been found, due to everyone noticing a lot of traffic on 1434.. MSSQL port anyhow, I was running MSSQL earlier and my dns crapped out ctrl+alt+del'd and saw 85% cpu used by mssql server, killed it and boom everything was okay, possibly a worm traveling around, http://internethealthreport.com/ UUnet seems absolutely destroyed ;)

I'm watching my firewall logs fill up even as I type, and all the 1434 hits are coming from different IPs... no dupes yet that I can see (maybe there are... but I'm not planning on sitting here all night reading logs).

http://www.nextgenss.com/advisories/mssql-udp.txt [nextgenss.com] is an advisory about port 1434

http://average.matrix.net/Daily/markR.html [matrix.net] shows a vivid picture of overall net health due to this

SQLServer listens to 1434 to accept incoming connections. SQLServer 7 would then normally transfer these connections to 1433 by default. SQLServer 2000 would transfer the connection to a random port.

It's best to 'hide' the SQLServer from the internet, and/or disable TCP/IP listening for SQLServer totally when it's connected to the Internet. MS also suggests SQLServer should never be exposed to the Internet directly. You can hide SQLServer (2000) directly, using the Server network utility, shipped with SQLServer. You can there first deselect TCP/IP as a protocol that's active, and if you need it, you can select 'hide' to hide the server on the internet, however it's better to disable TCP/IP totally, since you do not need it when you work with SQLServer from the same box (f.e. a website running on the same box accessing the SQLServer).

Oh, of course it should be mentioned, there is a patch for this available at MS' technet site.

http://www.kb.cert.org/vuls/id/370308 [cert.org] may be the CERT article related to this vuln.

Resent-From: mbac@romulus.netgraft.com
From: Michael Bacarella Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles
Resent-To: bugtraq@securityfocus.com
To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

I'm getting massive packet loss to various points on the globe. I am seeing a lot of these in my tcpdump output on each host.
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper! I make no guarantees that this information is correct, test it out for yourself!

-- Michael Bacarella 24/7
phone: 646 641-8662
Netgraft Corporation http://netgraft.com/
"unique technologies to empower your business"
Finger email address for public key. Key fingerprint: C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

The Fix? (0, Troll)

Lord Prox (521892) | more than 11 years ago | (#5156308)

So will it be this year that MicroSquash will sell us the fix for this, or will the release date slip?

Ya know... On a more serious note, one of these days one of these little worms will have a really mean and nasty payload attached. Instead of just swamping us with annoying packets it could do some major harm. Remember Code Red? Something like 90% of infectable hosts infected in 26 hours... the thing could have destroyed the server's OS/file system/whatever. It was the kindness of the coder that he/she spared us from that. We should not let the world economy's security be handled by the kindness of these worm/virii coders!!!

I say we should shoot l4m3r windows sysadmins on sight... for the sake of the world... and our beloved Internet.

Re:The Fix? (1)

NineNine (235196) | more than 11 years ago | (#5156349)

What exactly does a Net worm have to do with the "world's economy"?

Al-Qaeda (2, Funny)

tigress (48157) | more than 11 years ago | (#5156313)

It's those darn Al-Qaeda, I tell you! Them and Saddam Hussein! Damn them for retaliating against our Righteous Attacks [slashdot.org]!

Every Server, eh? (1, Flamebait)

thefluxster (541597) | more than 11 years ago | (#5156318)

"Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server."

Is anyone else offended that this user thinks that EVERY server runs MS SQL or even Microsoft Anything? Our servers haven't been affected at all by this, FYI.

Re:Every Server, eh? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5156331)

Well, if you actually read it you would see that it says "almost every host on the internet has been receiving" not asking for or sending, like it or not you are getting it, does not imply at all that you are running MS-SQL.

Such floods can be easily stopped. (2, Funny)

Krapangor (533950) | more than 11 years ago | (#5156322)

The only problem is that most of responsible people are computer scientists and sometimes even only with a BS in CS and therefore have no clue of harmonic analysis and advanced probability theory.
If you project your network system in the C^n- space of markovian probability measures and with to the frequency domain, you can easily see that our system represents a compact manifold of superharmonic measures. And malign overflow is just an upper bound in this set, therefore harmonic. It's well known that the only harmonic functions on compact manifolds are constant. So going back into the time domain this means that you must just analyze the frequency of the packets. All packet streams with a constant frequency are malicious by the above calculation and therefore should be dropped. Of course there are some minor points with the frequency reflection on edges etc. but this is very basic stuff and can be easily solved.
I think there was a paper of Lorgajev and Starniktov in the '80s about this, but I'm not really sure.

the problem is monoculture again (2, Insightful)

g4dget (579145) | more than 11 years ago | (#5156326)

While part of the problem is that Microsoft software sucks particularly badly when it comes to security, something like this can happen with other software as well. The real problem is that we have a software monoculture: we need many more, different, independently implemented software systems. They will all have bugs, but as long as they all have different bugs, we are mostly OK. And that's the real reason why Microsoft's market dominance, in particular on large numbers of small machines run by non-experts, is a problem.

Open the gates... (3, Insightful)

Tyreth (523822) | more than 11 years ago | (#5156327)

...let the mandatory "this wouldn't happen if sysadmins upgraded" comments begin!

Seriously though, you should have upgraded!

How to get control of your box again (2, Informative)

rolandbm (620159) | more than 11 years ago | (#5156335)

It looks like if you stop the process sqlservr.exe it will take all of the CPU usage back down to normal. Obviously you don't want to delete this file, but with it stopped you can at least get the box on the network to troubleshoot this stuff. So far from what we can tell, when you restart SQL the load stays down, but that could also just be that it's sitting there idle waiting to be activated again. Hope this helps.

Alchemy Support
Alchemy Communications

Mitnick... (1)

Zibu (200971) | more than 11 years ago | (#5156341)

Mitnick just received his Alubook from Woz, and here's the result... ;)

No mention in media? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5156345)

I think it's funny that all of the media outlets are talking about "a worm like Code Red has infected the internet and is causing worldwide slowing of the internet" but they don't mention at all that it has to do with a Microsoft product or that it was a known bug that MS has ignored for almost a year.

Is anyone seeing a change? (1)

caluml (551744) | more than 11 years ago | (#5156354)

I am now seeing connections from the HTTP ports?

14:18:44.018023 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: FP 537:706(169) ack 334 win 16983
14:18:44.019965 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: . 1:537(536) ack 334 win 16983

Is this a new variant already?
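The two kinds of capture quoted in this thread (the 376-byte UDP hits to ms-sql-m in the "Collected info" post, and the TCP lines from an http port that caluml asks about) can be told apart by a small parser over tcpdump one-line output, which also answers the "no dupes yet" question by counting distinct source addresses and the per-minute rate. This is an added example, not code from the thread or from any of the posters; the sample tcpdump lines are constructed to resemble the quoted ones (with a completed `[tos 0xc0]` and documentation-range addresses), and the 10-per-minute figure comes from the story summary.

```python
import re
from collections import Counter

# tcpdump one-line UDP summary: "HH:MM:SS.usec src.port > dst.port: udp LEN"
UDP_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): udp (?P<length>\d+)$"
)
# tcpdump one-line TCP summary: "... src.port > dst.port: FLAGS seq:seq(len) ..."
TCP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRUW.]+) \d+:\d+\(\d+\)"
)

MS_SQL_M_PORTS = {"ms-sql-m", "1434"}  # tcpdump prints the service name when it can resolve it
WORM_PAYLOAD_LEN = 376                 # UDP length reported in the thread's captures

# Constructed sample lines (not real capture data), modelled on the two captures quoted above.
SAMPLE_LINES = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:33.441002 198.51.100.7.1434 > 24.193.37.212.ms-sql-m: udp 376
02:06:35.102331 203.0.113.9.4021 > 24.193.37.212.ms-sql-m: udp 376
02:06:36.990114 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:07:02.210000 192.0.2.55.2210 > 24.193.37.212.ms-sql-m: udp 376
02:07:05.000001 192.0.2.88.53 > 24.193.37.212.domain: udp 64
14:18:44.018023 64.4.30.24.http > 193.128.1.1.ms-sql-m: FP 537:706(169) ack 334 win 16983
14:18:44.019965 64.4.30.24.http > 193.128.1.1.ms-sql-m: . 1:537(536) ack 334 win 16983
"""


def split_endpoint(endpoint):
    """'150.140.142.17.3047' -> ('150.140.142.17', '3047'); the last dot separates the port."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_udp(line):
    """Return the fields of a UDP summary line, or None for anything else (TCP, ICMP, junk)."""
    m = UDP_RE.match(line.strip())
    if not m:
        return None
    src_ip, _ = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {"minute": f"{m['hh']}:{m['mm']}", "src": src_ip, "dst": dst_ip,
            "dst_port": dst_port, "length": int(m["length"])}


def is_worm_probe(pkt):
    """A probe is a UDP datagram to ms-sql-m/1434 carrying exactly the 376-byte payload."""
    return (pkt is not None and pkt["dst_port"] in MS_SQL_M_PORTS
            and pkt["length"] == WORM_PAYLOAD_LEN)


def summarize(lines, per_minute_threshold=10):
    """Count probes, distinct and repeated sources, the busiest minute, and any minute at
    or above per_minute_threshold. TCP traffic to ms-sql-m is counted separately because it
    is not the UDP probe this thread describes and should not be mistaken for it."""
    sources = Counter()
    per_minute = Counter()
    tcp_to_ms_sql_m = 0
    for line in lines:
        pkt = parse_udp(line)
        if is_worm_probe(pkt):
            sources[pkt["src"]] += 1
            per_minute[pkt["minute"]] += 1
            continue
        t = TCP_RE.match(line.strip())
        if t and split_endpoint(t["dst"])[1] in MS_SQL_M_PORTS:
            tcp_to_ms_sql_m += 1
    busiest = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {
        "probes": sum(sources.values()),
        "unique_sources": len(sources),
        "repeat_sources": {ip: n for ip, n in sources.items() if n > 1},
        "busiest_minute": busiest,
        "minutes_over_threshold": sorted(m for m, n in per_minute.items()
                                         if n >= per_minute_threshold),
        "tcp_to_ms_sql_m": tcp_to_ms_sql_m,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it `tcpdump -n -l udp port 1434` output on stdin or a saved log; the `-n` flag would make the port appear as `1434` rather than `ms-sql-m`, which is why both spellings are accepted. Matching on the exact 376-byte length keeps ordinary SQL Server browser queries out of the count, and the separate TCP tally shows that lines like caluml's are a different conversation rather than a new variant of the UDP probe.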