MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Hi all,

There appears to be a major DDoS attack going on since last
night, which is causing some pretty significant problems on
the Internet all over the globe.  In terms of the Unidata feeds,
we have been seeing some problems feeding from a few sites.

The problem appears to be a worm that is hitting unpatched
MS SQL server machines.

Even NCEP is being hit, as we can see from the latest message
from the SDM desk:

NCEP IS EXPERIENCING INTERNAL AND EXTERNAL WEB ACCESS
PROBLEMS AND NCEP ACCESS TO SUITLAND WHERE MUCH OF
THE SATELLITE PRODUCTS ORIGINATE FOR OUR MODEL RUNS.
SUPPORT PERSONNEL SAY THAT ANOTHER HOUR MAY BE NEEDED
TO FULLY RECOVER THE COMMS SYSTEM...SORRY FOR THE
DELAY...

I've attached below the first account of this attack from
the Bugtraq list . . .

--Kevin

______________________________________________________________________
Kevin Tyle, Systems Administrator               **********************
Dept. of Earth & Atmospheric Sciences           ktyle@xxxxxxxxxxxxxxxx
University at Albany, ES-235                    518-442-4571 (voice)
1400 Washington Avenue                          518-442-5825 (fax)
Albany, NY 12222                                **********************
______________________________________________________________________

---------- Forwarded message ----------
Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
Resent-From: mbac@xxxxxxxxxxxx
Resent-To: bugtraq@xxxxxxxxxxxxxxxxx

I'm getting massive packet loss to various points on the globe.
I am seeing a lot of these in my tcpdump output on each
host.

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is
pingflooding addresses at some random sequence.

All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make
sure it can't access the internet proper!

I make no guarantees that this information is correct, test it
out for yourself!

-- 
Michael Bacarella                  24/7 phone: 646 641-8662
Netgraft Corporation                   http://netgraft.com/
      "unique technologies to empower your business"

Finger email address for public key.  Key fingerprint:
  C40C CB1E D2F6 7628 6308  F554 7A68 A5CF 0BD8 C055
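The traffic pattern the forwarded post describes, a single source spraying 376-byte UDP datagrams at port 1434 (ms-sql-m) on many different destinations, can be picked out of tcpdump output mechanically. The script below is an added example written for this archive page; it is not code from either message's author. It assumes the default tcpdump one-line UDP summary format seen in the post ("src.port > dst.port: udp LEN", with the service name printed when tcpdump resolves it), and the sample capture is constructed for the example using documentation address ranges, not the addresses from the post. It flags sources that hit at least `threshold` distinct destinations with 376-byte datagrams on 1434; a single such datagram is treated as noise, since payload length alone is a weak signal.

```python
import re

# Constructed sample tcpdump output in the same format as the lines quoted in
# the post. Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_TCPDUMP = """\
02:06:31.017088 203.0.113.17.3047 > 198.51.100.212.ms-sql-m:  udp 376
02:06:31.017244 198.51.100.212 > 203.0.113.17: icmp: 198.51.100.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.020011 203.0.113.17.3047 > 198.51.100.9.ms-sql-m:  udp 376
02:06:31.020900 192.0.2.44.1040 > 198.51.100.212.domain:  udp 45
02:06:31.021500 203.0.113.99.2222 > 198.51.100.212.1434:  udp 376
02:06:31.022000 203.0.113.17.3047 > 198.51.100.77.ms-sql-m:  udp 376
02:06:31.023000 192.0.2.44.1041 > 198.51.100.212.ms-sql-m:  udp 120
"""

# One tcpdump UDP summary line: timestamp, src.sport > dst.dport: udp LEN.
# ICMP and other non-UDP lines deliberately do not match.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:\s]+):\s+udp\s+(?P<len>\d+)$"
)

# tcpdump prints "ms-sql-m" when it can resolve 1434 from /etc/services,
# otherwise the bare number; accept both.
MSSQL_MONITOR_PORTS = {"ms-sql-m", "1434"}
# UDP length tcpdump reported for the worm datagrams in the post.
WORM_PAYLOAD_LEN = 376


def parse_udp(line):
    """Return the fields of a UDP summary line as a dict, or None if the
    line is not a UDP summary (e.g. the ICMP port-unreachable replies)."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"])
    return pkt


def is_suspect(pkt):
    """A 376-byte UDP datagram aimed at the SQL Server monitor port."""
    return pkt["dport"] in MSSQL_MONITOR_PORTS and pkt["len"] == WORM_PAYLOAD_LEN


def scan(text, threshold=2):
    """Map each source address to the number of distinct destinations it
    hit with suspect datagrams, keeping only sources at or above threshold.
    Fan-out across destinations is what separates a scanning host from a
    legitimate client talking to one SQL Server."""
    hits = {}
    for line in text.splitlines():
        pkt = parse_udp(line)
        if pkt and is_suspect(pkt):
            hits.setdefault(pkt["src"], set()).add(pkt["dst"])
    return {src: len(dsts) for src, dsts in hits.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, fanout in sorted(scan(SAMPLE_TCPDUMP).items()):
        print(f"{src}: {fanout} distinct hosts probed on udp/1434 with 376-byte datagrams")
```

On the sample capture, 203.0.113.17 is reported (three distinct targets) while 203.0.113.99, which sent one such datagram, stays below the default threshold; raise or lower `threshold` to match how noisy the link is. Run it against a live capture with `tcpdump -n -l udp port 1434 | python3 -c ...` style piping, or save the capture and pass the text to `scan()`. This only confirms the symptom the post describes; as the original author says, verify before acting on it, and the durable fix is the router block on port 1434 and patching or isolating the SQL Server hosts.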

