Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

MS SQL listens on port 1434/udp so that clients can figure out which method of communication to use (named pipes, tcp/ip et al). There are two problems that yield the ability to execute code remotely while unauthenticated.

-------------------------------------------------------
Jeremy Kister
www.jeremykister.com
PGP: http://www.jeremykister.com/jeremy/public_key.asc
-------------------------------------------------------

-----Original Message-----
From: Michael Bacarella [mailto:mbac@netgraft.com]
Sent: Saturday, January 25, 2003 2:12 AM
To: nylug-talk@nylug.org; wwwac@lists.wwwac.org; linux-elitists@zgp.org
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
>
> --
> Michael Bacarella 24/7 phone: 646 641-8662
> Netgraft Corporation http://netgraft.com/
> "unique technologies to empower your business"
>
> Finger email address for public key. Key fingerprint:
> C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055
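
Added example (not part of either message above): a Python filter over tcpdump text output in the format shown in the quoted post, listing source hosts that send UDP to port 1434 on several distinct addresses. The function name, the `min_targets` threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump UDP line as shown in the post: "TIME SRC.sport > DST.dport: udp LEN"
UDP_LINE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\S+) > (\d+\.\d+\.\d+\.\d+)\.(\S+): udp (\d+)"
)
# Service name as printed in the post, or the number when tcpdump runs with -n.
SQL_MONITOR_PORTS = {"ms-sql-m", "1434"}


def scan_sources(lines, min_targets=3):
    """Return {source_ip: sorted destinations} for hosts that sent UDP to
    port 1434 on at least min_targets distinct addresses.
    The default threshold is an assumption, not a value from the post."""
    targets = defaultdict(set)
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m and m.group(4) in SQL_MONITOR_PORTS:
            targets[m.group(1)].add(m.group(3))
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


# The first two lines are from the post; the rest are constructed sample
# input using documentation address ranges.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
02:06:31.020101 192.0.2.10.1055 > 198.51.100.1.ms-sql-m: udp 376
02:06:31.020345 192.0.2.10.1055 > 198.51.100.2.ms-sql-m: udp 376
02:06:31.020777 192.0.2.10.1055 > 198.51.100.3.1434: udp 376
02:06:31.030000 192.0.2.20.1060 > 198.51.100.5.domain: udp 40
""".splitlines()

if __name__ == "__main__":
    for src, dsts in scan_sources(SAMPLE).items():
        print(f"{src} sent 1434/udp traffic to {len(dsts)} hosts: {', '.join(dsts)}")
```

The ICMP unreachable line and the DNS line are skipped; only UDP datagrams addressed to port 1434 are counted, per source.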