Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

In-Reply-To: <20030125021141.A23211@romulus.netgraft.com>

Michael,

I feel your pain.  I've seen the same thing starting at 12:46 AM EST 01-25-2003
at one of our colocation facilities.

I haven't had time to analyze things as of yet - I discovered three 
machines, all with activity that started at this same time, all running 
Windows 2000 and SQL Server 2000.

It crippled internal connectivity - basically, any machine that actively 
had this going on, if we would plug it into a port on an HP4000 switch it 
would freeze the switch instantly and then anything on the local network 
would suffer.

I'm working on isolating these machines to a local segment and then 
putting them back online so that I may see what type of traffic is 
generated or received at brief intervals.

I don't know what it is, but it's certainly detrimental to network 
performance!

Mike Tindor
FIRST Internet

>Date: Sat, 25 Jan 2003 02:11:41 -0500
>From: Michael Bacarella <mbac@netgraft.com>
>To: nylug-talk@nylug.org, wwwac@lists.wwwac.org,
>	linux-elitists@zgp.org
>Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>Message-ID: <20030125021141.A23211@romulus.netgraft.com>
>Resent-From: mbac@romulus.netgraft.com
>Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500
>Resent-To: bugtraq@securityfocus.com
>Resent-Message-Id: <20030125071254.1B3F7681AD@romulus.netgraft.com>
>
>I'm getting massive packet loss to various points on the globe.
>I am seeing a lot of these in my tcpdump output on each
>host.
>
>02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
>02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
>It looks like there's a worm affecting MS SQL Server which is
>pingflooding addresses at some random sequence.
>
>All admins with access to routers should block port 1434 (ms-sql-m)!
>
>Everyone running MS SQL Server shut it the hell down or make
>sure it can't access the internet proper!
>
>I make no guarantees that this information is correct, test it
>out for yourself!
>
>-- 
>Michael Bacarella                  24/7 phone: 646 641-8662
>Netgraft Corporation                   http://netgraft.com/
>      "unique technologies to empower your business"
>
>Finger email address for public key.  Key fingerprint:
>  C40C CB1E D2F6 7628 6308  F554 7A68 A5CF 0BD8 C055
>
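As an added example, not code from either poster: a small Python scanner that reads tcpdump text of the kind quoted above and flags the traffic the post describes, UDP datagrams to port 1434 (ms-sql-m) carrying the 376-byte payload shown in the capture, then tallies the sending hosts so the noisiest can be pulled off the segment the way the reply describes. The capture lines are constructed (the two addresses from the post plus documentation addresses); the regex for current tcpdump output and the ms-sql-m name-to-number mapping are assumptions, not something the page states.

```python
import re
from collections import Counter

# Port names tcpdump prints instead of numbers. ms-sql-m is the one the
# post shows; mapping it to 1434 is an assumption taken from the subject line.
PORT_NAMES = {"ms-sql-m": 1434}

# Signature taken from the quoted tcpdump line: a UDP datagram to port
# 1434 with a 376-byte payload.
WORM_DPORT = 1434
WORM_UDP_LEN = 376

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# 2003-era tcpdump line, in the shape quoted in the post:
#   02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
OLD_FMT = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IPV4})\.(?P<sport>\S+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>[^:\s]+):\s+udp (?P<len>\d+)\s*$"
)

# Current tcpdump line (assumed format; not shown on the page):
#   02:06:31.022000 IP 203.0.113.4.2043 > 24.193.37.212.1434: UDP, length 376
NEW_FMT = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\S+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>[^:\s]+): UDP, length (?P<len>\d+)\s*$"
)

# Constructed sample capture: the two lines from the post, a second scan
# from the same source, a benign DNS query, and two lines in the newer
# tcpdump format (one worm-sized, one not).
SAMPLE_CAPTURE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.020113 150.140.142.17.3047 > 24.193.37.213.ms-sql-m:  udp 376
02:06:31.020501 10.0.0.5.3122 > 24.193.37.212.domain:  udp 44
02:06:31.021900 198.51.100.9.1434 > 24.193.37.212.ms-sql-m:  udp 376
02:06:31.022000 IP 203.0.113.4.2043 > 24.193.37.212.1434: UDP, length 376
02:06:31.022500 IP 203.0.113.4.2043 > 24.193.37.212.1434: UDP, length 40
"""


def port_number(token):
    """Turn a tcpdump port token (number or service name) into an int, or None."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_udp_line(line):
    """Parse one UDP tcpdump line in either format; ICMP and junk give None."""
    for pattern in (OLD_FMT, NEW_FMT):
        m = pattern.match(line)
        if m:
            return {
                "ts": m["ts"],
                "src": m["src"],
                "dst": m["dst"],
                "dport": port_number(m["dport"]),
                "len": int(m["len"]),
            }
    return None


def is_worm_datagram(rec):
    """True when the record matches the 376-byte-to-1434 signature."""
    return rec is not None and rec["dport"] == WORM_DPORT and rec["len"] == WORM_UDP_LEN


def scan(capture_text):
    """Return (number of flagged datagrams, Counter of sending hosts)."""
    sources = Counter()
    flagged = 0
    for line in capture_text.splitlines():
        rec = parse_udp_line(line)
        if is_worm_datagram(rec):
            flagged += 1
            sources[rec["src"]] += 1
    return flagged, sources


def block_list(sources, threshold=2):
    """Hosts that sent at least `threshold` worm-sized datagrams: isolate these first."""
    return sorted(ip for ip, n in sources.items() if n >= threshold)


if __name__ == "__main__":
    count, by_src = scan(SAMPLE_CAPTURE)
    print(f"{count} worm-sized datagrams to udp/1434")
    for ip, n in by_src.most_common():
        print(f"  {ip}: {n}")
    print("isolate:", block_list(by_src))
```

On a live host the same parser can be fed the output of `tcpdump -n -l udp port 1434`. Note that the ICMP port-unreachable line in the capture is the victim saying nothing is listening; the damage the thread describes comes from the volume of outbound datagrams, so the hosts at the top of the tally are the ones to unplug, and a `udp/1434` drop at the border is the blanket rule the original post asks for.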

