In-Reply-To: <20030125021141.A23211@romulus.netgraft.com> This is indeed happening widely tonight. Some of the client machines here have been hit as their boxes were not patched up properly. We have firewalled access and have brought our core switches online again after a brief interruption where the traffic here got up to a little over 110Mbits/s. The switches simply went into failover. The good news is that it is not autonomous, so you can control access through port filtering until the patches are applied. The UDP D.O.S. attack: (Random snippets from logs) PROTO=UDP SPT=1518 DPT=1434 PROTO=UDP SPT=1032 DPT=1434 PROTO=UDP SPT=1077 DPT=1434 PROTO=UDP SPT=4319 DPT=1434 /b >Received: (qmail 1867 invoked from network); 25 Jan 2003 08:39:23 -0000 >Received: from outgoing3.securityfocus.com (205.206.231.27) > by mail.securityfocus.com with SMTP; 25 Jan 2003 08:39:23 -0000 >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) > by outgoing3.securityfocus.com (Postfix) with QMQP > id A5DACA30A5; Sat, 25 Jan 2003 00:59:36 -0700 (MST) >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >Precedence: bulk >List-Id: <bugtraq.list-id.securityfocus.com> >List-Post: <mailto:bugtraq@securityfocus.com> >List-Help: <mailto:bugtraq-help@securityfocus.com> >List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com> >List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com> >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Received: (qmail 28308 invoked from network); 25 Jan 2003 07:06:20 -0000 >Date: Sat, 25 Jan 2003 02:11:41 -0500 >From: Michael Bacarella <mbac@netgraft.com> >To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, > linux-elitists@zgp.org >Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! >Message-ID: <20030125021141.A23211@romulus.netgraft.com> >Mime-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >Content-Disposition: inline >User-Agent: Mutt/1.2.5i >Resent-From: mbac@romulus.netgraft.com >Resent-Date: Sat, 25 Jan 2003 02:12:54 -0500 >Resent-To: bugtraq@securityfocus.com >Resent-Message-Id: <20030125071254.1B3F7681AD@romulus.netgraft.com> > >I'm getting massive packet loss to various points on the globe. >I am seeing a lot of these in my tcpdump output on each >host. > >02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376 >02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0 > >It looks like there's a worm affecting MS SQL Server which is >pingflooding addresses at some random sequence. > >All admins with access to routers should block port 1434 (ms-sql-m)! > >Everyone running MS SQL Server shut it the hell down or make >sure it can't access the internet proper! > >I make no guarantees that this information is correct, test it >out for yourself! > >-- >Michael Bacarella 24/7 phone: 646 641-8662 >Netgraft Corporation http://netgraft.com/ > "unique technologies to empower your business" > >Finger email address for public key. Key fingerprint: > C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055 >
