MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."

Terrorism, must be

[isorox (205688)]

In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

It said the shutdown was triggered by "apparent cyber terror committed by hackers".

http://news.bbc.co.uk/1/hi/technology/2693925.stm [bbc.co.uk]

Re:Terrorism, must be

[weave (48069)]

Terrorism? Bill Gates better be detained indefinitely as an enemy combatent then. Finally, some good may come out of this terrorism paranoia!

billg has no uniform; therefore illegal combatant

[Swordfish (86310)]

billg cannot be an enemy combatant because he
does not wear a military uniform.
So he must be an _illegal_ combatant.
Therefore, if guilty, he will have to go to
Guantanamo Bay for a few years to "help with
investigations".
Of course, proof cannot be given for his guilt
because that might jeopardize national security.
Therefore no trial until terrorism is defeated.
Can't afford to take chances with them terrorists!

As I said in a previous post...

[caluml (551744)]

I find it lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.

It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.

I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

Re:As I said in a previous post...

[bwalling (195998)]

It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you? /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

Exactly. From the MS Security bulletin:

The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.

What the heck was it doing open in the first place?

Re:As I said in a previous post...

[caluml (551744)]

Wouldn't it be nicer if the owners of these machines bother patching the fucking things though?

As far as I'm concerned, boxes SHOULD be able to stand on their own without firewalls. A firewall just adds another layer.

Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.

Re:As I said in a previous post...

[caluml (551744)]

Firewalls promote softer security.

"Oh, it's OK because it's behind the firewall..."

I think firewalls make people lazy. Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.

Re:As I said in a previous post...

[Zeinfeld (263942)]

Firewalls promote softer security.

I have argued for many years that people tend to get the idea that a firewall is some kind of +8 amulet of protection they just strap on which will protect them from pretty much anything.

However there are real benefits to using firewalls and NAT boxes. Unfortunately there are some members of the IESG who are confused on this point but thats because they are blinkered by the end-to-end dogma. I'll note here that Steve Bellovin, the new security AD knows a thing or two about firewalls.

There are actually two end-to-end principles. Applied to networking it meant put the intelligence at the ends, not in the middle of a communication. This was applied to security to mean the same thing.

End-to-end is appropriate to the design of network protocols, it is inappropriate as a guide to operational security. Many protocols are not designed securely, most protocol implementations have flaws.

Another dogma that is inappropriate to operational security is the 'security through obscurity' trope. A design that relies on security through obscurity is broken. This does not mean that operators should divulge all the details of their operations to attackers in the hope this will improve security, it will not. Argument of this type was used to block the introduction of shadow passwords on UNIX for years after the vulnerability to dictionary attacks was widely known and being exploited by attackers.

A firewall and NAT box provides a significant degree of security at low cost. NAT provides a means of concealing the internal structure of the network. This does not eliminate the possibility of attack but raises the bar significantly. If you are running a site that is considered attractive to hackers a technology that weeds out the knob turners and dimmer script kiddies has value.

What we need to move to is security in depth, recognizing that design security and operational security are different and that both are important.

Re:As I said in a previous post...

[Dudio (529949)]

I wouldn't say firewalls make people lazy; it's more a problem of people not understanding security.

These people are just as likely to say things like "I'm 3DES encrypting my data, so there's no way anybody can read it", because they fail to understand the meaning of statements like "cracking 3DES is computationally infeasible". When you try to explain to them that their webserver and applications are much more likely to be their weakness than their encryption algorithm, they give you blank looks and mutter about the Computerworld article that said 3DES is "unbreakable encryption". It's not a problem with 3DES (or any strong algorithm); it's a problem with people not understanding that any security measure can be negated by poor design in other parts of their architecture.

It's the same thing with firewalls. Only the unknowledgable would drop in a firewall and then go off to the bar to celebrate their newly "secure" network. That doesn't mean that the firewall is useless; it is still a crucial tool for securing one's network. The problem is the people who have no idea how to use the tool properly, and no concept of what a real-world attack actually looks like.

Re:As I said in a previous post...

[DarkZero (516460)]

Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.

Locks promote softer security.

"Oh, I'm OK because I have locked doors and windows..."

I think door locks make people lazy. Imagine if we didn't have deadbolts, or doors for that matter. We'd have to sit in front of the front door, with a shotgun, never sleeping for more than a few moments.

Re:As I said in a previous post...

[by Anonymous Coward]

What the heck was it doing open in the first place?

When the SQL Server 2000 client Net-Libraries connect to an instance of SQL Server
2000, only the network name of the computer running the instance and the instance
name are required. When an application requests a connection to a remote computer,
Dbnetlib.dll opens a connection to UDP port 1434 on the computer network name
specified in the connection. All computers running an instance of SQL Server 2000
listen on this port. When a client Dbnetlib.dll connects to this port, the server
returns a packet listing all the instances running on the server. For each instance,
the packet reports the server Net-Libraries and network addresses the instance is
listening on. After the Dbnetlib.dll on the application computer receives this
packet, it chooses a Net-Library that is enabled on both the application computer and
on the instance of SQL Server, and makes a connection to the address listed for that
Net-Library in the packet.

So the UDP 1434 port is open when the SQL Server is started to listen all the clients
with any IP address on this port. SQL Server only receives the packet from the client
on this port to determine which instance the client attempts to access and return the
related information of the SQL Server to the clients. Then, the clients can create
the connection to the SQL Server with the protocol enabled on the server side.

Re:As I said in a previous post...

[bwalling (195998)]

So the UDP 1434 port is open when the SQL Server is started to listen all the clients
with any IP address on this port. SQL Server only receives the packet from the client
on this port to determine which instance the client attempts to access and return the
related information of the SQL Server to the clients. Then, the clients can create
the connection to the SQL Server with the protocol enabled on the server side.

There is a difference between a port being open on the machine the service is on and the port being open to the world. You should not leave this port open to the world. If people outside your firewall need access to your internal MSSQL server, you leave TCP 1433 open to selective hosts.

Re:As I said in a previous post...

[tom.allender (217176)]

Consider a VPN dude.

Re:As I said in a previous post...

[sql*kitten (1359)]

You are filtering it out on your firewalls, aren't you? /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25. There's no reason a database server's protocol port should ever be exposed to the public Internet!

Re:As I said in a previous post...

[by Anonymous Coward]

Depends. If you're protecting your network, you are right: "allow required traffic, block everything else". If you're providing network services to others, they probably don't want to beg you everytime they need to open a port. In that case it's "filter bad traffic, allow everything else".

Re:As I said in a previous post...

[sporty (27564)]

Actually, then the firewall rules are screwed up. If there is an ISP with billions and billions of servers, the firewall should block all traffic to the servers while routing all traffic to specific subnets. Block first, allow through later.

Re:As I said in a previous post...

[silas_moeckel (234313)]

That depends on what sort of routers they are using. A lot of Cisco gear an others have overhead running ACL's (first Cisco that can do compiled is a 7200 I think) so you want to accept/deny your most common traffic first so your router dosent die when your throughput goes up.

Re:As I said in a previous post...

[caluml (551744)]

No, firewalls are for use as your needs require.
I, for instance allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's a R + D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stiffle the lab users productivity. Still, I added the block to that specfic port in the slim chance that an internal box was infected (lord knows how) that it would be a localised problem, not contributing.

I don't think you should tell people what firewall rules they should be running.

Re:As I said in a previous post...

[Fembot (442827)]

Actualy I suspect most ISP's probably operate a policy of blocking only problem ports. Imagine how annoying it would be if your ISP/coloc host blocked everything except http, telnet and smtp on the grounds that one day there might be a vunerability in some of the other services that run on other ports... I suspect they wouldnt be my coloc host for long at all

Re:As I said in a previous post...

[sql*kitten (1359)]

No reason? Really? What about distributed servers taking to a central database? Desktop software that queries a remote database? Remote administration of a remote database?

That's what VPNs are for, my friend.

Re:As I said in a previous post...

[giel (554962)]

I find it lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.

As far as I can see that's nonsense. If he or she had the worm wouldn't work as well as it did.

• Using random ports it doesn't work. You need a specific port because that's the one you know how to exploit. A different port might be closed, safe or exploitable in a different way.
• I think spoofing the return address wouldn't work very well either because the traffic payload the worm generates is caused by packets travelling between two machines. A spoofed address would cause the effect to die.

Re:As I said in a previous post...

[davew (820)]

I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

Um, like the original Internet Worm [nasa.gov] which started all this trouble in the first place? :-)

This was the incident that sparked the creation of CERT/CC [cert.org]. Every time I see another worm, I wonder why we still haven't learned [mit.edu].

Dave

been watching this all night

[h2odragon (6908)]

the fun's almost over now

Collected a packet disasembly and some urls here [freedom.org].

Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.

Re:been watching this all night

[Graspee_Leemoor (302316)]

" been watching this all night...
the fun's almost over now"

I sincerely thank you, Sir or Madam. I previously thought that I was the most sad, laughable figure in the entire world, but now, having read your post, which conjures up images of someone sitting in front of their monitor, snacks in hand, gasping in amazement at the output of tail -f on their firewall log all night, I know that there is yet hope for me.

graspee

Patch

[sql*kitten (1359)]

Microsoft released a patch [microsoft.com] for this 24th July, 2002.

Re:Patch

[by Anonymous Coward]

I found it amusing that the two current headlines on the front page under the technology section at CNN are:

Gates pledges better software security
Electronic attack slows Net

Now if they would only address security before they released their products we might not see these issues.

wow yeah!

[matth (22742)]

Where I work we ended up with quiet the excitement. Around 1am I lost connectivity on my DSL modem at my house.. and I just figured something was up with the DSL so I fooled around with that for a while.... but then I realized the data light on the hub for the DSL modem was blinking a WHOLE lot and nothing else on the hub was (ie broadcasts were coming through)... I couldn't ping our core router, nothing... YIKES! So I hiked into work... only to find that 3 machines had been compromised. A co-lo we have, and some other ones. Nothing bad mind you.. easy to fix.. install Service Pack, and then firewall the ports out.. but still.... it was interesting.. I walked into the server room and was greated with a ton of orange lights (that are normally just blinking!) That thing can really cook out the damage!

Someone really has carefully crafted this worm to try to bring down the net.. and what better time then on a Saturday morning when all admins are away and not planing to work the next day!

Re:wow yeah!

[sporty (27564)]

Someone really has carefully crafted this worm to try to bring down the net.. and what better time then on a Saturday morning when all admins are away and not planing to work the next day!

AND verisign will be down for certain hours while .org transitions to PIR/Affilias.

Re:wow yeah!

[dangermouse (2242)]

and what better time then on a Saturday morning when all admins are away and not planing to work the next day

What's it matter? It's not like you people have gone to work since last July [microsoft.com] anyway.

Ok now tell me

[vicviper (140480)]

how many quries at the root level are unnecessary. :)

Re:Ok now tell me

[DarkZero (516460)]

More today than yesterday.

First hand report

[AirLace (86148)]

Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped christmas tree is a sobering experience indeed. Needless to say I've been working since then to apply appropriate firewall rules accross our network to block port 1434. Once this blows over, it's time to start some real PostgreSQL advocacy..

Whoever puts their database server

[cscx (541332)]

Outside a firewall for no apparent reason is a tool. That being said, we live in a world of idiots. Why?

NGSSoftware alerted Microsoft to this problem on the 17th of May 2002 and
they have produced a patch that resolves these issues.

This is January 25 2003 if I'm not mistaken. Are these the same people that leave their cars unlocked with the keys in the ignition?

Re:Whoever puts their database server

[cyb97 (520582)]

Are these the same people that leave their cars unlocked with the keys in the ignition?
A real idiot would leave the car locked witht the keys in the ignition...
I guess they learn something at MSCE courses ;-)

Information about the worm

[by Anonymous Coward]

This site has a disassembly with an explanation: http://www.boredom.org/~cstone/worm-annotated.txt [boredom.org]

Whoever...

[wulffi (176311)]

Whoever puts a database outside a firewall? and then leave its external port open???

Sysadmins like that should be dragged into the street and shot.

Re:Whoever...

[radish (98371)]

I have three letters for you:

V P N

There is NO excuse for leaving BACKEND services like DBs, appservers, or whatever else visible on the public net. NONE WHATSOEVER. I work on a major website with multiple different data servers and backend applications, all distributed (and load balanced) over 4 physical sites on 2 continents. We use private circuits to handle the inter-site traffic, you could use VPN just as well. But everything vulnerable is buried from the internet behind several layers of firewall. Anything else is sheer lunacy.

Crappy admins bring this kind of attack on themselves, and alas, on the rest of us too.

best writeup

[numatrix (242325)]

Best writeup I've seen is over at iss.net [iss.net]. They were the first to update their internet status homepage alerting of the vulnerability as far as I can tell.

Some Links

[Isomer (48061)]

Reachability issues caused by the worm:
http://average.matrixnetsystems.com/Daily/markR.ht ml [matrixnetsystems.com]
http://mrtg.nac.net/switch9.oct.nac.net/3865/switc h9.oct.nac.net-3865.html [nac.net]

The advisory announcing the flaws:
http://www.nextgenss.com/advisories/mssql-udp.txt [nextgenss.com] Various disassemblies and discussions: http://www.snafu.freedom.org/tmp/1434-probe.txt [freedom.org] http://www.digitaloffense.net/worms/mssql_udp_worm / [digitaloffense.net] http://www.boredom.org/~cstone/worm-annotated.txt [boredom.org]

Writeups:
http://www.cnn.com/2003/TECH/internet/01/25/intern et.attack.ap/index.html [cnn.com]
http://news.bbc.co.uk/2/hi/technology/2693925.stm [bbc.co.uk]
http://story.news.yahoo.com/news?tmpl=story&u=/ap/ 20030125/ap_wo_en_po/na_gen_internet_attack_2 [yahoo.com]
http://bvlive01.iss.net/issEn/delivery/xforce/aler tdetail.jsp?oid=21824 [iss.net]

Collected info:

[by Anonymous Coward]

There's a stream of related info in the comments of Slashdot's Cross-Site TRACE [slashdot.org] story.

Some snippets from there:

Mabu's message says: Here's what we've been able to learn, at 4:30am Central time.

We have reason to believe that something called the "SQL Worm" is in play. Some sort of DDOS attack which creates overwhelming traffic on port 1434. This is all preliminary stuff, so take it as such but I have one link up and 3 others down.

I don't have confirmation or details on what systems are affected but we have information to indicate that the following networks are currently affected: Quest, Cable & Wireless, Broadwing, Sprint (partially). My Worldcom link seems to be unaffected (which is why I can post). Note that the connectivity interruptions may be regional but that's what we are dealing with in the South Central area of the US. This has been going on now for about 4-5 hours.

What we are seeing is a major outage due to DDOS on port 1434, on portions of the Internet backbone. At this point, the exact pattern of the outage has not been clarified.

Expect the problem to potentially be addressed when the backbone providers start filtering port 1434. However, it's taken them at least four hours to figure this out.

We just got notice (a few moments ago) that Quest finally started filtering port 1434 and everything went back up. So now we need to figure out what vulnerability this was. My information indicates that port 1434 is MS SQL server resolution service (see related CERT advisory [cert.org]. My initial impression is that while this vulnerability was discovered awhile back, someone just recently figured out a very effective exploit using the vulnerability. I am looking forward to hearing more about what people find out.

The issue currently happening, from what anyone can tell at any rate is that a flaw in MSSQL has been found, due to everyone noticing a lot of traffic on 1434.. MSSQL port anyhow, I was running MSSQL earlier and my dns crapped out ctrl+alt+del'd and saw 85% cpu used by mssql server, killed it and boom everything was okay, possibly a worm traveling around, http://internethealthreport.com/ UUnet seems absolutely destroyed ;)

I'm watching my firewall logs fill up even as I type, and all the 1434 hits are coming from different IPs... no dupes yet that I can see (maybe there are... but I'm not planning on sitting here all night reading logs).

http://www.nextgenss.com/advisories/mssql-udp.txt [nextgenss.com] is an advisory about port 1434

http://average.matrix.net/Daily/markR.html [matrix.net] shows a vivid picture of overall net health due to this

SQLServer listens to 1434 to accept incomming connections. SQLServer 7 would then normally transfer these connections to 1433 by default. SQLServer 2000 would transfer the connection to a random port.

It's best to 'hide' the SQLServer from the internet, and/or disable TCP/IP listening for SQLServer totally when it's connected to the Internet. MS also suggests SQLServer should never be exposed to the Internet directly. You can hide SQLServer (2000) directly, using the Server network utility, shipped with SQLServer. You can there first deselect TCP/IP as a protocol that's active, and if you need it, you can select 'hide' to hide the server on the internet, however it's better to disable TCP/IP totally, since you do not need it when you work with SQLServer from the same box (f.e. a website running on the same box accessing the SQLServer).

Oh, of course it should be mentioned, there is a patch for this available at MS' technet site.

http://www.kb.cert.org/vuls/id/370308 [cert.org] may be the CERT article related to this vuln.

Resent-From: mbac@romulus.netgraft.com
From: Michael Bacarella Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles
Resent-To: bugtraq@securityfocus.com
To: nylug- talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org
Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

I'm getting massive packet loss to various points on the globe. I am seeing a lot of these in my tcpdump output on each host.
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)!

Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper! I make no guarantees that this information is correct, test it out for yourself!

-- Michael Bacarella 24/7
phone: 646 641-8662
Netgraft Corporation http://netgraft.com/
"unique technologies to empower your business"
Finger email address for public key. Key fingerprint: C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

Yow! Good call /.

[JasonUCF (601670)]

I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.

Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?

I start to fire up /. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.

*clickity click*

1434? The hell is 1434. Worm?

*slashdot shows*

Ah ha! Ve haf comprehension.

*groggily shuffle off to get coffee, oooo black gold*

For what it's worth, a majority of the packets so far have been mostly US servers -- .edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.

Re:Yow! Good call /.

[caluml (551744)]

This one has surprised me most so far:
tybclbsqla02.listbuilder.com

Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.

whois listbuilder.com

Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080

Fox News

[avalys (221114)]

Heh...on the Fox News Channel's ticker, they had the following tidbit of information:

"The virus spreads using a Microsoft vulnerability known as "SQL Server""

50% from Colleges???

[Gothmolly (148874)]

About half of the sources I've seen have been either .edu sites or sites in other countries which belong to colleges (ualberta.ca, etc.). Is there some sinister corellation here? Perhaps colleges get free MS-ware, and let the students run the networks?

A bug in CISCO routers is helping to control this!

[weave (48069)]

A post to bugtraq by George William Herbert, notes that the floods caused by this worm is causing many cisco routers to shut down, which helps contain the damage ironically enough. I've seen this happen at one of my work sites that is admined by someone else. The infected box, according to MRTG, was nailing its closest router at 100 megabits/sec for about an hour, then the router itself went down. Sweet...

"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."

This will continue

[NineNine (235196)]

Worms that do this sort of thing will continue ad infinitum. The reason is that there's no financial detriment to having one of your own boxes act as a zombie and send out tons and tons of packets. None whatsoever. There's no central accountability. That's the way the Net is set up. I don't see any way around it.

Ironic timing...

[weave (48069)]

Gates pledges better software security [cnn.com] (btw, isn't this basically a repeat of what he spammed out last July?)

Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."

How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.

Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...

Example, this is what is run after an XP desktop install with SP1 at our location...

q329834 -u -n -z
q323255 -u -n -z
q329048 -u -n -z
start /wait q328310 -u -n -z
start /wait vm-sfix3 /q /r:n
start /wait q324929 /q /r:n
q329115 -u -n -z
q329390 -u -n -z
q810565 -u -n -z

It doesn't include latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running...

start /wait msjavwu.exe /q /r:n

Think that's bad? Here's some pre sp1 hotfix command lines from an earlier script..

Msjavx86.exe /c:"javatrig.exe /exe_install /l /qq" /q:a /r:n
vbs56nen /q /r:n
msxm /q /r:n
start /wait q318202 /q /c:"dahotfix /q /n"

And the syntax to install unattended is never easy to find on their site. I usually have to use google to search microsoft.com to find what I need, their search engine really sucks. Others must feel the same way since there is a dedicated google page for this at http://www.google.com/microsoft [google.com]

Re:Who did this I wonder?????

[by Anonymous Coward]

It was not Mitnick.

I investigated into this matter, and came up with the following theory.

Port 1434 = 1+4+3+4 = 12

12 is the number of the month when Steve Gibson got hired as a consultant [grc.com]. Coincidence? I think not!

SQL (alphabet numbered) = S(19) + Q(17) + L(12) = 48

48 is the number of states which are connected together on US map. That means that attack came either from Hawaii or Alaska.

Using the search on a popular site called Google, I was able to track down [google.com] the perpetrator.

So at the end we are left with one answer: Steve Gibson is just hax0ring back, in an elaborate revenge plan to outlaw port 1434 and raw sockets.

Re:What's inside ?

[AirLace (86148)]

There are no SQL commands in the worm. It just initiates a bouncing ping between two MS SQL servers that continues until the network or one of the servers is brought down. An annotated dissection of the worm is provided here [boredom.org].

Re:Turn your SQL server off?

[Zocalo (252965)]

What a pathetic overkill response.

No, it's a very reasonable one. Yes, you still need to patch, use non-blank SA passwords and the other things you suggest, but if you have an SQL server (any SQL server) directly visible to the Internet then you are either a fscking moron or have a very abnormal circumstance. A database server is a backend server, and should be completely hidden from the Internet by not one but two layers of firewalls.

Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):

Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.

Some of these networks can quite easily be different ports on the same physical firewall, but I'm limited by ASCII. Alternatively, if you have no backend servers, that segment can obviously be omitted altogether.

Firewall rulesets can, and should, apply to outbound as well as inbound traffic and allowing traffic to flow cleanly accross multiple firewalls should be limited as much as possible. At a pinch, you could put your backend servers (if any) directly on the internal LAN, and get by with a single, three port firewall, but this should be the absolute minimum setup if you are hosting connections from the Internet. Sticking a two port firewall between your network and the Internet is simply not good enough anymore.

With resonable DMZ capable firewalls available for less than $500, either as a dedicated box, or old PC running the open source apps of your choice, there is no fiscal reason for even the smallest of companies not to be secure. As ever, the real reason is lack of a clue when it comes to matters of security.