MS SQL Server Worm Wreaking Havoc
defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright.
If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
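The top post gives two measurable signals of an infected machine: a 376-byte UDP datagram to port 1434, and a rate of ten or more such datagrams per minute aimed at random addresses. The following is an added example, not code from the original post or from any vendor tool, showing how those two signals separate a worm host from a normal SQL Server client in flow records. The flow records, the address ranges and the size threshold for a "legitimate" discovery request are constructed assumptions for the illustration.

```python
"""
Spot worm-infected hosts in flow records for UDP/1434.

A legitimate SQL Server client sends a discovery request of a few bytes to
one or two known database hosts; the worm sprays a 376-byte datagram at
random addresses, many per minute.  Both checks below are run over
constructed sample flows.
"""
from collections import defaultdict

# (seconds, src, dst, proto, dst_port, udp_payload_bytes) -- constructed sample data
SAMPLE_FLOWS = [
    # an infected host spraying random addresses with the worm's 376-byte datagram
    *[(i * 3, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434, 376) for i in range(12)],
    # a normal client resolving its database server once, then talking TCP/1433
    (5, "10.0.0.9", "10.0.1.20", "udp", 1434, 1),
    (6, "10.0.0.9", "10.0.1.20", "tcp", 1433, 2048),
    # web traffic, irrelevant to the rules
    (7, "10.0.0.9", "203.0.113.10", "tcp", 80, 512),
]

WORM_PAYLOAD_LEN = 376   # UDP payload size reported in the post
MAX_SSRP_REQUEST = 32    # assumption: any discovery request larger than this is suspect


def spraying_sources(flows, window=60, min_distinct_dsts=10):
    """Sources that hit >= min_distinct_dsts different hosts on UDP/1434 within one window."""
    buckets = defaultdict(set)  # (src, window index) -> set of destinations
    for ts, src, dst, proto, dport, _size in flows:
        if proto == "udp" and dport == 1434:
            buckets[(src, ts // window)].add(dst)
    return sorted({src for (src, _w), dsts in buckets.items() if len(dsts) >= min_distinct_dsts})


def oversized_probe_sources(flows, max_request=MAX_SSRP_REQUEST):
    """Sources sending UDP/1434 datagrams far too large to be a discovery request."""
    return sorted({src for _ts, src, _dst, proto, dport, size in flows
                   if proto == "udp" and dport == 1434 and size > max_request})


def infected_hosts(flows):
    """Either signal alone is enough to alert on; the worm trips both."""
    return sorted(set(spraying_sources(flows)) | set(oversized_probe_sources(flows)))


if __name__ == "__main__":
    print("spraying:", spraying_sources(SAMPLE_FLOWS))
    print("oversized:", oversized_probe_sources(SAMPLE_FLOWS))
    print("infected:", infected_hosts(SAMPLE_FLOWS))
```

The distinct-destination count is the stronger of the two signals on a real network: a client that only ever talks to its own database servers never exceeds a handful of destinations, whatever its packet sizes, while a host scanning random addresses exceeds the threshold within the first minute.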
As I said in a previous post... (Score:5, Informative)
It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
You are filtering it out on your firewalls, aren't you?
This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
been watching this all night (Score:5, Informative)
Collected a packet disassembly and some urls here [freedom.org].
Everyone seems to be assuming this is a new use of an old (July) hole; I'm not certain of that. Any facts welcomed, see above url.
Patch (Score:5, Informative)
ZDNet and Yahoo stories (Score:3, Informative)
Re:As I said in a previous post... (Score:5, Informative)
You are filtering it out on your firewalls, aren't you?
Exactly. From the MS Security bulletin:
The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.
What the heck was it doing open in the first place?
Information about the worm (Score:5, Informative)
Re:As I said in a previous post... (Score:5, Informative)
I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25. There's no reason a database server's protocol port should ever be exposed to the public Internet!
Turn your SQL server off? (Score:2, Informative)
If you run Microsoft SQL Server, make sure the public internet can't access it.
What a pathetic overkill response. If you're running SQL server, make sure it's patched. When the last set of bind exploits came out no-one said "Unplug all your DNS servers", why is this any different?
SQL is easy to secure, and the guidelines are well known
And of course, patch it when patches appear
Another look at the worm (Score:3, Informative)
best writeup (Score:5, Informative)
Some Links (Score:5, Informative)
http://average.matrixnetsystems.com/Daily/markR.h
http://mrtg.nac.net/switch9.oct.nac.net/3865/swit
The advisory announcing the flaws:
http://www.nextgenss.com/advisories/mssql-udp.txt [nextgenss.com]
Various disassemblies and discussions:
http://www.snafu.freedom.org/tmp/1434-probe.txt [freedom.org]
http://www.digitaloffense.net/worms/mssql_udp_worm/ [digitaloffense.net]
http://www.boredom.org/~cstone/worm-annotated.txt [boredom.org]
Writeups:
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html [cnn.com]
http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2 [yahoo.com]
http://news.bbc.co.uk/2/hi/technology/2693925.stm [bbc.co.uk]
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824 [iss.net]
Re:As I said in a previous post... (Score:3, Informative)
Because sometimes you need to connect to SQL from somewhere outside the local LAN? For example, we have SQL passed logging services running in Sydney that connect back to a SQL server in London. Of course, inbound connections are limited to the correct address range.
Re:First hand report (Score:3, Informative)
What you really need to do is to assess which ports you need to leave open, and to which hosts they correspond. You need to block everything, and then set rules to enable only the ports/hosts that are necessary (open ports 80/443 to webserver, etc).
Otherwise, you'll be doing the same thing for the next worm.
Collected info: (Score:5, Informative)
Some snippets from there:
Re:As I said in a previous post... (Score:3, Informative)
If you limited the IP address range, then you don't have it open. You have controlled access to the resource.
Re:As I said in a previous post... (Score:5, Informative)
When the SQL Server 2000 client Net-Libraries connect to an instance of SQL Server 2000, only the network name of the computer running the instance and the instance name are required. When an application requests a connection to a remote computer, Dbnetlib.dll opens a connection to UDP port 1434 on the computer network name specified in the connection. All computers running an instance of SQL Server 2000 listen on this port. When a client Dbnetlib.dll connects to this port, the server returns a packet listing all the instances running on the server. For each instance, the packet reports the server Net-Libraries and network addresses the instance is listening on. After the Dbnetlib.dll on the application computer receives this packet, it chooses a Net-Library that is enabled on both the application computer and on the instance of SQL Server, and makes a connection to the address listed for that Net-Library in the packet.
So the UDP 1434 port is open when the SQL Server is started to listen all the clients with any IP address on this port. SQL Server only receives the packet from the client on this port to determine which instance the client attempts to access and return the related information of the SQL Server to the clients. Then, the clients can create the connection to the SQL Server with the protocol enabled on the server side.
How to get control of your box again (Score:2, Informative)
Alchemy Support
Alchemy Communications
Who said anything about turning it off? (Score:3, Informative)
Dissassembled & annotated (Score:3, Informative)
Kudos to cstone@boredom. Interesting & educational, with a nutty crunchy flavor.
Re:What's inside ? (Score:5, Informative)
Re:CNN & AP Beat Slashdot (Score:3, Informative)
If you want an non-editor-controlled story queue, with story selection subject to user moderation, try submitting/reading here [slashdot.org]; the capability is now possible on Slashdot. It's not as simple as it could be, and it's only a week old, but it works without you having to leave Slashdot.
--LP
Re:What's inside ? (Score:1, Informative)
This is inside... (Score:3, Informative)
Disassembly of the 404 bytes being sent by affected systems [freedom.org]
Re:been watching this all night (Score:1, Informative)
Re:Why would anyone use anything else? (Score:3, Informative)
Re:As I said in a previous post... (Score:5, Informative)
Re:been watching this all night (Score:4, Informative)
It starts off with 04 (the same hex byte as in my IDS signature for the Server resolution service buffer overflow everyone thinks this is) and then a bunch of padding with 0101. I myself am skeptical based on volume alone how this could be an old vulnerability, but remember, Code Red and Nimda were old too, and they didn't have any problem finding lots of new hosts very quickly.
What end of the world ? (Score:1, Informative)
Take a look at the LINX traffic statistics at
https://stats.linx.net/cgi-pub/combined?log=combi
and
https://stats.linx.net/cgi-pub/combined?log=combi
and you won't even see a glitch.
End of the world? I don't think so.
A bug in CISCO routers is helping to control this! (Score:5, Informative)
"...the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."
not quite free (Score:2, Informative)
For that, a school can install any and every MS product wherever they please. Not only that, MS supplies training and testing materials and answer keys with that. So the classes are pre-written, too, and a GTA or undergrad can run them.
So yes, MS SQL is all over the place, and they've got lab assistants and volunteers admining them.
Re:this reason (Score:2, Informative)
Re:As I said in a previous post... (Score:5, Informative)
Re:As I said in a previous post... (Score:5, Informative)
with any IP address on this port. SQL Server only receives the packet from the client on this port to determine which instance the client attempts to access and return the related information of the SQL Server to the clients. Then, the clients can create the connection to the SQL Server with the protocol enabled on the server side.
There is a difference between a port being open on the machine the service is on and the port being open to the world. You should not leave this port open to the world. If people outside your firewall need access to your internal MSSQL server, you leave TCP 1433 open to selective hosts.
It can get inside a firewall (Score:4, Informative)
Ironic timing... (Score:5, Informative)
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
How about easier ways to apply hotfixes remotely to desktop computers? (There are ways apparently, but requires installing IIS and SQL ironically, to run something called SUS.) I'd prefer the hotfix to simply have an option like '-m\\machine' to apply to domain machines in a domain admin context so I can script the installs to my tastes and needs. No need to get overly complex. Besides, I'd rather not have an IIS server at my site if I can help it. Apache runs everything. Just another damn thing to learn for something that should be simple.
Also, the hotfixes themselves only have about 10 different ways of applying at the command line unattended. How about standardizing the hotfix installers too...
Example, this is what is run after an XP desktop install with SP1 at our location...
It doesn't include latest javavm fix, which for some reason won't install right during the guirunonce part of an install, so I have to script to reboot the machine TWICE before running... Think that's bad? Here's some pre sp1 hotfix command lines from an earlier script.. And the syntax to install unattended is never easy to find on their site. I usually have to use google to search microsoft.com to find what I need, their search engine really sucks. Others must feel the same way since there is a dedicated google page for this at http://www.google.com/microsoft [google.com]
Attention! You must have SP3 or MS039!! (Score:3, Informative)
Report from Europe (Score:2, Informative)
A few things are down over here, like my university's network, but haven't noticed any major crashing.
Re:Attention! You must have SP3 or MS039!! (Score:4, Informative)
Need both MS02-034 and MS02-039. MS02-034 must be included on SP3.
Re:.org and postgress must be smiling today (Score:2, Informative)
IBM got hit hard... (Score:1, Informative)
Re:.org and postgress must be smiling today (Score:3, Informative)
Actually NONE of the root nameservers went down, either during this worm incident, or during the Oct 21 incident. The network nameservers are generally highly overprovisioned, and do a very good job of responding to every request they receive, even under abnormal load.
What happened is that the increase in network traffic saturated some of the feeds to the root name servers making it impossible for requests to reach the name servers. This is the real danger of these attacks.
And as far as blaming negligent sysadmins for not patching their servers, well, sure. But sysadmins are not the only players in this game. Companies often have policies regarding software patches and validation that restrain what a sysadmin can do. And the fact is that the sysadmin did not put the vulnerability in the software, nor is this the first time a Microsoft product has served as the vector for something like this.
dissem and NOTES (Score:2, Informative)
Microsoft hotfix testing tool (Score:2, Informative)
No they don't... (Score:2, Informative)
No [zdnet.com.au]
It [watchingmi...eahawk.com]
Doesn't. [securityoffice.net]
The site www.hotmail.com is running Microsoft-IIS/5.0 on Windows 2000.
Re:No they don't... (Score:1, Informative)
The hotmail *website* is running W2K, the email backend is still run on BSD.
Re:PostgreSQL keeps .org up /MS-SQL brings down ne (Score:3, Informative)
remote root???? Just about EVERY postgresql system runs as a normal user, how the hell do you get root out of that?
By default postgresql does NOT even support IP connections, you have to turn it on by either the -i option to postmaster or in the config file.
I think you're looking at the Mordred buffer overflows from about 5 months ago. ALL of these require a valid user account to exploit. NONE were remote. Please post the location/posting of a REMOTE for a recent release of PostgreSQL. Versions 6.X, 7.1.X and 7.2.0 do count.
BWP
!!!ATTENTION MS ADMINS!!! (Score:3, Informative)
You should be using the Microsoft Baseline Security Analyzer [microsoft.com] to ensure that ALL the machines on your network are properly patched and locked down. It's so easy to run there should be no excuse for attacks like this.
!!!ATTENTION MS ADMINS!!!
Mod parent up!!!! (Score:3, Informative)
I was just about to post the same thing! Moderators: mod this one up! People need to read this otherwise they'll think their cracked box is safe!
From securiteam.com [securiteam.com]: It can be configured such that clients can use named pipes over a NetBIOS session (TCP port 139/445) or sockets with clients connecting to TCP port 1433 or both. Whichever method is used the SQL Server will always listen on UDP port 1434. This port is designated as the Microsoft SQL Monitor port and clients will send a message to this port to dynamically discover how the client should connect to the Server.
Read further into the report. The exploits use the vulnerability in the code which listens to UDP port 1434. You can't turn this off!
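The quoted Microsoft text earlier in the thread, the securiteam excerpt just above, and the packet description in "Re:been watching this all night" (a payload starting with 04 followed by 0101 padding) all concern the same thing: the discovery exchange on UDP 1434 and how the worm's datagram differs from a legitimate one. The following is an added example, not code from the original thread, from Microsoft or from securiteam. The message-type bytes follow the SQL Server Resolution Protocol wire format; the 16-character instance-name limit used as the classifier's threshold is an assumption, and every packet in it, including the worm-shaped one, is constructed for illustration (the filler bytes are not the worm's code).

```python
"""
SQL Server Resolution Protocol (SSRP) on UDP/1434: the client sends a short
request, the server answers with a ';'-separated list of instances and the
Net-Library address for each.  This module builds both client request types,
parses the server reply, and labels a UDP/1434 payload seen on the wire as a
legitimate discovery request or an overflow-shaped one.
"""
import struct

CLNT_BCAST_EX = 0x02    # broadcast "list every instance"; the whole payload is this byte
CLNT_UCAST_EX = 0x03    # unicast "list every instance"; single byte
CLNT_UCAST_INST = 0x04  # "describe this instance": 0x04, ASCII instance name, NUL
SVR_RESP = 0x05         # server reply: 0x05, u16 little-endian length, text

MAX_INSTANCE_NAME = 16  # assumption used as the classifier threshold: names are at most 16 chars


def build_ucast_ex() -> bytes:
    """Request the full instance list from one server."""
    return bytes([CLNT_UCAST_EX])


def build_ucast_inst(instance: str) -> bytes:
    """Request the connection details for a single named instance."""
    name = instance.encode("ascii")
    if not 1 <= len(name) <= MAX_INSTANCE_NAME:
        raise ValueError("instance name must be 1..16 ASCII characters")
    return bytes([CLNT_UCAST_INST]) + name + b"\x00"


def build_svr_resp(text: str) -> bytes:
    """Frame a server response: type byte, little-endian length, body."""
    body = text.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


def parse_svr_resp(data: bytes) -> list:
    """Turn the ';'-separated response into one dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated SSRP response")
    instances = []
    for chunk in body.decode("ascii").split(";;"):   # each instance ends with ";;"
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:
            continue
        # fields alternate key;value: ServerName;HOST;InstanceName;NAME;...;tcp;1433;...
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def classify_probe(payload: bytes) -> str:
    """Label a UDP/1434 payload seen on the wire."""
    if not payload:
        return "empty"
    kind, rest = payload[0], payload[1:]
    if kind in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        return "list_instances" if not rest else "malformed"
    if kind == CLNT_UCAST_INST:
        name = rest[:-1] if rest.endswith(b"\x00") else rest
        if 0 < len(name) <= MAX_INSTANCE_NAME and all(0x20 <= b < 0x7F for b in name):
            return "describe_instance"
        # An over-long or non-printable "instance name" is the shape of the
        # resolution-service overflow; the worm's packet is 0x04 then a run of 0x01.
        return "overflow_candidate"
    return "unknown"


# --- constructed samples -------------------------------------------------
SAMPLE_RESPONSE_TEXT = (
    "ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DBHOST\\pipe\\sql\\query;;"
    "ServerName;DBHOST;InstanceName;REPORTS;IsClustered;No;"
    "Version;8.00.194;tcp;1521;;"
)
# 376-byte datagram shaped like the worm's: 0x04, 97 bytes of 0x01, then filler
# (the filler is arbitrary letters, not the worm's code).
WORM_SHAPED = bytes([CLNT_UCAST_INST]) + b"\x01" * 97
WORM_SHAPED += bytes((0x41 + i % 26) for i in range(376 - len(WORM_SHAPED)))

if __name__ == "__main__":
    for inst in parse_svr_resp(build_svr_resp(SAMPLE_RESPONSE_TEXT)):
        print(inst["InstanceName"], "tcp", inst.get("tcp"))
    for pkt in (build_ucast_ex(), build_ucast_inst("REPORTS"), WORM_SHAPED):
        print(len(pkt), classify_probe(pkt))
```

Two points follow from the code. First, the discovery reply hands any unauthenticated sender the instance names, version and the TCP port of every instance, so UDP 1434 reachable from the Internet is an enumeration problem even on a patched server, which is why the advice in the thread is to deny the port at the firewall rather than rely on the patch alone. Second, the classifier judges the whole remainder of a 0x04 request, not just the bytes before the first NUL; checking only up to a NUL would let an overflow payload with an early NUL byte pass as a normal request.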