Not so cool anymore - new MS SQL Server internet worm

01-25-03, 12:32 PM  #1  X, Administrator (Thread Starter)

It's really messing up the internet today. This is why you keep up on patches and use a firewall. My firewall is getting slammed by these requests!

New worm exploiting Microsoft hole slows Internet

A new, Code Red-like DDoS worm that exploits a vulnerability in Microsoft Corporation's SQL Server slowed traffic on the Internet late Friday and early Saturday.

Dubbed "Sapphire," the worm makes use of a security hole discovered in SQL Server last July. It slowed traffic over much of the Internet, bringing some sites and services to a virtual halt.

"The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000," said a bulletin released by eEye Digital Security. "The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port. Attackers leveraging this vulnerability will be executing their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.

"The worm works by generating pseudo-random IP addresses to try to infect with its payload. The worm payload does not contain any additional malicious content (in the form of backdoors etc.); however, because of the nature of the worm and the speed at which it attempts to re-infect systems, it can potentially create a denial-of-service attack against infected networks."

Microsoft has offered a patch since shortly after the vulnerability was discovered, though it is unknown how many system administrators have applied it.

Beginning at about midnight Eastern time, the bugtraq mailing list was full of reports of "MS SQL worm destroying Internet block port 1434," with information including these comments from subscribers:

"Whatever it is, it's EXTREMELY talkative," said one. "Filled up my PIX 535's memory with its connections. And that was two infected hosts. This is nasty, just nasty."

"We can confirm it here in Toronto, Canada," said another. "Even though the effect was minimal to us, we saw many major networks disappear on the Internet."

"Lucky for us we block all MS-SQL 1434/udp traffic," said a third. "We have logged over 130,000 firewall blocked connections across 15 odd sites, and it's coming in from all over the world."

Its effects are severe, reported another. "Tier 1 backbones are reporting a bad night: routing instabilities, one major dropped most of its peering for a while, the volume from this triggers the Cisco netflow switching bug and is causing routers to lock up at places, etc."

Its denial-of-service is extremely thorough, according to a California administrator. "We're seeing large network disruption here in Los Angeles. Right now, packet loss is running at roughly 95%. (This is not a typo. I do mean ninety-five percent packet loss.)"

Another administrator spoke for many. "Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!"

Perhaps most frightening: "There are still reports of the worm successfully exploiting patched systems as well, but I have not been able to verify that."

The source of the worm could not be immediately determined. It comes at a time when cyber-terrorism has been expected in light of international tensions.


More:

http://slashdot.org/articles/03/01/2....shtml?tid=109

http://www.washingtonpost.com/wp-dyn...2003Jan25.html
01-25-03, 02:50 PM  #2  Moderator Emeritus
Probably put out by Oracle to keep people from jumping ship.
01-25-03, 03:09 PM  #3  DVD Talk Legend
My friend just called and said his company is down. So far, no calls from work for me yet.
01-25-03, 03:15 PM  #4  DVD Talk Hall of Fame
I wonder if this is why pricewatch is toast...
01-25-03, 03:20 PM  #5  X, Administrator (Thread Starter)
Try checking your orders at Dell.
01-25-03, 03:29 PM  #6  DVD Talk Legend
Noticed a slowdown last night, I was unable to access off-campus sites like this one. Couldn't even access hotmail. It is working fine now. Guess I'll ask my friend at comp. services what's up and send these links.
01-25-03, 03:32 PM  #7  DVD Talk Legend
Sprint said they couldn't help me on a cell phone today because the entire company was down due to this.
01-25-03, 04:34 PM  #8  DVD Talk Limited Edition (College Station, TX)
My university (Texas A&M) is getting hit pretty hard. The main website is up, but pretty much everything is down.

I just might wander in later to see how my servers are doing. I have one with SQL Server 2000, but I'm pretty sure I'm up to date on patches. Well, not SP3, but anything before that.
01-25-03, 04:36 PM  #9  X, Administrator (Thread Starter)
Originally posted by BigDave
I just might wander in later to see how my servers are doing. I have one with SQL Server 2000, but I'm pretty sure I'm up to date on patches. Well, not SP3, but anything before that.
You needed a particular hotfix after SP2. Sorry...
01-25-03, 05:55 PM  #10  X, Administrator (Thread Starter)
Here's a good one...

Bank of America ATMs Disrupted by Virus

SEATTLE (Reuters) - Bank of America Corp. said on Saturday that customers at a majority of its 13,000 automatic teller machines were unable to process customer transactions after a malicious computer worm nearly froze Internet traffic worldwide.

Bank of America spokeswoman Lisa Gagnon said by phone from the company's headquarters in Charlotte, North Carolina, that many, if not a majority of the No. 3 U.S. bank's ATMs were back online and that their automated banking network would recover by late Saturday.

Web traffic slowed suddenly and dramatically worldwide for hours after a fast-spreading computer worm clogged pipelines of the global network carrying data, Web pages and e-mail, officials said.

"We have been impacted, and for a while customers could not use ATMs and customer services could not access customer information," Gagnon said.

Gagnon said that the worm, which slows down computer networks by replicating rapidly and spreading to other servers, did not cause any damage to customer information, but slowed down or blocked access to that sensitive information, making transactions difficult.
01-25-03, 06:18 PM  #11  DVD Talk Limited Edition (College Station, TX)
Originally posted by X
You needed a particular hotfix after SP2. Sorry...
Yeah, I just got back from work. It looks like my server was sending out a lot of packets (more than normal). Since I can't get onto Microsoft to download SP3, I'm just disabling my system until I can bring it in from home.

Most of campus won't get it fixed until Monday or Tuesday at the earliest. Then you have to deal with the various faculty that might have installed SQL Server 2000 on their systems for whatever reasons. Those are usually our biggest problems; ie. tracking down those systems.
01-25-03, 06:18 PM  #12  DVD Talk Legend
a lot of companies are hammered by this.

i know i've spent a good portion of my day at work and on conference calls. not a pretty sight.

the at&t pipeline is messed up in a lot of areas.....ugh.
01-25-03, 07:58 PM  #13  Deftones, DVD Talk God
a friend of a friend who works for IBM in AZ said they were told to shut off all computers.
01-25-03, 08:02 PM  #14  DVD Talk Ultimate Edition (Canada)
I don't know how they can say this is a category 3... it's wreaking havoc all over. From the gamer's point of view, the army took down a lot of its servers for America's Army, and Asheron's Call 2 had an average of 50 people per server (lowest being 4) and the game servers are whacked: invisible walls, busted portals, characters stuck everywhere. 3 of the major routers still show down and have been down all day.

http://mdr.ihr.daze.net/
AOL 152.163.136.1 RED 100% ???
CERFnet East 207.252.96.3 RED 100% ???
DataX 199.190.65.3 RED 100% ???
01-25-03, 08:09 PM  #15  DVD Talk Ultimate Edition
MSN=DEAD
01-25-03, 08:11 PM  #16  X, Administrator (Thread Starter)
It's funny. I can see just when this hit the SF Bay Area.

Several firewalls I got logs from had the attacks start at 11:30 PM PST Friday night. I guess each of the IPs that sent the blocked packets have a badly protected SQL Server behind them. Hmm...
01-25-03, 08:16 PM  #17  DVD Talk Ultimate Edition
Nothing personal to anyone, but my guesstimation is that most network administrators are not worthy of the post. I used to love getting emails in tech support from people claiming to be network administrators that guaranteed they didn't have a computer brain in their head. They're just much better liars than me in interviews.
(and better spellers)
01-25-03, 08:17 PM  #18  DVD Talk Legend
This has been interesting to observe.
01-25-03, 08:37 PM  #19  gcribbs, DVD Talk Legend (Sacramento, CA)
I was talking to my brother last night and he was telling me about this. He was sure it was a worm but told me it was hitting him right and left. The servers on campus were also being hit. I guess his firewalls were working fine since he did not seem to be concerned.

I guess he was right.

he forwarded me this email

Oh, that was a new worm last night. You can read about it here:
http://www.eeye.com/html/Research/Flash/AL20030125.html
01-25-03, 09:06 PM  #20  DVD Talk Hero (Buffalo, NY)
took down our link at work to the main Sony systems
no troubleshooting programs would run all day

one of our product specialists said Sony didn't need to totally take their stuff offline, all they needed was to block the one port the worm attacks
01-25-03, 09:09 PM  #21  X, Administrator (Thread Starter)
Originally posted by mikehunt
one of our product specialists said Sony didn't need to totally take their stuff offline, all they needed was to block the one port the worm attacks
He's exactly right. And you can block the port outbound too if you want to make sure you're not part of the problem if it gets in somehow. Like from e-mail.
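Posts #1, #16 and #21 all turn on the same operational point: the worm's only vector is UDP port 1434 (the SQL Monitor port), so a firewall that denies 1434/udp both inbound and outbound stops it, and the deny log then tells you when the wave reached you, which outside hosts are spraying pseudo-random targets, and, if you also block outbound, which of your own machines are infected. The script below is an added example written for this page, not code from the thread or from eEye or Microsoft; the log lines are constructed and the PIX-style "Deny udp src ... dst ..." layout is an assumption standing in for whatever your firewall actually emits.

```python
"""
Triage firewall deny logs for SQL Monitor (1434/udp) worm traffic.

Added example for this thread; the log format and sample lines are
constructed and assumed, not taken from the original posts.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# The worm targets the SQL Server 2000 Monitor port, UDP 1434 (per the
# eEye bulletin quoted in post #1). TCP 1433 is SQL Server's data port
# and is NOT the worm's vector, so it is deliberately not matched.
SQL_MONITOR_PORT = 1434

# Constructed sample log lines (assumed PIX-like syslog layout, local time).
# Line 6 and 7 are outbound denies: an "inside" host scanning out on 1434/udp.
SAMPLE_LOG = """\
Jan 24 2003 23:29:58: %PIX-4-106023: Deny udp src outside:198.51.100.7/3621 dst inside:10.1.2.3/80 by access-group "outside_in"
Jan 24 2003 23:30:01: %PIX-4-106023: Deny udp src outside:198.51.100.7/1070 dst inside:10.1.2.3/1434 by access-group "outside_in"
Jan 24 2003 23:30:01: %PIX-4-106023: Deny udp src outside:203.0.113.9/1070 dst inside:10.1.2.4/1434 by access-group "outside_in"
Jan 24 2003 23:30:02: %PIX-4-106023: Deny udp src outside:198.51.100.7/1070 dst inside:10.1.2.9/1434 by access-group "outside_in"
Jan 24 2003 23:30:02: %PIX-4-106023: Deny udp src outside:198.51.100.7/1070 dst inside:10.1.2.77/1434 by access-group "outside_in"
Jan 24 2003 23:30:03: %PIX-4-106023: Deny udp src inside:10.1.2.50/1070 dst outside:192.0.2.200/1434 by access-group "inside_out"
Jan 24 2003 23:30:03: %PIX-4-106023: Deny udp src inside:10.1.2.50/1070 dst outside:192.0.2.17/1434 by access-group "inside_out"
Jan 24 2003 23:30:04: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4000 dst inside:10.1.2.3/1433 by access-group "outside_in"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-\d+: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)'
)


@dataclass
class Event:
    ts: datetime
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


def parse_log(text: str) -> List[Event]:
    """Parse deny lines; messages that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            proto=m["proto"].lower(),
            src_if=m["sif"], src_ip=m["sip"], src_port=int(m["sport"]),
            dst_if=m["dif"], dst_ip=m["dip"], dst_port=int(m["dport"]),
        ))
    return events


def worm_events(events: List[Event]) -> List[Event]:
    """Keep only traffic that matches the worm's vector: UDP to port 1434."""
    return [e for e in events if e.proto == "udp" and e.dst_port == SQL_MONITOR_PORT]


@dataclass
class Summary:
    first_seen: Optional[datetime]        # when the wave reached this firewall
    hits_by_source: Dict[str, int]        # blocked 1434/udp packets per source
    targets_by_source: Dict[str, int]     # distinct destinations per source
    internal_sources: List[str]           # our own hosts sending 1434/udp out
    likely_scanners: List[str]            # sources spraying many destinations


def summarize(events: List[Event], inside_if: str = "inside",
              scan_threshold: int = 3) -> Summary:
    """Aggregate 1434/udp denies. A source hitting many different hosts from
    one socket is the pseudo-random-target pattern described in post #1."""
    hits = worm_events(events)
    counts = Counter(e.src_ip for e in hits)
    targets = defaultdict(set)
    for e in hits:
        targets[e.src_ip].add(e.dst_ip)
    internal = sorted({e.src_ip for e in hits if e.src_if == inside_if})
    scanners = sorted(ip for ip, t in targets.items() if len(t) >= scan_threshold)
    return Summary(
        first_seen=min((e.ts for e in hits), default=None),
        hits_by_source=dict(counts),
        targets_by_source={ip: len(t) for ip, t in targets.items()},
        internal_sources=internal,
        likely_scanners=scanners,
    )


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print("first 1434/udp hit:", s.first_seen)
    print("hits by source:", s.hits_by_source)
    print("likely scanners:", s.likely_scanners)
    print("INFECTED INSIDE (outbound 1434/udp denied):", s.internal_sources)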
01-25-03, 09:11 PM  #22  DVD Talk Legend
Originally posted by gcribbs

Oh, that was a new worm last night. You can read about it here:
http://www.eeye.com/html/Research/Flash/AL20030125.html
From the article

Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL (Service Pack 3) that includes a fix for this vulnerability.


Originally posted by conkie
Nothing personal to any one, but my guesstimation is that most network administrators are not worthy of the post.


I agree a thousand percent. Anyone that did not believe my comments in the Mac thread, here is a classic example. Only an ignorant admin would be affected by such an attack. It appears many out there are not worthy of the post.
01-25-03, 09:24 PM  #23  X, Administrator (Thread Starter)
Yeah, I think the patch was posted around July of last year.

There is a tendency for people not to want to mess around with working production database servers though. So I understand it taking some time, but this is a lot of time.

SP3 just came out a week or so ago I believe. And that's even less apt to be installed on a db server than just a patch. Not enough feedback and experience with it yet. Nobody with a memory wants to bet their business on a MS patch.
01-25-03, 09:26 PM  #24  das Monkey, DVD Talk Hero (Atlanta, GA)
It's almost like they issue patches and service packs for a reason. It boggles the mind how many admins don't know what the hell they're doing.

das
01-25-03, 10:32 PM  #25  DVD Talk Hall of Fame
Originally posted by 4KRG
I agree a thousand percent. Anyone that did not believe my comments in the Mac thread, here is a classic example. Only an ignorant admin would be affected by such an attack. It appears many out there are not worthy of the post
Yep, or those that would rather not mess with a system that is working fine. I don't fall into that class, but those above me might. Of course, that's why it's likely I'll be taking that job before long.
Dave
