We have already been involved in this ourselves. It appears that any SQL server 2k 
missing at least MS02-061 (cumulative) does not contain patches for MS02-039 (several 
vulnerabilities). This specific hole exploits the vulnerability with the keep alive 
mechanism.

Although all of our SQL instances are in good shape, be prepared for some network 
saturation... Not as ugly as Nimda but it is already known to have created denial of 
services for other boxes in that subnet.

Danny

On 25/Jan/2003 09:56:36, Jeff Adams  wrote:
> This morning I woke up to find hundreds and hundreds of UDP port scans for 
> port 1434 (all blocked, of course).  I thought that was odd so I looked up 
> what runs on port 1434 and found that's what Microsoft's SQL server 
> uses.  A couple minutes later I browsed to Yahoo! and saw a news story 
> (below) that explained my scans.
> 
> -Jeff
> 
> 
> http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2
> 
> Internet traffic broadly affected by electronic attack
> Sat Jan 25, 6:07 AM ET
> 
> By TED BRIDIS, Associated Press Writer
> 
> WASHINGTON - Traffic on the many parts of the Internet slowed dramatically 
> early Saturday, the apparent effects of a fast-spreading, virus-like 
> infection in the world's digital pipelines and interfering with Web 
> browsing and delivery of e-mail.
> 
> Sites monitoring the health of the Internet reported significant slowdowns 
> globally. Experts said the latest electronic attack bore remarkable 
> similarities to "Code Red" virus during the summer of 2001 which also 
> ground traffic to a halt on much of the Internet.
> 
> "It's not debilitating," said Howard Schmidt, one of President George W. 
> Bush's top cyber-security advisers. "Everybody seems to 
> be getting it under control." Schmidt said the FBI's 
> National Infrastructure Protection Center and private experts at the CERT 
> Coordination Center were monitoring the attacks.
> 
> The virus-like attack sought out vulnerable computers to infect on the 
> Internet using a known flaw in popular database software from Microsoft 
> Corp., called "SQL Server." But the attacking software code was scanning 
> for victim computers so randomly and so aggressively sending out thousands 
> of probes each second that it overwhelmed many Internet data pipelines.
> 
> "This is like Code Red all over again," said Marc Maiffret, an executive 
> with eEye Digital Security, whose engineers were among the earliest to 
> study samples of the attack software. "The sheer number of attacks is 
> eating up so much bandwidth that normal operations can't take place."
> 
> The attack sought to take advantage of a software flaw discovered in July 
> 2002 that permits hackers to infect corporate database servers. Microsoft 
> deemed the problem "critical" and offered a free repairing patch, but it 
> was impossible to know how many computer administrators applied the fix.
> 
> "People need to do a better job about fixing vulnerabilities," Schmidt said. 
> -------------------------------------------------------
> To unsubscribe please go to http://www.sambar.ch/list/
> 
> 
> 