Naughty Naughty analysis :)

You should be ok if an infected SQL server is not on your subnet.

We saw internal and border routers today hitting 80 and 100% utilization, in addition 
to firewalls taking a massive beating. 

As I stated before, although you are not infected yourself, you still have to deny 
all of those packets heading your way. 

Danny


On 25/Jan/2003 14:45:11, Vital Touch DJs wrote:
> You will be alright if you are using MySQL.  MySQL uses Port 3306 for all
> communication, unlike the port 1434 that MS SQL uses, and the port that was
> meant to be attacked.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> Of Rodney Richison
> Sent: Saturday, January 25, 2003 2:32 PM
> To: sambar List Member
> Subject: [sambar] OffTopic: New Round of UDP Port 1434 Scans {03}
> 
> 
> Striving for clarity. If you're running mysql and not M$ sql, you should be
> ok?
> 
> 
> Highest Regards
> Rodney Richison
> 918-358-1111
> www.rcrnet.net
> ----- Original Message -----
> From: "Danny Mallory" <[EMAIL PROTECTED]>
> To: "sambar List Member" <[EMAIL PROTECTED]>
> Sent: Saturday, January 25, 2003 1:23 PM
> Subject: [sambar] OffTopic: New Round of UDP Port 1434 Scans {02}
> 
> 
> > We have already been involved in this ourselves. It appears that any SQL
> > server 2k missing at least MS02-061 (cumulative) does not contain patches
> > for MS02-039 (several vulnerabilities). This specific hole exploits the
> > vulnerability with the keep alive mechanism.
> >
> > Although all of our SQL instances are in good shape, be prepared for some
> > network saturation... Not as ugly as Nimda but it is already known to have
> > created denial of services for other boxes in that subnet.
> >
> > Danny
> >
> > On 25/Jan/2003 09:56:36, Jeff Adams  wrote:
> > > This morning I woke up to find hundreds and hundreds of UDP port scans
> > > for port 1434 (all blocked, of course).  I thought that was odd so I
> > > looked up what runs on port 1434 and found that's what Microsoft's SQL
> > > server uses.  A couple minutes later I browsed to Yahoo! and saw a news
> > > story (below) that explained my scans.
> > >
> > > -Jeff
> > >
> > >
> > > http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2
> > >
> > > Internet traffic broadly affected by electronic attack
> > > Sat Jan 25, 6:07 AM ET
> > >
> > > By TED BRIDIS, Associated Press Writer
> > >
> > > WASHINGTON - Traffic on the many parts of the Internet slowed
> > > dramatically early Saturday, the apparent effects of a fast-spreading,
> > > virus-like infection in the world's digital pipelines and interfering
> > > with Web browsing and delivery of e-mail.
> > >
> > > Sites monitoring the health of the Internet reported significant
> > > slowdowns globally. Experts said the latest electronic attack bore
> > > remarkable similarities to "Code Red" virus during the summer of 2001
> > > which also ground traffic to a halt on much of the Internet.
> > >
> > > "It's not debilitating," said Howard Schmidt, one of President George W.
> > > Bush's top cyber-security advisers. "Everybody seems to be getting it
> > > under control." Schmidt said the FBI's National Infrastructure Protection
> > > Center and private experts at the CERT Coordination Center were
> > > monitoring the attacks.
> > >
> > > The virus-like attack sought out vulnerable computers to infect on the
> > > Internet using a known flaw in popular database software from Microsoft
> > > Corp., called "SQL Server." But the attacking software code was scanning
> > > for victim computers so randomly and so aggressively sending out
> > > thousands of probes each second that it overwhelmed many Internet data
> > > pipelines.
> > >
> > > "This is like Code Red all over again," said Marc Maiffret, an executive
> > > with eEye Digital Security, whose engineers were among the earliest to
> > > study samples of the attack software. "The sheer number of attacks is
> > > eating up so much bandwidth that normal operations can't take place."
> > >
> > > The attack sought to take advantage of a software flaw discovered in
> > > July 2002 that permits hackers to infect corporate database servers.
> > > Microsoft deemed the problem "critical" and offered a free repairing
> > > patch, but it was impossible to know how many computer administrators
> > > applied the fix.
> > >
> > > "People need to do a better job about fixing vulnerabilities," Schmidt
> > > said.
> > > -------------------------------------------------------
> > > To unsubscribe please go to http://www.sambar.ch/list/