Re: New worm / port 1434?

2003-01-25 Thread Josh Richards

* Avleen Vig [EMAIL PROTECTED] [20030124 22:44]:
>
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.

A preliminary look at some of our NetFlow data shows a suspect ICMP payload
delivered to one of our downstream colo customer boxes followed by a
70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
so this was a bit out of their profile. :-)  Needless to say, we shut them
down per a suspected security incident.  The ICMP came from 66.214.194.31 
though that could quite easily be forged or just another compromised box.  
We're seeing red to many networks all over the world though our network seems 
to have quieted down a bit.  Sounds like a DDoS in the works.  

Anyone else able to corroborate/compare notes? 

-jr



Josh Richards jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
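The burst described in the post above (one colo host that normally does about 0.25 Mbit/s suddenly pushing 70 Mbit/s of udp/1434 to seemingly random destinations) is the kind of pattern that can be picked out of NetFlow automatically. The following Python is an added example, not code from this thread or from any of its posters: it runs over constructed, sampled NetFlow-style records and flags sources whose udp/1434 fan-out and bit rate both exceed assumed thresholds. The record fields, the 1:1000 sampling rate, the per-host baselines and the thresholds are all assumptions made for the example.

```python
import ipaddress
import random
from collections import defaultdict
from dataclasses import dataclass

UDP = 17
SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service, the port discussed in the thread
FANOUT_THRESHOLD = 50        # distinct udp/1434 destinations per source (assumed threshold)
RATE_MULTIPLIER = 20         # observed rate must exceed baseline by this factor (assumed)


@dataclass(frozen=True)
class Flow:
    """One sampled flow record; the field names are assumptions, not a real exporter's schema."""
    src: str
    dst: str
    proto: int
    dport: int
    octets: int


def summarize_1434(flows, window_seconds, sampling_rate):
    """Per source: distinct udp/1434 destinations, spread across /8s, and estimated bit rate."""
    dsts = defaultdict(set)
    octets = defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.dport == SQL_RESOLUTION_PORT:
            dsts[f.src].add(f.dst)
            octets[f.src] += f.octets * sampling_rate  # scale sampled octets back up
    summary = {}
    for src, dset in dsts.items():
        first_octets = {ipaddress.ip_address(d).packed[0] for d in dset}
        summary[src] = {
            "dst_count": len(dset),
            "slash8_spread": len(first_octets),   # random targets scatter across many /8s
            "bps": octets[src] * 8 / window_seconds,
        }
    return summary


def find_scanners(flows, window_seconds, sampling_rate, baseline_bps):
    """Sources that fan out to many udp/1434 destinations far above their usual rate.

    baseline_bps maps a source to its normal bit rate; a source with no known
    baseline is judged on fan-out alone.
    """
    suspects = []
    for src, s in summarize_1434(flows, window_seconds, sampling_rate).items():
        if s["dst_count"] < FANOUT_THRESHOLD:
            continue
        base = baseline_bps.get(src)
        if base is None or s["bps"] > RATE_MULTIPLIER * base:
            suspects.append((src, s))
    return suspects


def constructed_flows(seed=1):
    """Constructed sample records (not real NetFlow data) for a 10 s window, 1:1000 sampled."""
    rng = random.Random(seed)
    flows = []
    # Tenant A: a web server talking to a few clients, plus one legitimate udp/1434 lookup.
    for i in range(1, 6):
        flows.append(Flow("192.0.2.10", f"198.51.100.{i}", 6, 80, 150_000))
    flows.append(Flow("192.0.2.10", "198.51.100.7", UDP, SQL_RESOLUTION_PORT, 300))
    # Tenant B: single-datagram udp/1434 flows to 200 distinct random destinations.
    targets = set()
    while len(targets) < 200:
        targets.add(str(ipaddress.IPv4Address(rng.getrandbits(32))))
    for dst in sorted(targets):
        flows.append(Flow("192.0.2.20", dst, UDP, SQL_RESOLUTION_PORT, 404))
    return flows


# Assumed per-host baselines in bit/s (tenant B's 0.25 Mbit/s mirrors the figure in the post).
BASELINE_BPS = {"192.0.2.10": 2_000_000.0, "192.0.2.20": 250_000.0}


def report(suspects):
    """Render one log-style line per suspect."""
    return [
        f"{src}: {s['dst_count']} udp/1434 destinations across {s['slash8_spread']} /8s, "
        f"{s['bps'] / 1e6:.1f} Mbit/s"
        for src, s in suspects
    ]


if __name__ == "__main__":
    hits = find_scanners(constructed_flows(), window_seconds=10.0,
                         sampling_rate=1000, baseline_bps=BASELINE_BPS)
    for line in report(hits):
        print(line)
```

Tenant A's single udp/1434 lookup never reaches the fan-out threshold, so a normal SQL client is not flagged; tenant B trips both checks (200 destinations, roughly 65 Mbit/s against a 0.25 Mbit/s baseline). The /8 spread is reported alongside because a host whose udp/1434 destinations land in dozens of unrelated /8s is sweeping the address space rather than talking to a few database servers.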




Re: New worm / port 1434?

2003-01-25 Thread Adam "Tauvix" Debus

We were hit hard by this as well. It appears to be a buffer overflow
exploit, as blocking the ports on my router and restarting MS SQL put a stop
to it.

Thanks,

Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]

- Original Message -
From: Avleen Vig [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 24, 2003 10:32 PM
Subject: New worm / port 1434?



> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.






Re: New worm / port 1434?

2003-01-25 Thread Mike Tancsa

At 02:45 AM 1/25/2003 -0600, Jack Bates wrote:

> From: Mike Tancsa
>
> > Yes, I am seeing this big time.  Are you sure it's SQL server ?  That's
> > normally 1433 no ?  Are there any other details somewhere about this ?
>
> snip
>
> All MS SQL servers listen to 1434 regardless of the other ports they listen
> on. Which other ports it uses depends on configuration (due to various
> security models), but 1434 is a constant in all configurations according
> to a quick search and a read on the last MS SQL vulnerability found in
> 7/2002.


Thanks, I have blocked the infected hosts in my customer colo space.  It's
an eye opener how much traffic they generate on the local collision domain
they are on :-(

---Mike

Mike Tancsa,                      tel +1 519 651 3400
Sentex Communications,            [EMAIL PROTECTED]
Providing Internet since 1994     www.sentex.net
Cambridge, Ontario Canada         www.sentex.net/mike



Re: New worm / port 1434?

2003-01-25 Thread Gary Coates

Duplicated info.. But this is an old worm ;-(

http://www.cert.org/advisories/CA-1996-01.html

Pete Ashdown wrote:

> * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
>
> > It seems we have a new worm hitting Microsoft SQL server servers on port
> > 1434.
>
> Affirmative.  Be sure to block 1434 UDP on both the inbound and the
> outbound.  Infected servers are VERY NOISY.









Re: New worm / port 1434?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
>
> We are seeing this too.
> We are seeing the gige interfaces on multiple customer aggregation
> switches at multiple locations add several hundred Mbps each.  All the
> traffic is destined for udp port 1434 with a randomized source address. We
> are doing ip verify unicast source reachable-via any which stops most of
> the random addresses.  We've temporarily had to block udp port 1434.

USD10 to the first person who spots a CNN reporter speculating about Saddam's
involvement.



Re: New worm / port 1434?

2003-01-25 Thread Adam "Tauvix" Debus

1434 is the SQL Server Resolution Service.

Unfortunately, this appears to be a whole new thing; I was unable to find
anything more recent than May of 2002 about security issues with this port.

Thanks,

Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]

- Original Message -
From: Mike Tancsa [EMAIL PROTECTED]
To: Avleen Vig [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, January 24, 2003 11:19 PM
Subject: Re: New worm / port 1434?




> Yes, I am seeing this big time.  Are you sure it's SQL server ?  That's
> normally 1433 no ?  Are there any other details somewhere about this ?
>
> At 10:32 PM 1/24/2003 -0800, Avleen Vig wrote:
>
> > It seems we have a new worm hitting Microsoft SQL server servers on port
> > 1434.
>
> Mike Tancsa,                      tel +1 519 651 3400
> Sentex Communications,            [EMAIL PROTECTED]
> Providing Internet since 1994     www.sentex.net
> Cambridge, Ontario Canada         www.sentex.net/mike







Re: New worm / port 1434?

2003-01-25 Thread Jack Bates

From: Mike Tancsa

> Yes, I am seeing this big time.  Are you sure it's SQL server ?  That's
> normally 1433 no ?  Are there any other details somewhere about this ?

snip

All MS SQL servers listen to 1434 regardless of the other ports they listen
on. Which other ports it uses depends on configuration (due to various
security models), but 1434 is a constant in all configurations according
to a quick search and a read on the last MS SQL vulnerability found in
7/2002.

Jack Bates
BrightNet Oklahoma




Re: New worm / port 1434?

2003-01-25 Thread Dr. Mosh

We had to go through each VLAN to determine which boxes were compromised,
looks like W2K SQL.

This thing is spreading fast.

-D

0.  Pete Ashdown [EMAIL PROTECTED] farted:
>
> * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
>
> > It seems we have a new worm hitting Microsoft SQL server servers on port
> > 1434.
>
> Affirmative.  Be sure to block 1434 UDP on both the inbound and the
> outbound.  Infected servers are VERY NOISY.

-- 
--
http://www.zeromemory.com - metal for your ears.



Re: New worm / port 1434?

2003-01-25 Thread Scott Call

I'm seeing obscene amounts of 1434/udp traffic at my transit and peering
points.  I've filtered it out in both directions everywhere my network
touches the outside world.  It's almost 20% of my traffic at this point.

I think I've calmed the internal storm so far, but we'll see.

I saw reference to an ICMP trigger packet.  Is there any info on this and
is it possible to filter for it w/o killing all ICMP traffic?  It'd be
nice to know I won't have any more routers or switches fall over tonight.
Colo customers seem to be the worst off: the rate limiting kills the
router or the traffic kills the backbone.  decisions, decisions...

-S



-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
Nothing is less productive than to make more efficient what should not be
 done at all. -Peter Drucker




Re: New worm / port 1434?

2003-01-25 Thread Josh Richards

Note, further analysis makes me believe that the ICMP we saw immediately
beforehand was a coincidence and unrelated.  The origin of the ICMP has
been traced to a customer application.

-jr

* Josh Richards [EMAIL PROTECTED] [20030125 00:21]:
>
> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
> delivered to one of our downstream colo customer boxes followed by a
> 70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
> destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
> so this was a bit out of their profile. :-)  Needless to say, we shut them
> down per a suspected security incident.  The ICMP came from 66.214.194.31
> though that could quite easily be forged or just another compromised box.
> We're seeing red to many networks all over the world though our network seems
> to have quieted down a bit.  Sounds like a DDoS in the works.
>
> Anyone else able to corroborate/compare notes?


Josh Richards jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek




Re: New worm / port 1434?

2003-01-25 Thread Peter van Dijk

On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote:
>
> Duplicated info.. But this is an old worm ;-(
>
> http://www.cert.org/advisories/CA-1996-01.html

This is not the worm that's spreading now.

Greetz, Peter
-- 
[EMAIL PROTECTED]  |  http://www.dataloss.nl/  |  Undernet:#clue



Re: New worm / port 1434?

2003-01-25 Thread Stephen J. Wilcox


On Sat, 25 Jan 2003, Avleen Vig wrote:

> On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
> >
> > We are seeing this too.
> > We are seeing the gige interfaces on multiple customer aggregation
> > switches at multiple locations add several hundred Mbps each.  All the
> > traffic is destined for udp port 1434 with a randomized source address. We
> > are doing ip verify unicast source reachable-via any which stops most of
> > the random addresses.  We've temporarily had to block udp port 1434.
>
> USD10 to the first person who spots a CNN reporter speculating about Saddam's
> involvement.

I didn't realise he was such a computer expert!






Re: New worm / port 1434?

2003-01-25 Thread Len Rose

http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html




Re: New worm / port 1434?

2003-01-25 Thread Jack Bates

From: Eric Gauthier

> Woot!
>
> We made the front page of CNN.com:
>
> Electronic attack slows Internet
> http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
>
> Guess that USD10 goes to some unnamed reporter at CNN

And please tell me how CodeRed was worse? I'm sorry, this just created a lot
of Internet traffic hurting performance? That's a little underrated. But
then again, it's a port that could be blocked and not cause severe damage.
Block tcp/80 and people would throw a fit.

*mental note: Block port 80 anytime another port must be blocked just to be
sure.

Jack Bates
Network Engineer
BrightNet Oklahoma




RE: New worm / port 1434?

2003-01-25 Thread Marc Maiffret

Codered was worse by the sheer number of hosts that were infected and in the
end having a lot more impact than what the SQL Sapphire worm has shown. Now
that is not to say this worm does not surpass CodeRed... however it still
has its work cut out for it.

Last I heard the number of infections ranges from 40k to 200k depending on
who you ask. Now if it's 200k that's definitely getting close to a CodeRed
level however even then it has another few hundred thousand infections to
go.

The flooding aspect of this worm (it tries to re-infect so fast), it DOES
NOT have a ddos engine built into it as some people have misled, is
interesting and is causing a lot of problems for networks. However, it's also
its downfall as it saturates bandwidth to the point of even it not being
able to spread anymore.

I could go into other technical details if you like... like how codered
properly handled its data manipulation on the stack so that it could keep
running whereas Sapphire is going to end up crapping out on itself
anyways... and also it does not keep any sort of global flag to thwart off
re-infection, therefore once again hindering its ability to spread whereas
codered did keep a global atom allowing it to last longer, and infect more.
and bla bla bla.

You can read both of eEye's analysis of CodeRed and Sapphire here:
CodeRed: http://www.eeye.com/html/Research/Advisories/AL20010717.html
Sapphire: http://www.eeye.com/html/Research/Flash/AL20030125.html

First after soda then after liquor... damn alcoholics.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

P.S. Jack and Eric you might be the only ones to get this as I was having
trouble earlier posting to NANOG... feel free to forward if you think it
matters.

| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
| Jack Bates
| Sent: Saturday, January 25, 2003 9:36 AM
| To: Eric Gauthier; [EMAIL PROTECTED]
| Subject: Re: New worm / port 1434?
|
|
|
| From: Eric Gauthier
|
|  Woot!
| 
|  We made the front page of CNN.com:
| 
|  Electronic attack slows Internet
|  http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
| 
|  Guess that USD10 goes to some unnamed reporter at CNN
| 
| And please tell me how CodeRed was worse? I'm sorry, this just
| created a lot
| of Internet traffic hurting performance? That's a little underrated. But
| then again, it's a port that could be blocked and not cause severe damage.
| Block tcp/80 and people would through a fit.
|
| *mental note: Block port 80 anytime another port must be blocked
| just to be
| sure.
|
| Jack Bates
| Network Engineer
| BrightNet Oklahoma
|
|




Re: New worm / port 1434?

2003-01-25 Thread Curtis Maurand

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
- Original Message -
From: Simon Lockhart [EMAIL PROTECTED]
To: Mike Tancsa [EMAIL PROTECTED]
Cc: Avleen Vig [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, January 25, 2003 3:48 AM
Subject: Re: New worm / port 1434?



> On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
> > Yes, I am seeing this big time.  Are you sure it's SQL server ?  That's
> > normally 1433 no ?  Are there any other details somewhere about this ?
>
> This URL seems to explain the exploit:
>
> http://www.nextgenss.com/advisories/mssql-udp.txt
>
> Simon
> --
> Simon Lockhart         |   Tel: +44 (0)1628 407720  (BBC ext 37720)
> Technology Manager     |   Fax: +44 (0)1628 407701  (BBC ext 37701)
> BBC Internet Services  | Email: [EMAIL PROTECTED]
> BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK






Re: New worm / port 1434?

2003-01-25 Thread David G. Andersen

On Sat, Jan 25, 2003 at 10:49:01AM -0500, Eric Gauthier mooed:
>
> Ok,
>
> I'm not sure if this helps at all.  Our campus has two primary connections -
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions
> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any
> noticeable increase in our Internet2 bandwidth.  I'm throwing this out there
> because it may indicate that the destinations for the traffic - though large -
> aren't completely random.
>
> Has anyone else seen this?

  It's actually fairly rational.  If you look at the size of the
I2 routing table in terms of how much of the IP space it covers,
it's a fair bit smaller than the full Internet routing table.  And
most institutions have _more_ I2 bandwidth than commodity internet
connectivity.  If the probing's roughly random, you'd expect the
I2 connection to fare better.
 
  MIT's I2 connectivity was better off than its commercial Internet
connection as well.  Our private peering link to ATT/mediaone was
actually in great shape (DS3, very small address space).

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.