Re: New worm / port 1434?

2003-01-25 Thread David G. Andersen

On Sat, Jan 25, 2003 at 10:49:01AM -0500, Eric Gauthier mooed:
> 
> Ok,
> 
> I'm not sure if this helps at all.  Our campus has two primary connections - 
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions
> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any 
> noticeable increase in our Internet2 bandwidth.  I'm throwing this out there 
> because it may indicate that the destinations for the traffic - though large - 
> aren't completely random.
> 
> Has anyone else seen this?

  It's actually fairly rational.  If you look at the size of the
I2 routing table in terms of how much of the IP space it covers,
it's a fair bit smaller than the full Internet routing table.  And
most institutions have _more_ I2 bandwidth than commodity internet
connectivity.  If the probing's roughly random, you'd expect the
I2 connection to fare better.
 
  MIT's I2 connectivity was better off than its commercial Internet
connection as well.  Our private peering link to AT&T/mediaone was
actually in great shape (DS3, very small address space).

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



Re: New worm / port 1434?

2003-01-25 Thread Curtis Maurand

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
- Original Message -
From: "Simon Lockhart" <[EMAIL PROTECTED]>
To: "Mike Tancsa" <[EMAIL PROTECTED]>
Cc: "Avleen Vig" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 3:48 AM
Subject: Re: New worm / port 1434?


>
> On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
> > Yes, I am seeing this big time.  Are you sure its SQL server ?  Thats
> > normally 1433 no ?  Are there any other details somewhere about this ?
>
> This URL seems to explain the exploit:
>
> http://www.nextgenss.com/advisories/mssql-udp.txt
>
> Simon
> --
> Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
> Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
> BBC Internet Services  | Email: [EMAIL PROTECTED]
> BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
>





Re: New worm / port 1434?

2003-01-25 Thread Adam \"Tauvix\" Debus

I'm betting they are saying that Code Red was worse because anyone who had
e-mail could receive a copy. Only a select number of IP addresses out there
are going to be running MSSQL. Personally, I agree with you, this is much
worse than Code Red...

Thanks,

Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]

- Original Message -
From: "Jack Bates" <[EMAIL PROTECTED]>
To: "Eric Gauthier" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 9:35 AM
Subject: Re: New worm / port 1434?


>
> From: "Eric Gauthier"
>
> > Woot!
> >
> > We made the front page of CNN.com:
> >
> > Electronic attack slows Internet
> > http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
> >
> > Guess that USD10 goes to some unnamed reporter at CNN
> >
> And please tell me how CodeRed was worse? I'm sorry, this just created a
> lot of Internet traffic hurting performance? That's a little underrated. But
> then again, it's a port that could be blocked and not cause severe damage.
> Block tcp/80 and people would throw a fit.
>
> *mental note: Block port 80 anytime another port must be blocked just to be
> sure.
>
> Jack Bates
> Network Engineer
> BrightNet Oklahoma
>
>





RE: New worm / port 1434?

2003-01-25 Thread Marc Maiffret

Codered was worse by the sheer number of hosts that were infected and in the
end having a lot more impact than what the SQL Sapphire worm has shown. Now
that is not to say this worm does not surpass CodeRed... however it still
has its work cut out for it.

Last I heard the number of infections ranges from 40k to 200k depending on
who you ask. Now if it's 200k that's definitely getting close to a CodeRed
level; however, even then it has another few hundred thousand infections to
go.

The flooding aspect of this worm (it tries to re-infect so fast; it DOES
NOT have a DDoS engine built into it, as some people have misleadingly
claimed) is interesting and is causing a lot of problems for networks.
However, it's also its downfall, as it saturates bandwidth to the point of
even it not being able to spread anymore.

I could go into other technical details if you like... like how codered
properly handled its data manipulation on the stack so that it could keep
running whereas Sapphire is going to end up crapping out on itself
anyways... and also it does not keep any sort of global flag to thwart off
re-infection, therefore once again hindering its ability to spread whereas
codered did keep a global atom allowing it to last longer, and infect more.
and bla bla bla.

You can read both of eEye's analysis of CodeRed and Sapphire here:
CodeRed: http://www.eeye.com/html/Research/Advisories/AL20010717.html
Sapphire: http://www.eeye.com/html/Research/Flash/AL20030125.html

First after soda then after liquor... damn alcoholics.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

P.S. Jack and Eric you might be the only ones to get this as I was having
trouble earlier posting to NANOG... feel free to forward if you think it
matters.

| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
| Jack Bates
| Sent: Saturday, January 25, 2003 9:36 AM
| To: Eric Gauthier; [EMAIL PROTECTED]
| Subject: Re: New worm / port 1434?
|
|
|
| From: "Eric Gauthier"
|
| > Woot!
| >
| > We made the front page of CNN.com:
| >
| > Electronic attack slows Internet
| > http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
| >
| > Guess that USD10 goes to some unnamed reporter at CNN
| >
| And please tell me how CodeRed was worse? I'm sorry, this just created a lot
| of Internet traffic hurting performance? That's a little underrated. But
| then again, it's a port that could be blocked and not cause severe damage.
| Block tcp/80 and people would throw a fit.
|
| *mental note: Block port 80 anytime another port must be blocked
| just to be
| sure.
|
| Jack Bates
| Network Engineer
| BrightNet Oklahoma
|
|




Re: New worm / port 1434?

2003-01-25 Thread Jack Bates

From: "Eric Gauthier"

> Woot!
>
> We made the front page of CNN.com:
>
> Electronic attack slows Internet
> http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
>
> Guess that USD10 goes to some unnamed reporter at CNN
>
And please tell me how CodeRed was worse? I'm sorry, this just created a lot
of Internet traffic hurting performance? That's a little underrated. But
then again, it's a port that could be blocked and not cause severe damage.
Block tcp/80 and people would throw a fit.

*mental note: Block port 80 anytime another port must be blocked just to be
sure.

Jack Bates
Network Engineer
BrightNet Oklahoma




Re: New worm / port 1434?

2003-01-25 Thread Len Rose

http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html




Re: New worm / port 1434?

2003-01-25 Thread Marshall Eubanks

Dear Eric;

On Saturday, January 25, 2003, at 10:49  AM, Eric Gauthier wrote:



> Ok,
>
> I'm not sure if this helps at all.  Our campus has two primary connections -
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions

I would concur.  The worm is not attacking multicasting in general, but
seems to be generating multicast traffic.
For these two statements to make sense, the IP address scanning must be
very non-random. This does not appear to be the sort of consecutive address
block scanning that the RAMEN worm did.

(BTW, this AM we have 11052 I2 routes vs 116983 in all, or about 9.4% of
the total.)

Marshall

> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any
> noticeable increase in our Internet2 bandwidth.  I'm throwing this out there
> because it may indicate that the destinations for the traffic - though large -
> aren't completely random.
>
> Has anyone else seen this?
>
> Eric :)
>
> PS: Yep - we're a university and we're a source - big surprise there...  I
> just filtered out our 200Mbps contribution to this problem in case you're
> curious...

 Regards
 Marshall Eubanks

This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624   Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html




Re: New worm / port 1434?

2003-01-25 Thread Marshall Eubanks

Can you give me any information about which multicast group addresses 
were being attacked ?

I have seen very little sign of this worm in interdomain multicast; it 
does not seem
to be causing MSDP havoc the way that the RAMEN worm did.

 Regards
 Marshall Eubanks


On Saturday, January 25, 2003, at 06:00  AM, [EMAIL PROTECTED] wrote:


> This one seemed to be particularly nasty as it was generating traffic to
> multicast addresses too. It caused a nice flood on the switched ethernet
> segment I had a vulnerable box on.  (And took out a router in the process.
> Great fun.)
>
> William Astle
> finger [EMAIL PROTECTED] for further information
>
> Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL$ P++ L+++ !E W++ !N w--- !O
> !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?



T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624   Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html




Re: New worm / port 1434?

2003-01-25 Thread Eric Gauthier

Woot!

We made the front page of CNN.com:

Electronic attack slows Internet
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html

Guess that USD10 goes to some unnamed reporter at CNN

Eric :)



Re: New worm / port 1434?

2003-01-25 Thread Stephen J. Wilcox


On Sat, 25 Jan 2003, Eric Gauthier wrote:

> 
> Ok,
> 
> I'm not sure if this helps at all.  Our campus has two primary connections - 
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions
> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any 
> noticeable increase in our Internet2 bandwidth.  I'm throwing this out there 
> because it may indicate that the destinations for the traffic - though large - 
> aren't completely random.
> 
> Has anyone else seen this?


Sources from our customers are in pockets so not a good spread of source, but the
destination is -very- random.. I'm not seeing that many packets duplicating the
same destination


Now having said that, there is some algorithm at work, perhaps the same one that
was used in the Codered worm

There are many more hits to the same /16 and same /8 as source with a general
spread over the rest of the IP space

There appears to be significantly more over 128/1 than 0/1 which is odd, although
certain /8s appear to be popular (32, 81, 53, 35, 38)

Steve


> 
> Eric :)
> 
> PS: Yep - we're a university and we're a source - big surprise there...  I 
> just filtered out our 200Mbps contribution to this problem in case you're 
> curious...
> 




Re: New worm / port 1434?

2003-01-25 Thread Stephen J. Wilcox

Don't panic, it's all ok

"Howard Schmidt, one of President George W Bush's top cyber-security advisers,
said the FBI's National Infrastructure Protection Center and private experts at
the CERT Co-ordination Center were monitoring the attacks. "

;)

I'm monitoring too, hope you all feel better!

Steve



On Sat, 25 Jan 2003 [EMAIL PROTECTED] wrote:

> 
> This one seemed to be particularly nasty as it was generating traffic to
> multicast addresses too. It caused a nice flood on the switched ethernet
> segment I had a vulnerable box on.  (And took out a router in the process.
> Great fun.)
> 
> William Astle
> finger [EMAIL PROTECTED] for further information
> 
> Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL$ P++ L+++ !E W++ !N w--- !O
> !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
> 




RE: New worm / port 1434?

2003-01-25 Thread Marcos R. Della

For those that are interested, here are a couple disassemblies of the worm.
At least it was a non-persistent worm and didn't also damage the MSSQL
servers. Could have been much worse... We could all not only be filtering
routers and cleaning up switches, we could also be explaining to customers
why their entire database of "stuff" disappeared or was stolen...


http://www.digitaloffense.net/worms/mssql_udp_worm/NOTES.TXT
http://www.boredom.org/~cstone/worm-annotated.txt
http://www.snafu.freedom.org/tmp/1434-probe.txt

Marcos
--
[EMAIL PROTECTED] | http://www.geekstyle.net



-Original Message-
From: Peter van Dijk [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 25, 2003 3:35 AM
To: Avleen Vig; [EMAIL PROTECTED]
Subject: Re: New worm / port 1434?



On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote:
> 
> Duplicated info.. But this is an old worm ;-(
> 
> http://www.cert.org/advisories/CA-1996-01.html

This is not the worm that's spreading now.

Greetz, Peter
-- 
[EMAIL PROTECTED]  |  http://www.dataloss.nl/  |  Undernet:#clue



Re: New worm / port 1434?

2003-01-25 Thread lost

On Sat, 25 Jan 2003, Marshall Eubanks wrote:

> Can you give me any information about which multicast group addresses
> were being attacked ?

I didn't have any logging turned on at the time so I don't have the
addresses laying around. I just remember I had a storm of traffic trying
to go to addresses between 224.x.x.x and 247.x.x.x - the addresses looked
fairly random though. It may have been just a result of whatever random
address algorithm was being used. Since I don't route multicast, it stayed
local to the network segment but every host on the segment saw the
traffic.

> I have seen very little sign of this worm in interdomain multicast; it
> does not seem
> to be causing MSDP havoc the way that the RAMEN worm did.
>
>   Regards
>   Marshall Eubanks
>
>
> On Saturday, January 25, 2003, at 06:00  AM, [EMAIL PROTECTED] wrote:
>
> >
> > This one seemed to be particularly nasty as it was generating traffic to
> > multicast addresses too. It caused a nice flood on the switched ethernet
> > segment I had a vulnerable box on.  (And took out a router in the
> > process.
> > Great fun.)
> >
> > William Astle
> > finger [EMAIL PROTECTED] for further information
> >
> > Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL$ P++ L+++ !E W++ !N
> > w--- !O
> > !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
> >
>
>
> T.M. Eubanks
> Multicast Technologies, Inc.
> 10301 Democracy Lane, Suite 410
> Fairfax, Virginia 22030
> Phone : 703-293-9624   Fax : 703-293-9609
> e-mail : [EMAIL PROTECTED]
> http://www.multicasttech.com
>
> Test your network for multicast :
> http://www.multicasttech.com/mt/
>   Status of Multicast on the Web  :
>   http://www.multicasttech.com/status/index.html
>

William Astle
finger [EMAIL PROTECTED] for further information

Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL$ P++ L+++ !E W++ !N w--- !O
!M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?



Re: New worm / port 1434?

2003-01-25 Thread Stephen J. Wilcox


On Sat, 25 Jan 2003, Avleen Vig wrote:

> 
> On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
> > 
> > We are seeing this too.
> > We are seeing the gige interfaces on multiple customer aggregation
> > switches at multiple locations add several hundred Mbps each.  All the
> > traffic is destined for udp port 1434 with a randomized source address. We
> > are doing "ip verify unicast source reachable-via any" which stops most of
> > the random addresses.  We've temporarily had to block udp port 1434.
> 
> USD10 to the first person who spots a CNN reporter speculating to Saddam's
> involvement.

I didn't realise he was such a computer expert!






Re: New worm / port 1434?

2003-01-25 Thread Eric Gauthier

Ok,

I'm not sure if this helps at all.  Our campus has two primary connections - 
the main Internet and something called Internet2.  Internet2 has a routing
table of order 10,000 routes and includes most top-tier research institutions
in the US (and a few other places).  By 1am this morning (Eastern US time),
all of our Internet links saturated outbound but we didn't appear to see any 
noticeable increase in our Internet2 bandwidth.  I'm throwing this out there 
because it may indicate that the destinations for the traffic - though large - 
aren't completely random.

Has anyone else seen this?

Eric :)

PS: Yep - we're a university and we're a source - big surprise there...  I 
just filtered out our 200Mbps contribution to this problem in case you're 
curious...



Re: New worm / port 1434?

2003-01-25 Thread Neil J. McRae

> Anyone else dealing with this tonight?  It's kind of nasty

It's very nasty, and it happened at the worst time, after 17:00 GMT,
so contacting customers hasn't been easy. We've deployed filters
on systems that are under attack and continue to monitor
the situation; it's caused lots of DNS issues with people using 
MS SQL as a DNS backend.

Regards,
Neil



Re: New worm / port 1434?

2003-01-25 Thread Peter van Dijk

On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote:
> 
> Duplicated info.. But this is an old worm ;-(
> 
> http://www.cert.org/advisories/CA-1996-01.html

This is not the worm that's spreading now.

Greetz, Peter
-- 
[EMAIL PROTECTED]  |  http://www.dataloss.nl/  |  Undernet:#clue



Re: New worm / port 1434?

2003-01-25 Thread lost

This one seemed to be particularly nasty as it was generating traffic to
multicast addresses too. It caused a nice flood on the switched ethernet
segment I had a vulnerable box on.  (And took out a router in the process.
Great fun.)

William Astle
finger [EMAIL PROTECTED] for further information

Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL$ P++ L+++ !E W++ !N w--- !O
!M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?



Re: New worm / port 1434?

2003-01-25 Thread Josh Richards

Note, further analysis makes me believe that the ICMP we saw immediately
beforehand was a coincidence and unrelated.  The origin of the ICMP has
been traced to a customer application.

-jr

* Josh Richards <[EMAIL PROTECTED]> [20030125 00:21]:
> 
> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
> delivered to one of our downstream colo customer boxes followed by a
> 70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
> destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
> so this was a bit out of their profile. :-)  Needless to say, we shut them
> down per a suspected security incident.  The ICMP came from 66.214.194.31 
> though that could quite easily be forged or just another compromised box.  
> We're seeing red to many networks all over the world though our network seems 
> to have quieted down a bit.  Sounds like a DDoS in the works.  
> 
> Anyone else able to corroborate/compare notes? 


Josh Richards 
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek




Re: New worm / port 1434?

2003-01-25 Thread Scott Call

I'm seeing obscene amounts of 1434/udp traffic at my transit and peering
points.  I've filtered it out in both directions everywhere my network
touches the outside world.  It's almost 20% of my traffic at this point.

I think I've calmed the internal storm so far, but we'll see.

I saw reference to an ICMP "trigger" packet.  Is there any info on this and
is it possible to filter for it w/o killing all ICMP traffic?  It'd be
nice to know I won't have any more routers or switches fall over tonight.
Colo customers seem to be the worst off, the rate limiting kills the
router or the traffic kills the backbone.  decisions, decisions...

-S



-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
"Nothing is less productive than to make more efficient what should not be
 done at all." -Peter Drucker




Re: New worm / port 1434?

2003-01-25 Thread Dr. Mosh

We had to go through each VLAN to determine which boxes were compromised,
looks like W2K SQL.

This thing is spreading fast.

-D

 0.  Pete Ashdown <[EMAIL PROTECTED]> farted:
> 
> * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
> >
> >It seems we have a new worm hitting Microsoft SQL server servers on port
> >1434.
> 
> Affirmative.  Be sure to block 1434 UDP on both the inbound and the
> outbound.  Infected servers are VERY NOISY.

-- 
--
http://www.zeromemory.com - metal for your ears.



Re: New worm / port 1434?

2003-01-25 Thread Jack Bates

From: "Mike Tancsa"

>
>
> Yes, I am seeing this big time.  Are you sure its SQL server ?  Thats
> normally 1433 no ?  Are there any other details somewhere about this ?
>


All MS SQL servers listen on 1434 regardless of the other ports they listen
on. Which other ports it uses depends on configuration (due to various
security models), but 1434 is a constant in all configurations according to
a quick search and a read of the last MS SQL vulnerability found in 7/2002.

Jack Bates
BrightNet Oklahoma




Re: New worm / port 1434?

2003-01-25 Thread Mike Leber


We are seeing this too.

We are seeing the gige interfaces on multiple customer aggregation
switches at multiple locations add several hundred Mbps each.  All the
traffic is destined for udp port 1434 with a randomized source address. We
are doing "ip verify unicast source reachable-via any" which stops most of
the random addresses.  We've temporarily had to block udp port 1434.

On Fri, 24 Jan 2003, Avleen Vig wrote:

> 
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.
> 

+- H U R R I C A N E - E L E C T R I C -+
| Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
| [EMAIL PROTECTED]   http://www.he.net |
+---+








Re: New worm / port 1434?

2003-01-25 Thread Adam \"Tauvix\" Debus

1434 is the SQL Server Resolution Service.

Unfortunately, this appears to be a whole new thing, I was unable to find
anything more recent than May of 2002 about security issues with this port.

Thanks,

Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]

- Original Message -
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 24, 2003 11:19 PM
Subject: Re: New worm / port 1434?


>
>
> Yes, I am seeing this big time.  Are you sure its SQL server ?  Thats
> normally 1433 no ?  Are there any other details somewhere about this ?
>
> At 10:32 PM 1/24/2003 -0800, Avleen Vig wrote:
>
> >It seems we have a new worm hitting Microsoft SQL server servers on port
> >1434.
>
> 
> Mike Tancsa,tel +1 519 651 3400
> Sentex Communications,   [EMAIL PROTECTED]
> Providing Internet since 1994www.sentex.net
> Cambridge, Ontario Canada   www.sentex.net/mike
>
>
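
Jack's point above that 1434/udp is constant across configurations, and
Adam's that it is the SQL Server Resolution Service, describe the same
thing: a client asks 1434/udp which TCP port a named instance is on, and
the worm's datagram is that 0x04 request with a 375-byte "name". The
Python below is an added example written for this page, not code from the
thread or from Microsoft. The one-byte 0x03 enumerate request and the 0x05
reply layout follow the protocol as Microsoft later documented it
(MC-SQLR); the two-instance reply it parses is constructed so the parser
runs offline, and DBSRV01, its instance names and ports are made up.
probe() sends real traffic and is the function to point at your own
address space when inventorying which hosts still expose the service.

```python
"""Query the SQL Server Resolution Service (1434/udp) and decode its reply."""
import socket
import struct

SSRS_PORT = 1434
CLNT_UCAST_EX = b"\x03"  # one byte: enumerate every instance on this host
SVR_RESP = 0x05           # reply opcode, followed by a 16-bit LE body length

# Constructed sample reply for offline use: two instances on one (made-up)
# host, in the ';'-separated key/value layout the service uses, each
# record terminated by ";;".
SAMPLE_BODY = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;8.00.194;tcp;2433;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrs_response(data: bytes) -> list:
    """Return one dict per advertised instance, or [] if data is not a SVR_RESP."""
    if len(data) < 3 or data[0] != SVR_RESP:
        return []
    (length,) = struct.unpack("<H", data[1:3])
    body = data[3:3 + length]
    if len(body) != length:
        return []  # truncated datagram or a length field that lies
    instances = []
    for record in body.decode("latin-1").split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # the empty tail after the final ";;"
        inst = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" in inst:
            instances.append(inst)
    return instances


def advertised_tcp_ports(instances: list) -> list:
    """The TCP listener ports the host itself reports; what an ACL has to cover."""
    ports = set()
    for inst in instances:
        if inst.get("tcp", "").isdigit():
            ports.add(int(inst["tcp"]))
    return sorted(ports)


def probe(host: str, timeout: float = 2.0) -> list:
    """Live query: sends real traffic to host:1434/udp and decodes the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRS_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []  # filtered, or no resolution service listening
    return parse_ssrs_response(data)
```

advertised_tcp_ports() is the operational payoff: the resolution service
exists because instances can sit on arbitrary TCP ports, so an ACL written
around 1433/tcp alone never described a SQL Server's exposure, while
1434/udp is the one port every such host answers on and the one the worm
hits.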





Re: New worm / port 1434?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
> 
> We are seeing this too.
> We are seeing the gige interfaces on multiple customer aggregation
> switches at multiple locations add several hundred Mbps each.  All the
> traffic is destined for udp port 1434 with a randomized source address. We
> are doing "ip verify unicast source reachable-via any" which stops most of
> the random addresses.  We've temporarily had to block udp port 1434.

USD10 to the first person who spots a CNN reporter speculating to Saddam's
involvement.



Re: New worm / port 1434?

2003-01-25 Thread K. Scott Bethke

Anyone else dealing with this tonight?  It's kind of nasty

-Scotty

- Original Message - 
From: "Avleen Vig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?


> 
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.
> 



Re: New worm / port 1434?

2003-01-25 Thread Simon Lockhart

On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
> Yes, I am seeing this big time.  Are you sure its SQL server ?  Thats 
> normally 1433 no ?  Are there any other details somewhere about this ?

This URL seems to explain the exploit:

http://www.nextgenss.com/advisories/mssql-udp.txt

Simon
-- 
Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
BBC Internet Services  | Email: [EMAIL PROTECTED] 
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: New worm / port 1434?

2003-01-25 Thread Jake Khuon

### On Fri, 24 Jan 2003 22:59:17 -0800, Josh Richards <[EMAIL PROTECTED]>
### casually decided to expound upon [EMAIL PROTECTED] the following thoughts
### about "Re: New worm / port 1434?":

JR> * Avleen Vig <[EMAIL PROTECTED]> [20030124 22:44]:
JR> > 
JR> > It seems we have a new worm hitting Microsoft SQL server servers on port
JR> > 1434.
JR> 
JR> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
JR> delivered to one of our downstream colo customer boxes followed by a
JR> 70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
JR> destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
JR> so this was a bit out of their profile. :-)  Needless to say, we shut them
JR> down per a suspected security incident.  The ICMP came from 66.214.194.31 
JR> though that could quite easily be forged or just another compromised box.  
JR> We're seeing red to many networks all over the world though our network seems 
JR> to have quieted down a bit.  Sounds like a DDoS in the works.  
JR> 
JR> Anyone else able to corroborate/compare notes? 

First attack packet came in around 2130PST.  A tcpdump reveals this:

Jan 25 00:05:49.880553 64.159.86.99.2321 > 66.166.158.240.1434:  [udp sum
ok] udp 376 (ttl 120, id 53207)
  : 4500 0194 cfd7  7811 f8e8 409f 5663  E...Ï×..x.øè@.Vc
  0010: 42a6 9ef0 0911 059a 0180 b3a1 0401 0101  B¦.ð..³¡
  0020: 0101 0101 0101 0101 0101 0101 0101 0101  
  0030: 0101 0101 0101 0101 0101 0101 0101 0101  
  0040: 0101 0101 0101 0101 0101 0101 0101 0101  
  0050: 0101 0101 0101 0101 0101 0101 0101 0101  
  0060: 0101 0101 0101 0101 0101 0101 0101 0101  
  0070: 0101 0101 0101 0101 0101 0101 01dc c9b0  .ÜÉ°
  0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae  Bëp®B.p®
  0090: 4290 9090 9090 9090 9068 dcc9 b042 b801  BhÜÉ°B¸.
  00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550  ...1ɱ.Pâý5P
  00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65  .åQh.dllhel32hke
  00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765  rnQhounthickChGe
  00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332  tTf¹llQh32.dhws2
  00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51  _f¹etQhsockf¹toQ
  00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16  hsend¾..®B.EÔPÿ.
  0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae  P.EàP.EðPÿ.P¾..®
  0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae  B=U.ìQt.¾..®
  0120: 42ff 16ff d031 c951 5150 81f1 0301 049b  Bÿ.ÿÐ1ÉQQP.ñ
  0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff  .ñQ.EÌP.EÀPÿ
  0140: 166a 116a 026a 02ff d050 8d45 c450 8b45  .j.j.j.ÿÐP.EÄP.E
  0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45  ÀPÿ..Æ.Û.ó
 ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/
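
The dump above is enough to decode the datagram by hand, but anyone
triaging flows that night wants the checks in code. The Python below is an
added example, not part of the thread and not anything Jake or eEye
published: it rebuilds the packet from the hex bytes quoted above, verifies
the IPv4 header checksum and the length fields, and classifies the payload
as a SQL Server Resolution Service request far larger than any instance-name
lookup. Two details are assumptions: the flags/fragment word at IP offset 6
is illegible in the archive and is taken as 0x0000 (tcpdump printed no DF,
and the header checksum verifies with it), and the dump stops at offset
0x160, so the last 52 payload bytes are padded with 0x01 to match the
404-byte total length (the UDP checksum is therefore not expected to
verify). The 128-byte request threshold is this example's choice, not a
protocol constant.

```python
"""Decode and classify the 1434/udp datagram quoted in the tcpdump above."""
import ipaddress
import struct

# Hex transcribed from the dump in the thread, offsets 0x000-0x15f.
# Constructed parts: the IP flags/fragment word (offset 6) is unreadable in
# the archive and assumed 0x0000; the dump ends at 0x160, so the 52 bytes
# of 0x01 padding appended below are not captured worm bytes.
DUMP_HEX = """
4500 0194 cfd7 0000 7811 f8e8 409f 5663
42a6 9ef0 0911 059a 0180 b3a1 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 01dc c9b0
42eb 0e01 0101 0101 0101 70ae 4201 70ae
4290 9090 9090 9090 9068 dcc9 b042 b801
0101 0131 c9b1 1850 e2fd 3501 0101 0550
89e5 5168 2e64 6c6c 6865 6c33 3268 6b65
726e 5168 6f75 6e74 6869 636b 4368 4765
7454 66b9 6c6c 5168 3332 2e64 6877 7332
5f66 b965 7451 6873 6f63 6b66 b974 6f51
6873 656e 64be 1810 ae42 8d45 d450 ff16
508d 45e0 508d 45f0 50ff 1650 be10 10ae
428b 1e8b 033d 558b ec51 7405 be1c 10ae
42ff 16ff d031 c951 5150 81f1 0301 049b
81f1 0101 0101 518d 45cc 508b 45c0 50ff
166a 116a 026a 02ff d050 8d45 c450 8b45
c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45
"""
PACKET = bytes.fromhex(DUMP_HEX) + b"\x01" * (404 - 352)  # constructed padding

SSRS_PORT = 1434
SSRS_CLNT_UCAST_INST = 0x04  # "which port is instance <name> on?" request
MAX_SANE_SSRS_REQUEST = 128  # example threshold; real lookups are far shorter


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum with carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum_ok(header: bytes) -> bool:
    """Summing the header with its checksum field in place gives 0xFFFF when valid."""
    return ones_complement_sum(header) == 0xFFFF


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers and return the fields a filter needs."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "ttl": ttl, "ip_id": ip_id, "sport": sport, "dport": dport,
        "ip_checksum_ok": ip_header_checksum_ok(pkt[:ihl]),
        "lengths_consistent": total_len == len(pkt) == ihl + udp_len,
        "payload": pkt[ihl + 8:ihl + udp_len],
    }


def classify_ssrs(fields: dict) -> str:
    """OTHER, SSRS_REQUEST, or SSRS_OVERFLOW (a 0x04 request far too long)."""
    payload = fields["payload"]
    if fields["dport"] != SSRS_PORT or not payload:
        return "OTHER"
    if payload[0] != SSRS_CLNT_UCAST_INST:
        return "SSRS_REQUEST"  # 0x02/0x03 enumeration requests and the like
    if len(payload) > MAX_SANE_SSRS_REQUEST:
        return "SSRS_OVERFLOW"
    return "SSRS_REQUEST"


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes: a quick look inside a blob."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs
```

Against a pcap this amounts to one parse per 1434/udp datagram. The runs
printable_runs() pulls out of this payload ("Qh.dllhel32hkernQhounthickChGetTf",
"llQh32.dhws2_f", "etQhsockf", "toQhsend") are the push-immediate fragments
visible in the dump's ASCII column: four bytes at a time they assemble
kernel32.dll, GetTickCount, ws2_32.dll, socket and sendto on the stack,
which is how the payload resolves its imports without carrying an import
table.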





Re: New worm / port 1434?

2003-01-25 Thread Gary Coates

Duplicated info.. But this is an old worm ;-(

http://www.cert.org/advisories/CA-1996-01.html

Pete Ashdown wrote:

> * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
> >
> > It seems we have a new worm hitting Microsoft SQL server servers on port
> > 1434.
>
> Affirmative.  Be sure to block 1434 UDP on both the inbound and the
> outbound.  Infected servers are VERY NOISY.









Re: New worm / port 1434?

2003-01-25 Thread Mike Tancsa

At 02:45 AM 1/25/2003 -0600, Jack Bates wrote:

> From: "Mike Tancsa"
>
> >
> >
> > Yes, I am seeing this big time.  Are you sure its SQL server ?  Thats
> > normally 1433 no ?  Are there any other details somewhere about this ?
> >
>
>
> All MS SQL servers listen on 1434 regardless of the other ports they listen
> on. Which other ports it uses depends on configuration (due to various
> security models), but 1434 is a constant in all configurations according to
> a quick search and a read of the last MS SQL vulnerability found in 7/2002.


Thanks, I have blocked the infected hosts in my customer colo space.  It's 
an eye opener how much traffic they generate on the local collision domain 
they are on :-(

---Mike

Mike Tancsa,  	  tel +1 519 651 3400
Sentex Communications, 			  [EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike



Re: New worm / port 1434?

2003-01-25 Thread Adam \"Tauvix\" Debus

We were hit hard by this as well. It appears to be a buffer overflow
exploit, as blocking the ports on my router and restarting MS SQL put a stop
to it.

Thanks,

Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]

- Original Message -
From: "Avleen Vig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 24, 2003 10:32 PM
Subject: New worm / port 1434?


>
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.
>





Re: New worm / port 1434?

2003-01-25 Thread Mark Radabaugh

Yep - we are seeing 3 compromised SQL boxes right now.

Mark Radabaugh
Amplex
(419) 720-3635

- Original Message -
From: "Avleen Vig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?


>
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.
>





Re: New worm / port 1434?

2003-01-25 Thread Lloyd Taylor

This may well be the exploit being used:

http://www.nextgenss.com/advisories/mssql-udp.txt

--Lloyd


On Sat, 25 Jan 2003, Dave Stewart wrote:

> Date: Sat, 25 Jan 2003 01:50:03 -0500
> From: Dave Stewart <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: New worm / port 1434?
> 
> 
> At 01:32 AM 1/25/2003, you wrote:
> 
> >It seems we have a new worm hitting Microsoft SQL server servers on port
> >1434.
> 
> Agreed... shutting down MSSQL stopped the flood here; now to find it and 
> remove it
> 





Re: New worm / port 1434?

2003-01-25 Thread Josh Richards

* Avleen Vig <[EMAIL PROTECTED]> [20030124 22:44]:
> 
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.

A preliminary look at some of our NetFlow data shows a suspect ICMP payload
delivered to one of our downstream colo customer boxes followed by a
70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
so this was a bit out of their profile. :-)  Needless to say, we shut them
down per a suspected security incident.  The ICMP came from 66.214.194.31 
though that could quite easily be forged or just another compromised box.  
We're seeing red to many networks all over the world though our network seems 
to have quieted down a bit.  Sounds like a DDoS in the works.  

Anyone else able to corroborate/compare notes? 

-jr



Josh Richards 
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek




Re: New worm / port 1434?

2003-01-24 Thread Pete Ashdown

* Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
>
>It seems we have a new worm hitting Microsoft SQL server servers on port
>1434.

Affirmative.  Be sure to block 1434 UDP on both the inbound and the
outbound.  Infected servers are VERY NOISY.



Re: New worm / port 1434?

2003-01-24 Thread Dave Stewart

At 01:32 AM 1/25/2003, you wrote:

> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.


Agreed... shutting down MSSQL stopped the flood here; now to find it and 
remove it