On Sat, Jan 25, 2003 at 10:49:01AM -0500, Eric Gauthier mooed:
>
> Ok,
>
> I'm not sure if this helps at all. Our campus has two primary connections -
> the main Internet and something called Internet2. Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research
]>
Sent: Saturday, January 25, 2003 3:48 AM
Subject: Re: New worm / port 1434?
>
> On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
> > Yes, I am seeing this big time. Are you sure it's SQL server ? That's
> > normally 1433 no ? Are there any other details so
rator, ReachONE Internet
[EMAIL PROTECTED]
- Original Message -
From: "Jack Bates" <[EMAIL PROTECTED]>
To: "Eric Gauthier" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 9:35 AM
Subject: Re: New worm / port 1434?
>
> From
| To: Eric Gauthier; [EMAIL PROTECTED]
| Subject: Re: New worm / port 1434?
|
|
|
| From: "Eric Gauthier"
|
| > Woot!
| >
| > We made the front page of CNN.com:
| >
| > Electronic attack slows Internet
| > http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/in
From: "Eric Gauthier"
> Woot!
>
> We made the front page of CNN.com:
>
> Electronic attack slows Internet
> http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
>
> Guess that USD10 goes to some unnamed reporter at CNN
>
And please tell me how CodeRed was worse? I'm sorry, this
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html
Dear Eric;
On Saturday, January 25, 2003, at 10:49 AM, Eric Gauthier wrote:
Ok,
I'm not sure if this helps at all. Our campus has two primary connections -
the main Internet and something called Internet2. Internet2 has a routing
table of order 10,000 routes and includes most top-tier re
Can you give me any information about which multicast group addresses
were being attacked ?
I have seen very little sign of this worm in interdomain multicast; it
does not seem to be causing MSDP havoc the way that the RAMEN worm did.
Regards
Woot!
We made the front page of CNN.com:
Electronic attack slows Internet
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
Guess that USD10 goes to some unnamed reporter at CNN
Eric :)
On Sat, 25 Jan 2003, Eric Gauthier wrote:
>
> Ok,
>
> I'm not sure if this helps at all. Our campus has two primary connections -
> the main Internet and something called Internet2. Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research institutions
> in
Don't panic, it's all ok
"Howard Schmidt, one of President George W Bush's top cyber-security advisers,
said the FBI's National Infrastructure Protection Center and private experts at
the CERT Co-ordination Center were monitoring the attacks. "
;)
I'm monitoring too, hope you all feel better!
St
-Original Message-
From: Peter van Dijk [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 3:35 AM
To: Avleen Vig; [EMAIL PROTECTED]
Subject: Re: New worm / port 1434?
On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote:
>
> Duplicated info.. But this is an o
On Sat, 25 Jan 2003, Marshall Eubanks wrote:
> Can you give me any information about which multicast group addresses
> were being attacked ?
I didn't have any logging turned on at the time so I don't have the
addresses laying around. I just remember I had a storm of traffic trying
to go to addre
On Sat, 25 Jan 2003, Avleen Vig wrote:
>
> On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
> >
> > We are seeing this too.
> > We are seeing the gige interfaces on multiple customer aggregation
> > switches at multiple locations add several hundred Mbps each. All the
> > traffic i
Ok,
I'm not sure if this helps at all. Our campus has two primary connections -
the main Internet and something called Internet2. Internet2 has a routing
table of order 10,000 routes and includes most top-tier research institutions
in the US (and a few other places). By 1am this morning (Eas
> Anyone else dealing with this tonight? It's kind of nasty
It's very nasty, and it happened at the worst time after 17:00 GMT
so contacting customers hasn't been easy. We've deployed filters
on systems that are under attack and continue to monitor
the situation, it's caused lots of DNS issues with
On Sat, Jan 25, 2003 at 08:05:33AM +, Gary Coates wrote:
>
> Duplicated info.. But this is an old worm ;-(
>
> http://www.cert.org/advisories/CA-1996-01.html
This is not the worm that's spreading now.
Greetz, Peter
--
[EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue
This one seemed to be particularly nasty as it was generating traffic to
multicast addresses too. It caused a nice flood on the switched ethernet
segment I had a vulnerable box on. (And took out a router in the process.
Great fun.)
William Astle
finger [EMAIL PROTECTED] for further information
Note, further analysis makes me believe that the ICMP we saw immediately
beforehand was a coincidence and unrelated. The origin of the ICMP has
been traced to a customer application.
-jr
* Josh Richards <[EMAIL PROTECTED]> [20030125 00:21]:
>
> A preliminary look at some of our NetFlow data sh
I'm seeing obscene amounts of 1434/udp traffic at my transit and peering
points. I've filtered it out in both directions everywhere my network
touches the outside world. It's almost 20% of my traffic at this point.
I think I've calmed the internal storm so far, but we'll see.
I saw reference to
We had to go through each VLAN to determine which boxes were compromised,
looks like W2K SQL.
This thing is spreading fast.
-D
0. Pete Ashdown <[EMAIL PROTECTED]> farted:
>
> * Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
> >
> >It seems we have a new worm hitting Microsoft SQL ser
From: "Mike Tancsa"
>
>
> Yes, I am seeing this big time. Are you sure it's SQL server ? That's
> normally 1433 no ? Are there any other details somewhere about this ?
>
All MS SQL servers listen to 1434 regardless of the other ports they listen
on. Depending on configuration depends on what
We are seeing this too.
We are seeing the gige interfaces on multiple customer aggregation
switches at multiple locations add several hundred Mbps each. All the
traffic is destined for udp port 1434 with a randomized source address. We
are doing "ip verify unicast source reachable-via any" whic
-
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 24, 2003 11:19 PM
Subject: Re: New worm / port 1434?
>
>
> Yes, I am seeing this big time. Are you sure it's SQL serv
On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
>
> We are seeing this too.
> We are seeing the gige interfaces on multiple customer aggregation
> switches at multiple locations add several hundred Mbps each. All the
> traffic is destined for udp port 1434 with a randomized source ad
Anyone else dealing with this tonight? It's kind of nasty
-Scotty
- Original Message -
From: "Avleen Vig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?
>
> It seems we have a new worm hitting Microsoft SQL server s
On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
> Yes, I am seeing this big time. Are you sure it's SQL server ? That's
> normally 1433 no ? Are there any other details somewhere about this ?
This URL seems to explain the exploit:
http://www.nextgenss.com/advisories/mssql-u
### On Fri, 24 Jan 2003 22:59:17 -0800, Josh Richards <[EMAIL PROTECTED]>
### casually decided to expound upon [EMAIL PROTECTED] the following thoughts
### about "Re: New worm / port 1434?":
JR> * Avleen Vig <[EMAIL PROTECTED]> [20030124 22:44]:
JR> >
JR> >
Duplicated info.. But this is an old worm ;-(
http://www.cert.org/advisories/CA-1996-01.html
Pete Ashdown wrote:
* Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
It seems we have a new worm hitting Microsoft SQL server servers on port
1434.
Affirmative. Be sure to block 1434 UDP o
At 02:45 AM 1/25/2003 -0600, Jack Bates wrote:
From: "Mike Tancsa"
>
>
> Yes, I am seeing this big time. Are you sure it's SQL server ? That's
> normally 1433 no ? Are there any other details somewhere about this ?
>
All MS SQL servers listen to 1434 regardless of the other ports they listen
We were hit hard by this as well. It appears to be a buffer overflow
exploit, as blocking the ports on my router and restarting MS SQL put a stop
to it.
Thanks,
Adam Debus
Network Administrator, ReachONE Internet
[EMAIL PROTECTED]
- Original Message -
From: "Avleen Vig" <[EMAIL PROTECTE
Yep - we are seeing 3 compromised SQL boxes right now.
Mark Radabaugh
Amplex
(419) 720-3635
- Original Message -
From: "Avleen Vig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?
>
> It seems we have a new worm hittin
This may well be the exploit being used:
http://www.nextgenss.com/advisories/mssql-udp.txt
--Lloyd
On Sat, 25 Jan 2003, Dave Stewart wrote:
> Date: Sat, 25 Jan 2003 01:50:03 -0500
> From: Dave Stewart <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: New worm / por
* Avleen Vig <[EMAIL PROTECTED]> [20030124 22:44]:
>
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.
A preliminary look at some of our NetFlow data shows a suspect ICMP payload
delivered to one of our downstream colo customer boxes followed by a
70 Mbit/s burst
* Avleen Vig ([EMAIL PROTECTED]) [030124 23:50] writeth:
>
>It seems we have a new worm hitting Microsoft SQL server servers on port
>1434.
Affirmative. Be sure to block 1434 UDP on both the inbound and the
outbound. Infected servers are VERY NOISY.
At 01:32 AM 1/25/2003, you wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port
1434.
Agreed... shutting down MSSQL stopped the flood here now to find it and
remove it