[ale] [Fwd: RE: MS SQL WORM and PORT 1434!]

Chuck Huber chuck at cehuber.org
Sat Jan 25 17:12:31 EST 2003


On Sat, Jan 25, 2003 at 04:52:13PM -0500, Geoffrey wrote:
> I'm seeing this as well at my firewall, denied of course. :)
> 
> Anyone else seeing it?  Anyone have any info on it?  21 hits against my 
> box yesterday alone.  None yet today though.

I've got it hitting my firewall.  Thus far, I have 356 hits on the
cablemodem and 342 on the DSL from a total of 525 different IP addresses.

The first hit was on Wed Jan 22 at 09:18.  The latest hit was at 17:10
today. (EST).

This shows that there's a lot of people out there deploying MS crap
on the internet not really knowing what they're doing.  It seems more
and more that security is an afterthought in the MS mantra.

Enjoy,
    - Chuck

> 
> -------- Original Message --------
> Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> Date: Sat, 25 Jan 2003 19:59:12 +1100
> From: Jeff Mills <Jeff.Mills at pocold.com.au>
> To: bugtraq at securityfocus.com
> 
> 
> >I'm getting massive packet loss to various points on the globe.
> >I am seeing a lot of these in my tcpdump output on each
> >host.
> >
> >02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
> >02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 
> >24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
> >
> >It looks like there's a worm affecting MS SQL Server which is
> >pingflooding addresses at some random sequence.
> 
> It seems you're right.
> My firewall is taking a lot of hits on port 1434 since about 4pm Australian
> Eastern Daylight Saving Time:
> 
> Jan 25 16:30:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> eth870.sa.adsl.internode.on.net:1310 (376 data bytes)
> Jan 25 16:32:35 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> dev1.cinemas.ch:1683 (376 data bytes)
> Jan 25 16:34:21 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.179.192.248:4161 (376 data bytes)
> Jan 25 16:34:41 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> sql.webcoretech.com:3113 (376 data bytes)
> Jan 25 16:34:42 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> hds-connected.hds.com:3967 (376 data bytes)
> Jan 25 16:35:34 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.95.164.23:1141 (376 data bytes)
> Jan 25 16:35:56 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 134.210.1.226:3975 (376 data bytes)
> Jan 25 16:36:54 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 211.104.36.123:2550 (376 data bytes)
> Jan 25 16:38:30 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> cts21612069172.cts.com:1031 (376 data bytes)
> Jan 25 16:38:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.109.150.210:3462 (376 data bytes)
> Jan 25 16:39:02 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 207.102.74.40:4605 (376 data bytes)
> Jan 25 16:39:05 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 66.189.0.11:4198 (376 data bytes)
> Jan 25 16:39:20 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> dnsup1.biz.rr.com:3915 (376 data bytes)
> Jan 25 16:39:50 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 211.139.140.18:3623 (376 data bytes)
> Jan 25 16:40:24 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 210.91.85.200:1113 (376 data bytes)
> Jan 25 16:40:26 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> criminal.justice.state.mn.us:1335 (376 data bytes)
> Jan 25 16:40:37 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> server4.hostu.net:1038 (376 data bytes)
> Jan 25 16:40:45 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 61.135.134.154:3935 (376 data bytes)
> 
> That is only a very small portion of the log. There are hundreds more
> entries.
> 
> -- 
> Until later: Geoffrey		esoteric at 3times25.net
> 
> The latest, most widespread virus?  Microsoft end user agreement.
> Think about it...

-- 
"The purpose of encryption is to protect good people
from bad people, not to protect bad people from the government."
     Scott McNealy, CEO Sun Microsystems
"The best way for government to control people is to remain in
   a constant threat of war." ---Karl Marx
(18 USC 242), which applies to government agents overstepping their
authority:
  "Whoever, under color of any law, statute, ordinance, regulation,
  or custom, willfully subjects any person in any State, Territory,
  or District to the deprivation of any rights, privileges, or
  immunities secured or protected by the Constitution or laws of
  the United States, . . . shall be fined under this title or
  imprisoned not more than one year, or both . . ."
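
Added example, not part of the original messages: the tallies reported in this thread (hits, distinct sources, first and last hit) computed from iplog lines in the format quoted above, matching UDP datagrams to port 1434 with the 376-byte size seen in those logs. The sample lines, the `fw` hostname and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the iplog format quoted above, including the
# mail-quoted, line-wrapped form. Addresses are documentation ranges.
SAMPLE = """\
> Jan 25 16:30:31 fw iplog[234]: UDP: dgram to port 1434 from
> 192.0.2.10:1310 (376 data bytes)
> Jan 25 16:32:35 fw iplog[234]: UDP: dgram to port 1434 from
> host-a.example.net:1683 (376 data bytes)
Jan 25 16:33:02 fw iplog[234]: UDP: dgram to port 53 from 198.51.100.7:1027 (45 data bytes)
Jan 25 16:34:21 fw iplog[234]: UDP: dgram to port 1434 from 192.0.2.10:4161 (376 data bytes)
Jan 25 16:35:00 fw iplog[234]: UDP: dgram to port 1434 from 203.0.113.5:2001 (12 data bytes)
"""

ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
    r"UDP: dgram to port (?P<dport>\d+) from "
    r"(?P<src>\S+):(?P<sport>\d+) \((?P<size>\d+) data bytes\)"
)

def unwrap(text):
    """Strip mail quote markers and rejoin entries wrapped across lines."""
    lines = [re.sub(r"^(?:>\s?)+", "", l).strip() for l in text.splitlines()]
    return " ".join(l for l in lines if l)

def summarize(text, port=1434, size=376):
    """Count datagrams to `port` with payload `size`, grouped by source."""
    hits = Counter()
    stamps = []
    for m in ENTRY.finditer(unwrap(text)):
        if int(m["dport"]) == port and int(m["size"]) == size:
            hits[m["src"]] += 1          # source as logged (name or IP)
            stamps.append(m["ts"])
    return {
        "hits": sum(hits.values()),
        "sources": len(hits),
        "first": stamps[0] if stamps else None,
        "last": stamps[-1] if stamps else None,
        "top": hits.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Sources are counted as logged, so a host that appears once by name and once by address is counted twice unless the log is written with name resolution off.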
