[ale] [Fwd: RE: MS SQL WORM and PORT 1434!]

Geoffrey esoteric at 3times25.net
Sat Jan 25 17:33:32 EST 2003


So I'm curious as to why you have so many hits and I have so few.  I 
assume these are not residential connections, and they possibly have 
advertised servers on them?  Maybe the worm is hitting more well known 
subnets.  Likely BellSouth more so than, say, my smaller ISP Speedfactory?

Chuck Huber wrote:
> On Sat, Jan 25, 2003 at 04:52:13PM -0500, Geoffrey wrote:
> 
>>I'm seeing this as well at my firewall, denied of course. :)
>>
>>Anyone else seeing it?  Anyone have any info on it?  21 hits against my 
>>box yesterday alone.  None yet today though.
> 
> 
> I've got it hitting my firewall.  Thus far, I have 356 hits on the
> cablemodem and 342 on the DSL from a total of 525 different IP addresses.
> 
> The first hit was on Wed Jan 22 at 09:18.  The latest hit was at 17:10
> today. (EST).
> 
> This shows that there's a lot of people out there deploying MS crap
> on the internet not really knowing what they're doing.  It seems more
> and more that security is an afterthought in the MS mantra.
> 
> Enjoy,
>     - Chuck
> 
> 
>>-------- Original Message --------
>>Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>>Date: Sat, 25 Jan 2003 19:59:12 +1100
>>From: Jeff Mills <Jeff.Mills at pocold.com.au>
>>To: bugtraq at securityfocus.com
>>
>>
>>
>>>I'm getting massive packet loss to various points on the globe.
>>>I am seeing a lot of these in my tcpdump output on each
>>>host.
>>>
>>>02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
>>>02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 
>>>24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>>>
>>>It looks like there's a worm affecting MS SQL Server which is
>>>pingflooding addresses at some random sequence.
>>
>>It seems you're right.
>>My firewall is taking a lot of hits on port 1434 since about 4pm Australian
>>Eastern Daylight Saving Time:
>>
>>Jan 25 16:30:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>eth870.sa.adsl.internode.on.net:1310 (376 data bytes)
>>Jan 25 16:32:35 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>dev1.cinemas.ch:1683 (376 data bytes)
>>Jan 25 16:34:21 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>216.179.192.248:4161 (376 data bytes)
>>Jan 25 16:34:41 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>sql.webcoretech.com:3113 (376 data bytes)
>>Jan 25 16:34:42 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>hds-connected.hds.com:3967 (376 data bytes)
>>Jan 25 16:35:34 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>216.95.164.23:1141 (376 data bytes)
>>Jan 25 16:35:56 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>134.210.1.226:3975 (376 data bytes)
>>Jan 25 16:36:54 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>211.104.36.123:2550 (376 data bytes)
>>Jan 25 16:38:30 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>cts21612069172.cts.com:1031 (376 data bytes)
>>Jan 25 16:38:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>216.109.150.210:3462 (376 data bytes)
>>Jan 25 16:39:02 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>207.102.74.40:4605 (376 data bytes)
>>Jan 25 16:39:05 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>66.189.0.11:4198 (376 data bytes)
>>Jan 25 16:39:20 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>dnsup1.biz.rr.com:3915 (376 data bytes)
>>Jan 25 16:39:50 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>211.139.140.18:3623 (376 data bytes)
>>Jan 25 16:40:24 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>210.91.85.200:1113 (376 data bytes)
>>Jan 25 16:40:26 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>criminal.justice.state.mn.us:1335 (376 data bytes)
>>Jan 25 16:40:37 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>server4.hostu.net:1038 (376 data bytes)
>>Jan 25 16:40:45 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
>>61.135.134.154:3935 (376 data bytes)
>>
>>That is only a very small portion of the log. There are hundreds more
>>entries.
>>
>>
> 
> 

-- 
Until later: Geoffrey		esoteric at 3times25.net

The latest, most widespread virus?  Microsoft end user agreement.
Think about it...

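A small detection-side helper, added here as an example and not part of the thread: it rejoins the mail-wrapped iplog entries quoted above, parses them, counts how many match the 376-byte UDP-to-1434 pattern the tcpdump output shows, and reports the number of distinct sources (the figure Chuck gives for his two links). The iplog line format is taken from the quoted entries; the sample log, host names and the `fw` hostname are constructed.

```python
import re
from collections import Counter

# Format copied from the iplog entries quoted in the thread, once a wrapped
# entry has been rejoined onto one line.
IPLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
    r"(?P<proto>\w+): dgram to port (?P<dport>\d+) from "
    r"(?P<src>\S+):(?P<sport>\d+) \((?P<size>\d+) data bytes\)$"
)
TS_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")

SLAMMER_PORT = 1434    # ms-sql-m, the MS SQL Server Resolution Service
SLAMMER_PAYLOAD = 376  # UDP payload length in the quoted tcpdump/iplog output

# Constructed sample, wrapped onto two lines per entry exactly as the mail
# client wrapped the quoted log; hosts are documentation addresses.
SAMPLE_LOG = """
Jan 25 16:30:31 fw iplog[234]: UDP: dgram to port 1434 from
host-a.example.net:1310 (376 data bytes)
Jan 25 16:30:58 fw iplog[234]: UDP: dgram to port 1434 from
192.0.2.17:4161 (376 data bytes)
Jan 25 16:31:02 fw iplog[234]: UDP: dgram to port 1434 from
host-a.example.net:2550 (376 data bytes)
Jan 25 16:31:40 fw iplog[234]: UDP: dgram to port 53 from
198.51.100.9:1038 (60 data bytes)
Jan 25 16:32:11 fw iplog[234]: UDP: dgram to port 1434 from
203.0.113.5:3935 (40 data bytes)
"""

def rejoin_wrapped(text):
    """Glue a continuation line (no leading timestamp) onto the entry before it."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_iplog(text):
    records = []
    for entry in rejoin_wrapped(text):
        m = IPLOG_RE.match(entry)
        if m:  # unparseable lines are skipped rather than guessed at
            d = m.groupdict()
            for k in ("dport", "sport", "size"):
                d[k] = int(d[k])
            records.append(d)
    return records

def summarize(records):
    """Count entries matching the worm's UDP/1434/376-byte signature, the
    distinct sources behind them, and hits per minute for a quick timeline."""
    hits = [r for r in records if r["proto"] == "UDP"
            and r["dport"] == SLAMMER_PORT and r["size"] == SLAMMER_PAYLOAD]
    return {"total": len(records), "slammer_hits": len(hits),
            "unique_sources": len({r["src"] for r in hits}),
            "per_minute": Counter(r["ts"][:-3] for r in hits)}

if __name__ == "__main__":
    print(summarize(parse_iplog(SAMPLE_LOG)))
```

Datagrams to 1434 with a different payload length (the last sample entry) are deliberately not counted, so ordinary SQL Server browser traffic is not mistaken for the worm.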
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale