[ale] [Fwd: RE: MS SQL WORM and PORT 1434!]

Denny Chambers dchambers at bugfixer.net
Mon Jan 27 04:36:17 EST 2003


I have been receiving hits on port 1433 which is listed as another 
MS-SQL port.

Geoffrey wrote:

> I'm seeing this as well at my firewall, denied of course. :)
>
> Anyone else seeing it? Anyone have any info on it? 21 hits against my 
> box yesterday alone. None yet today though.
>
> -------- Original Message --------
> Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> Date: Sat, 25 Jan 2003 19:59:12 +1100
> From: Jeff Mills <Jeff.Mills at pocold.com.au>
> To: bugtraq at securityfocus.com
>
>
>> I'm getting massive packet loss to various points on the globe.
>> I am seeing a lot of these in my tcpdump output on each
>> host.
>>
>> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
>> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 
>> udp port ms-sql-m unreachable [tos 0xc0
>>
>> It looks like there's a worm affecting MS SQL Server which is
>> pingflooding addresses at some random sequence.
>
>
> It seems you're right.
> My firewall is taking alot of hits on port 1434 since about 4pm 
> Australian
> Eastern Daylight Saving Time:
>
> Jan 25 16:30:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> eth870.sa.adsl.internode.on.net:1310 (376 data bytes)
> Jan 25 16:32:35 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> dev1.cinemas.ch:1683 (376 data bytes)
> Jan 25 16:34:21 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.179.192.248:4161 (376 data bytes)
> Jan 25 16:34:41 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> sql.webcoretech.com:3113 (376 data bytes)
> Jan 25 16:34:42 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> hds-connected.hds.com:3967 (376 data bytes)
> Jan 25 16:35:34 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.95.164.23:1141 (376 data bytes)
> Jan 25 16:35:56 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 134.210.1.226:3975 (376 data bytes)
> Jan 25 16:36:54 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 211.104.36.123:2550 (376 data bytes)
> Jan 25 16:38:30 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> cts21612069172.cts.com:1031 (376 data bytes)
> Jan 25 16:38:31 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 216.109.150.210:3462 (376 data bytes)
> Jan 25 16:39:02 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 207.102.74.40:4605 (376 data bytes)
> Jan 25 16:39:05 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 66.189.0.11:4198 (376 data bytes)
> Jan 25 16:39:20 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> dnsup1.biz.rr.com:3915 (376 data bytes)
> Jan 25 16:39:50 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 211.139.140.18:3623 (376 data bytes)
> Jan 25 16:40:24 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 210.91.85.200:1113 (376 data bytes)
> Jan 25 16:40:26 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> criminal.justice.state.mn.us:1335 (376 data bytes)
> Jan 25 16:40:37 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> server4.hostu.net:1038 (376 data bytes)
> Jan 25 16:40:45 sarkmekawk iplog[234]: UDP: dgram to port 1434 from
> 61.135.134.154:3935 (376 data bytes)
>
> That is only a very small portion of the log. There are hundreds more
> entries.
>
>
>
>
> *********************************************************
> ** P&O - Celebrating 150 Years in Australia: 1852-2002 **
> *********************************************************
>
>
>
>

 S/MIME Cryptographic Signature




More information about the Ale mailing list