SQL Server Worm

by john on January 25, 2003

From Slashdot:

defile writes “Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can’t access it. If you manage a gateway, consider dropping UDP packets sent to port 1434.” bani adds “This has effectively disabled 5 of the 13 root nameservers.”

From my router logs:

Unrecognized access from 216.11.79.7:2205 to UDP port 1434
Unrecognized access from 210.221.55.47:1067 to UDP port 1434
Unrecognized access from 146.151.30.107:2785 to UDP port 1434
Unrecognized access from 145.18.146.173:1032 to UDP port 1434
Unrecognized access from 80.245.224.166:2609 to UDP port 1434
Unrecognized access from 210.64.127.68:1992 to UDP port 1434
Unrecognized access from 211.99.103.245:3011 to UDP port 1434
etc…

Yep. SQL Server? Nope. But I fear for work.
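An added example, not part of the original post: a small Python script that reads router log lines in the format shown above and flags any destination port being probed by many unrelated sources, which is the pattern a worm leaves when infected hosts pick targets at random. The thresholds, the TCP alternative in the pattern, and the three 192.0.2.10 lines are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

# Matches the router log format shown in the post. Only UDP appears there;
# accepting TCP as well is an assumption about the same log format.
LINE_RE = re.compile(
    r"Unrecognized access from (\d{1,3}(?:\.\d{1,3}){3}):(\d+) to (UDP|TCP) port (\d+)"
)

def summarize(lines):
    """Group hits by (protocol, destination port) and track who sent them."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "slash8": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore anything that is not an access line
        src, _sport, proto, dport = m.groups()
        entry = stats[(proto, int(dport))]
        entry["hits"] += 1
        entry["sources"].add(src)
        entry["slash8"].add(src.split(".")[0])  # first octet = /8 network
    return stats

def scan_candidates(stats, min_sources=5, min_slash8=4):
    """Ports hit by many sources spread over many /8 networks.

    Both thresholds are illustrative assumptions, not tuned values.
    """
    return sorted(
        key for key, e in stats.items()
        if len(e["sources"]) >= min_sources and len(e["slash8"]) >= min_slash8
    )

# First seven lines are the ones quoted in the post; the 192.0.2.10 lines are
# constructed to show a single chatty host that should not be flagged.
SAMPLE = """\
Unrecognized access from 216.11.79.7:2205 to UDP port 1434
Unrecognized access from 210.221.55.47:1067 to UDP port 1434
Unrecognized access from 146.151.30.107:2785 to UDP port 1434
Unrecognized access from 145.18.146.173:1032 to UDP port 1434
Unrecognized access from 80.245.224.166:2609 to UDP port 1434
Unrecognized access from 210.64.127.68:1992 to UDP port 1434
Unrecognized access from 211.99.103.245:3011 to UDP port 1434
Unrecognized access from 192.0.2.10:137 to UDP port 137
Unrecognized access from 192.0.2.10:137 to UDP port 137
Unrecognized access from 192.0.2.10:137 to UDP port 137
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for proto, port in scan_candidates(stats):
        e = stats[(proto, port)]
        print(f"{proto}/{port}: {e['hits']} hits from {len(e['sources'])} "
              f"sources in {len(e['slash8'])} /8 networks")
```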

{ 1 comment }

Henry January 25, 2003 at 1:13 pm

We’re on UUNET and access to and from the Internet appears to be OK. So far so good…
