 
From: Robert Boyle (robert_at_TELLURIAN.COM)
Date: Sat Jan 25 2003 - 02:35:48 CST


    Everyone,

    I don't know what is causing this, but we had several customer machines
    (which we don't manage) affected tonight. The common thread is that all
    were running an unpatched MS SQL Server. This new worm seems to create
    MASSIVE network traffic which propagates outbound. Somehow it seems to be
    amplified at each of our Cisco routers. In our colo facility, we had 3
    "infected" servers on 10Base-T connections - after this traffic hit our
    core router, the traffic increased from just under 30Mbits/sec inbound from
    our colo switch to 80+Mbits/sec outbound over ALL transit and peering
    connections. I know our routers aren't smurf amplifiers and I don't know
    what caused the increased outbound traffic. Once this process is started,
    the MSSQLServer service cannot be stopped (or killed with pview). If the
    service is disabled and the server rebooted, it will not generate this
    traffic. It is not a master-slave program which requires a connection from
    outside to start the flow. Once the SQL server has been infected, no
    Internet connection is needed to continue the traffic storm even after a
    reboot. None of our managed customer machines were affected, but all of
    them are patched with current patches and none of them have 1433 exposed to
    the world either. I don't have any more detail at this time, but I plan to
    look into this worm/virus/exploit further in the AM. This seems to affect
    both MSSQL and MSDE. Does anyone else have more to add? I have seen several
    networks drop off the earth tonight as a result of this exploit.

    -Robert

    Tellurian Networks - The Ultimate Internet Connection
    http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
    "Good will, like a good name, is got by many actions, and lost by one." -
    Francis Jeffrey
