Port 1434/udp
-
Anybody being affected at all by the worm? I've been up all night tracking it and have a hacked-up udp port monitor installed on some unix boxen, and a friend's hacked-up Win32 monitor on a bunch of random PCs around the world. *EVERY* single one is getting udp traffic on 1434. Though there is not really any personal loss, it's quite significant that the worm's effects seem to reach all hosts on the internet. For me this started as a query to google.com that lasted over 1 second. I knew right then that something was up; Google simply does not do that. - Jason (SonorkID 100.611) The Code Project - Orange makes the art grow fonder
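Added example, not part of any post in this thread: a minimal passive monitor of the kind the opening post describes, which binds a UDP port, never replies, and tallies who is sending to it. The names `ProbeLog` and `listen` are hypothetical, and the 376-byte figure is the payload size quoted in a later post here, used only as a size heuristic.

```python
import socket
import time
from collections import Counter

WORM_PORT = 1434          # SQL Server Monitor port named in the thread
WORM_PAYLOAD_LEN = 376    # assumption: payload size quoted later in the thread

class ProbeLog:
    """Tallies unsolicited UDP datagrams per source address."""
    def __init__(self):
        self.by_source = Counter()    # every datagram seen, per sender
        self.size_match = Counter()   # datagrams whose size matches the quoted payload

    def record(self, src_ip, payload_len):
        self.by_source[src_ip] += 1
        if payload_len == WORM_PAYLOAD_LEN:
            self.size_match[src_ip] += 1

    def summary(self):
        return {
            "datagrams": sum(self.by_source.values()),
            "sources": len(self.by_source),
            "size_match_sources": sorted(self.size_match),
        }

def listen(log, host="0.0.0.0", port=WORM_PORT, seconds=60.0, sock=None):
    """Receive datagrams for `seconds`, never reply, and tally them in `log`."""
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((host, port))   # fails if a real service already owns the port
    deadline = time.monotonic() + seconds
    try:
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data, (src, _sport) = sock.recvfrom(2048)
            except socket.timeout:
                break
            log.record(src, len(data))   # length only; the payload is discarded
    finally:
        if own:
            sock.close()
    return log.summary()

if __name__ == "__main__":
    print(listen(ProbeLog()))
```

A size match alone is not proof of infection at the sender; it only separates likely worm traffic from ordinary resolution requests to the same port.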
Have a look at this to see the effect of it: http://average.matrixnetsystems.com/
If I have seen further it is by standing on the shoulders of Giants. - Isaac Newton 1676
-
A lot of you won't be able to access this site, but you can see the (dated by the time you see it) picture I took of it: http://nirgle.net/graphs.gif[^] - Jason (SonorkID 100.611) The Code Project - Orange makes the art grow fonder
-
I got a firewall notification shortly after connecting today. Promptly blocked it. Then the first site I visited (/.) had a story about a new sql server worm...
Bruce Duncan, CP#9088, CPUA 0xA1EE, Sonork 100.10030
Newest member of the CP 500 club. (At time of posting ;P ) -
Wow! Symantec is reporting the outbreak at 5:31 GMT, and the nirgle report shows the same time frame - the ramp up time is amazingly short! It looks like about ten minutes from initial release to full flood... Nobody wants to read a diary by someone who has not seen the shadow of Bubba on the prison shower wall in front of them!
Paul Watson, on BLOGS and privacy - 1/16/2003 -
I was hit by this this morning, ironically just as I was completing the SQL Server SP3 download. :rolleyes: Locked my CPU at 100% and took me twenty minutes before I noticed it (it has sent out nearly 20MB of data). :((
David Wulff http://www.davidwulff.co.uk
-
David Wulff wrote: Locked my CPU at 100% and took me twenty minutes before I noticed it (it has sent out nearly 20MB of data). Muwahahahaha!!! ALL YOUR dataBASES ARE BELONG TO US! Nobody wants to read a diary by someone who has not seen the shadow of Bubba on the prison shower wall in front of them!
Paul Watson, on BLOGS and privacy - 1/16/2003 -
Interesting - my connection is receiving a hit on 1434 from hosts all over the world at intervals from 6 seconds to a few minutes. What worm is this? Does it attack SQL Server (Port 1434/UDP is defined for SQL Server Monitor service)? Whatever it is, ZAP is blocking it nicely...:-D Nobody wants to read a diary by someone who has not seen the shadow of Bubba on the prison shower wall in front of them!
Paul Watson, on BLOGS and privacy - 1/16/2003 [EDIT] Found it - W32.SQLExp.Worm. Seems relatively harmless, but it's causing performance degradations worldwide at the moment. It exists only in memory and causes no system damage, but it does hijack the netbios system to send itself to randomly generated IP addresses. There's a patch from MS to help reduce the vulnerability to it, but usual SQL Server precautions are still required (mine's OFF). [/EDIT]
-
Well, yes, it attacks SQL Server, but MS said SP3 for SQL Server blocks it. Here: http://www.microsoft.com/presspass/press/2003/Jan03/01-25virus.asp Philip Patrick Web-site: www.stpworks.com "Two beer or not two beer?" Shakesbeer
-
This post is harsh, but after freely admitting what you have done I think you deserve it. David Wulff wrote: Locked my CPU at 100% and took me twenty minutes before I noticed it (it has sent out nearly 20MB of data). Meaning, you were part of this problem - spreading worms like tomorrow should never come? Let's see... 20MB. 376 bytes payload + header ~406 bytes. 20MB/406 ~51000 possible hosts you tried (and possibly managed) to infect. Great work! You have most certainly qualified as a Microsoft security specialist. You DID know about this MS SQL "feature", right? You also SHOULD have known that the patch has been available for over six months! You also should have known that under no circumstances whatsoever should one put a Microsoft SQL Server connected to the 'net. Any more services you have running, available for all 'net DDoSers to exploit? SMB maybe? ICQ? Sure, Microsoft are the ones ultimately responsible for this crap, destroying millions of people's lives for a while, but I think you have quite a responsibility for your computer also. Maybe there should be a driver's license on 'net connections, at least for Microsoft users...
-
My SQL-Server is behind a firewall, and I have of course had no problems :P Why do people place servers directly on the internet? :confused: - Anders Money talks, but all mine ever says is "Goodbye!"
-
Anders Molin wrote: Why do people place servers directly on the internet? Multiple reasons: They're ignorant (probably >90%), plain idiots (<3%) or they only know about Windows (>50%, often in conjunction with the previously mentioned 90%). The last group is at the devastatingly ignorant, not to say malicious, mercy of Microsoft - that used to start every service they could think of to make your "computing experience flashier" while making your computer as vulnerable and easily exploitable as possible (well, it was probably not the prime intention and concern - but as we all know it sure was and is the result). A great contributing factor is that it's only in the last year (where the rest of the computing world have a 20+ year head start) they even bothered to think about security (I here intentionally disregard Dave's VMS-based thinking used on the NT kernel, since that's a very limited group within MS that even cares/cared - not to mention it was one very small team, 12 years ago...). Since Microsoft never before cared about security, they couldn't even spell the word f-i-r-e-w-a-l-l, and from what I've heard about the XP attempt they're still quite far from understanding what it should do and how to implement it. Given these premises, combined with the ease you can install (and perhaps more importantly, NOT _un_install) whatever you want, and it immediately starts serving the world, I'm a bit surprised MS hasn't yet been served a "cease and desist" (sp?) order. But it obviously boils down to: Microsoft not designing software, just making ad-hoc hacks, and don't/didn't give a shit about security, combined with the "ease of use" that appeals to ignorant users that can't even spell security, much less know what the meaning of the word is. And for the MS zealots claiming "Microsoft has done a GREAT job of enhancing your SECURITY AND SAFETY EXPERIENCE in Windows .NET Server": 1) how many of us have a server as desktop?
2) You actually know this before it's even available on the market? Odd...
-
Well, MS do think a bit about security. I'm using their ISA Server at home, it's actually a great firewall. - Anders Money talks, but all mine ever says is "Goodbye!"
-
Anders Molin wrote: Well, MS do think a bit about security. I'm using their ISA Server at home, it's actually a great firewall. Funny, I just the other day heard the completely opposite opinion - from someone that even works for Microsoft and is a very verbal Microsoft defendant! :-)
-
About the firewall (ISA Server) or security in general? - Anders Money talks, but all mine ever says is "Goodbye!"
-
Anders Molin wrote: About the firewall (ISA Server) or security in general? ISA. For security in general he was ignorant enough to actually believe NT server/workstation was built on different kernels, therefore you got better stability by paying more for the server than for the workstation...