Heads-up
snowy
January 25th, 2003, 02:33 AM
Just a precaution to others
in the past 20 minutes my udp port 1434 has been hit 92 times for a large assortment of addresses.
this by any means is very odd......just began
snowy
January 25th, 2003, 02:38 AM
in the brief time it took to post....then recheck log...the number had climbed to 138.........all udp port 1434 to some other udp port.............it's like a massive DoS attack
puff-m-d
January 25th, 2003, 03:10 AM
snowy,
Interesting indeed...... I have been hit 155 times in the last 2 hours on port 1434.....
03:10:10 [PortRef] 1434: MS-SQL-M - Microsoft-SQL-Monitor
The above is the info I get thru TDS on port 1434.....
Regards,
Kent
snowy
January 25th, 2003, 03:41 AM
KENT
as you know for months we have endured being hit on port 1433 (netbiosname)..........but never have I had as numerous a hit log on udp port 1434..........and the sudden way it began makes it hard put for me to believe a "timed" virus is at work here..
at the moment the attack has all but disappeared.....only four hits since my last post.
If you have ever had a bad day.....for me it's been "one of those" and I am just not in a mood for this sort of frivolous attack.........if it's just infected computers the users of those computers have a responsibility to others......after months of this nonsense surely it should have been stopped......kinda tells you how the situation really is.
Nick
January 25th, 2003, 04:11 AM
I've been hit 44 times in the last 2 hours on port 1434. No other type of alerts in my log.
puff-m-d
January 25th, 2003, 04:13 AM
Still being 'probed' here ??? .
Another 65 hits on me in the last hour >:( .
I am thinking like you somewhat snowy, wondering if this is a variant of "something" already in the wild or possibly some "NEW" bug?
"03:10:10 [PortRef] 1434: MS-SQL-M - Microsoft-SQL-Monitor"
Hopefully someone will provide some more light on this subject ;) .
Regards,
Kent
Jooske
January 25th, 2003, 05:07 AM
Not yet, in my case it's all time 27374+1243 from two ports in a row, and the same instant from the same sender.
But not so many in an hour as you with the 1434
Is that only for XP systems with MS SQL servers - monitors?
This might spread some light/solutions?
http://www.securiteam.com/windowsntfocus/5TP0N1F7PS.html
Little more googling brings "sqlping" and "rootkit" as tools too, maybe abusing radmin, looking further.
If it's dossing you, you might like to set the TDS TCP Port listen on 1434 but make sure the firewall blocks it and in case use the security patch mentioned in the thread above.
Smokey
January 25th, 2003, 06:05 AM
-{ Quote (snowy): "Just a precaution to others
in the past 20 minutes my udp port 1434 has been hit 92 times for a large assortment of addresses.
this by any means is very odd......just began" }-
Same occurs at my machine, and it is still going on.....
snowy
January 25th, 2003, 09:00 AM
Posted in Updates by member AMH209
W32.SQLExp.Worm
Discovered on: January 24, 2003
Last Updated on: January 25, 2003 04:20:00 AM
FanJ
January 25th, 2003, 09:22 AM
See also these two threads at the DSLR security-forum:
http://www.dslreports.com/forum/remark,5771929~root=security,1~mode=flat
http://www.dslreports.com/forum/remark,5772832~root=security,1~mode=flat
FanJ
January 25th, 2003, 09:34 AM
From the BBC:
"Virus-like attack hits web traffic"
http://news.bbc.co.uk/2/hi/technology/2693925.stm
snowy
January 25th, 2003, 09:37 AM
YIKES!! and this one seems to have been timed for the weekend...........seems to be letting off now.....really had no effect on my os but wonder what the results were on puters with no firewall......or poorly config firewall
there sure seems to be some real issues with that server
snowy
January 25th, 2003, 09:49 AM
this worm can't infect home computers but the infected servers can sure bang on firewalls...as we have all noted.
it appears that an eternal loop is used by the worm....
snowy
January 25th, 2003, 10:13 AM
comments by the Associated Press give rise to the opinion that this worm can infect home computers.....no explanation was given regarding this.......below is rather interesting perhaps:
" The latest attack was likely to revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed. Some Internet industry executives and lawyers said they would raise serious civil liberties concerns if the U.S. government, not an industry consortium, operated such a powerful monitoring center. "
snowy
January 25th, 2003, 10:22 AM
The Associated Press now says this:
"Most home users did not need to take any protective measures"
good golly miss mollie.....talk about "guessing" at its very best...lol
FanJ
January 25th, 2003, 10:29 AM
-{ Quote: "talk about "guessing" at its very best...lol " }- ;D :)
FanJ
January 25th, 2003, 10:37 AM
Posting from Milly with lots of links at GRC.news.feedback:
https://grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=44038&utag=
dsadad
January 25th, 2003, 11:06 AM
Bah, No wonder my connection is so flaky
idiots!
grey_ghost
January 25th, 2003, 11:12 AM
Hi
Here is an alert I received from Kaspersky.
1.) Worm Alert: Worm.SQL.Helkern (aka SQLSlammer)
Worm.SQL.Helkern is an extremely small (just 376 bytes) Internet worm
that affects Microsoft SQL servers. To get into a victim machine the
worm makes use of a buffer overrun vulnerability.
MS-SQL 2000 server users that have not applied the relevant patch
as of yet are advised to do so as soon as possible.
For additional information, check the full analysis text at:
http://www.kav.ch/avpve/newdesc.stm
Regards
Pilli
January 25th, 2003, 02:00 PM
:) MS issued a fix for the problem on SQL servers back in July - So there will be many red faced admins with sore bottoms running around on Monday ;D
snowy
January 25th, 2003, 02:16 PM
Red faces indeed........LOL I sometimes wonder if the people in the security communities (folks like us here) are shouldering the entire burden....cause those so called pros sure are not doing such a good job.......lil old grannie annie from pocahannie would have known to apply the patch
snowy
January 25th, 2003, 02:27 PM
the evening news should be most interesting......a completely preventable worm attack will be turned into something out of someone's nightmare and the screams for international monitoring will be heard around the world......all because some incompetent IT so called pros did not do their job........
Krusty
January 25th, 2003, 02:28 PM
-{ Quote (Pilli): ":) MS issued a fix for the problem on SQL servers back in July - So there will be many red faced admins with sore bottoms running around on Monday ;D" }-
LOL ! :D I BET
Jooske
January 25th, 2003, 06:36 PM
running the ms sql server - vulnerable if not patched.
Normally 1434 is a unix port, isn't it?
At least for those running the sql server block all unknown traffic to 1434 and 1433 from the trusted zone.
Don't tell me this was another attack from euhhmmmm to get laws for internet control, monitoring, snooping in computers and reducing internet freedom through. Didn't the second security advisor come with his opinions remarkably / suspiciously quickly?
New worm? Not sure; in the pages I posted above it was explained that with the little tool they set servers in loops over a year ago and thus created DoS.. so... new?
snowy
January 26th, 2003, 02:54 AM
Jooske
most of the day I have thought about this subject........the entire incident never should have happened.....it was completely preventable.......as to why it was not imo had nothing to do with anything other than complete ignorance.....laziness....apathy......and if this incident is used to further implement monitoring of the internet......it's the IT industry to point fingers at...for the industry's complete failure to act in a manner that would be considered reasonable and responsible
Copyright ©2002 - 2012, Wilders Security Forums