Heads-up

Discussion in 'other security issues & news' started by snowy, Jan 25, 2003.

Thread Status:
Not open for further replies.
  1. snowy

    snowy Guest

    Just a precaution to others


    in the past 20 minutes my udp port 1434 has been hit 92 times for a large assortment of addresses.
    this by any means is very odd......just began
     
  2. snowy

    snowy Guest

    in the brief time it took to post....then recheck log...the number had climbed to 138.........all udp port 1434 to some other udp port.............it's like a massive DoS attack
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    snowy,

    Interesting indeed...... I have been hit 155 times in the last 2 hours on port 1434.....

    03:10:10 [PortRef] 1434: MS-SQL-M - Microsoft-SQL-Monitor

    The above is the info I get thru TDS on port 1434.....

    Regards,
    Kent
     
  4. snowy

    snowy Guest

    KENT

    as you know for months we have endured being hit on port 1433 (netbiosname)..........but never have I had as numerous a hit log on udp port 1434..........and the sudden way it began makes it hard put for me to believe a "timed" virus is at work here..
    at the moment the attack has all but disappeared.....only four hits since my last post.
    If you have ever had a bad day.....for me it's been "one of those" and I am just not in a mood for this sort of frivolous attack.........if it's just infected computers the users of those computers have a responsibility to others......after months of this nonsense surely it should have been stopped......kinda tells you how the situation really is.
     
  5. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    I've been hit 44 times in the last 2 hours on port 1434. No other type of alerts in my log.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Still being 'probed' here o_O .

    Another 65 hits on me in the last hour :mad: .

    I am thinking like you somewhat snowy, wondering if this is a variant of "something" already in the wild or possibly some "NEW" bug?

    "03:10:10 [PortRef] 1434: MS-SQL-M - Microsoft-SQL-Monitor"
    Hopefully someone will provide some more light on this subject ;) .


    Regards,
    Kent
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Not yet, in my case it's all time 27374+1243 from two ports in a row, and the same instant from the same sender.
    But not so many in an hour as you with the 1434
    Is that only for XP systems with MS SQL servers - monitors?

    This might spread some light/solutions?
    http://www.securiteam.com/windowsntfocus/5TP0N1F7PS.html

    Little more googling brings "sqlping" and "rootkit" as tools too, maybe abusing radmin, looking further.
    If it's dossing you, you might like to set the TDS TCP Port listen on 1434 but make sure the firewall blocks it and in case use the security patch mentioned in the thread above.
     
  8. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Same occurs at my machine, and it is still going on.....
     
  9. snowy

    snowy Guest

    Posted in Updates by member AMH209


    W32.SQLExp.Worm
    Discovered on: January 24, 2003
    Last Updated on: January 25, 2003 04:20:00 AM
     
  10. FanJ

    FanJ Guest

  11. FanJ

    FanJ Guest

  12. snowy

    snowy Guest

    YIKES!! and this one seems to have been timed for the weekend...........seems to be letting off now.....really had no effect on my os but wonder what the results were on puters with no firewall......or poorly config firewall

    there sure seems to be some real issues with that server
     
  13. snowy

    snowy Guest

    this worm can't infect home computers but the infected servers can sure bang on firewalls...as we have all noted.

    it appears that an eternal loop is used by the worm....
     
  14. snowy

    snowy Guest

    comments by the associated press give rise to the opinion that this worm can infect home computers.....no explanation was given regarding this.......below is rather interesting perhaps:


    "The latest attack was likely to revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed. Some Internet industry executives and lawyers said they would raise serious civil liberties concerns if the U.S. government, not an industry consortium, operated such a powerful monitoring center."
     
  15. snowy

    snowy Guest

    The Associated Press now says this:


    "Most home users did not need to take any protective measures"


    good golly miss mollie.....talk about "guessing" at its very best...lol
     
  16. FanJ

    FanJ Guest

    :D :)
     
  17. FanJ

    FanJ Guest

  18. dsadad

    dsadad Guest

    Bah, No wonder my connection is so flaky

    idiots!
     
  19. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi

    Here is an alert I received from Kaspersky.

    1.) Worm Alert: Worm.SQL.Helkern (aka SQLSlammer)


    Worm.SQL.Helkern is an extremely small (just 376 bytes) Internet worm
    that affects Microsoft SQL servers. To get into a victim machine the
    worm makes use of a buffer overrun vulnerability.

    MS-SQL 2000 server users that have not applied the relevant patch
    as of yet are advised to do so as soon as possible.

    For additional information, check the full analysis text at:

    http://www.kav.ch/avpve/newdesc.stm

    Regards
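
An added example, not part of any post in this thread: a small log scanner for the pattern the posters describe, a sudden run of inbound UDP port 1434 hits from many different addresses in a short window, which also counts datagrams matching the 376-byte size quoted in the Kaspersky alert. The log line format, the thresholds, the sample addresses, and the assumption that the firewall logs the UDP payload length are all constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed (constructed) log format:
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> len=<payload bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Constructed sample entries using documentation address ranges.
SAMPLE_LOG = """\
2003-01-25 05:30:01 UDP 198.51.100.7:1047 -> 192.0.2.10:1434 len=376
2003-01-25 05:30:40 TCP 203.0.113.9:3321 -> 192.0.2.10:27374 len=0
2003-01-25 05:31:12 UDP 203.0.113.45:2210 -> 192.0.2.10:1434 len=376
2003-01-25 05:33:05 UDP 198.51.100.200:1189 -> 192.0.2.10:1434 len=376
2003-01-25 05:34:50 UDP 203.0.113.77:4000 -> 192.0.2.10:1434 len=376
2003-01-25 05:36:02 UDP 198.51.100.7:1048 -> 192.0.2.10:1434 len=376
2003-01-25 06:40:00 UDP 198.51.100.31:1500 -> 192.0.2.10:1434 len=1
"""

def scan(log_text, port=1434, window=timedelta(minutes=20),
         min_hits=4, min_sources=3, worm_len=376):
    """Summarise UDP hits on `port` and report when a multi-source burst starts.

    Expects log lines in chronological order.
    """
    recent = deque()          # (timestamp, source) pairs inside the sliding window
    hits = worm_sized = 0
    sources = set()
    first_alert = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or int(m["dport"]) != port:
            continue          # unparsable line or unrelated traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits += 1
        sources.add(m["src"])
        worm_sized += int(m["len"]) == worm_len
        recent.append((ts, m["src"]))
        while ts - recent[0][0] > window:   # drop hits older than the window
            recent.popleft()
        burst_sources = {src for _, src in recent}
        if (first_alert is None and len(recent) >= min_hits
                and len(burst_sources) >= min_sources):
            first_alert = ts  # many hits from many sources: worm-like scanning
    return {"hits": hits, "sources": len(sources),
            "worm_sized": worm_sized, "first_alert": first_alert}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```
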
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :) MS issued a fix for the problem on SQL servers back in July - So there will be many red faced admins with sore bottoms running around on Monday :D
     
  21. snowy

    snowy Guest

    Red faces indeed........LOL I sometimes wonder if the people in the security communities(folks like us here) are shouldering the entire burden....cause those so called pro's sure are not doing such a good job.......lil old grannie annie from pocahannie would have known to apply the patch
     
  22. snowy

    snowy Guest

    the evening news should be most interesting......a completely preventable worm attack will be turned into something out of someone's nightmare and the screams for international monitoring will be heard around the world......all because some incompetent IT so called pro's did not do their job........
     
  23. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    LOL ! :D I BET
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    running the ms sql server - vulnerable if not patched.
    Normally 1434 is a unix port, isn't it?
    At least for those running the sql server block all unknown traffic to 1434 and 1433 from the trusted zone.

    Don't tell me this was another attack from euhhmmmm to get laws for internet control, monitoring, snooping in computers and reducing internet freedom through. Didn't the second security advisor come with his opinions remarkable / suspicious quick?
    New worm? Not sure; in the pages i posted above was explained with the little tool they set over a year ago servers in loops and thus creating DoS.. so... new?
     
  25. snowy

    snowy Guest

    Jooske

    most of the day I have thought about this subject........the entire incident never should have happened.....it was completely preventable.......as to why it was not imo had nothing to do with anything other than complete ignorance.....laziness....apathy......and if this incident is used to further implement monitoring of the internet......it's the IT industry to point fingers at...for the industry's complete failure to act in a manner that would be considered reasonable and responsible
     