New SQL Server worm is spreading fast!

Discussion in 'Archived Threads 2001-2004' started by Kevin P, Jan 25, 2003.

  1. Kevin P

    Symantec information on W32.SQLExp.Worm

    A new worm that infects machines running SQL Server 2000 is rapidly spreading. It gets in using an exploit on UDP port 1434. When it infects a machine it will hit random IPs on this port at a high rate, causing increased network traffic and possible Denial of Service.

    If you're a SQL Server admin, DBA or IT technician at a site running SQL Server, you should take steps to protect your network. Make sure UDP port 1434 is blocked at your firewall, and apply the SQL Server patch, mentioned in the Symantec link above, to protect your SQL Server systems.

    My home firewall has logged 284 scans on port 1434 since midnight Eastern time when the worm first appeared.

    KJP
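
One way to check firewall logs for the scanning described in this post, as an added example that is not part of the original thread: it counts inbound probes to UDP port 1434 per source and flags internal hosts sending to several distinct addresses on that port, which is what an infected server does. The iptables-style log format, the 10.0.0.0/8 internal range, the threshold and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

SLAMMER_PORT = 1434                                # UDP port named in the post
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's internal range
FANOUT_THRESHOLD = 3                               # assumption: distinct targets before flagging

# Constructed sample lines in iptables LOG style, using documentation addresses.
SAMPLE_LOG = """\
Jan 25 00:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=UDP SPT=3321 DPT=1434
Jan 25 00:31:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=10.0.0.5 PROTO=UDP SPT=1087 DPT=1434
Jan 25 00:32:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.9 PROTO=UDP SPT=3321 DPT=1434
Jan 25 00:32:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=10.0.0.5 PROTO=TCP SPT=4410 DPT=1434
Jan 25 00:33:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.14 PROTO=UDP SPT=1045 DPT=1434
Jan 25 00:33:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.200 PROTO=UDP SPT=1045 DPT=1434
Jan 25 00:33:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.77 PROTO=UDP SPT=1045 DPT=1434
Jan 25 00:34:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.44 DST=192.0.2.14 PROTO=UDP SPT=2001 DPT=1434
Jan 25 00:34:30 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.53 PROTO=UDP SPT=1046 DPT=53
Jan 25 00:35:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def analyze(log_text):
    """Return (inbound probe counts per external source, internal hosts fanning out)."""
    inbound = defaultdict(int)   # external source -> probes seen on UDP 1434
    fanout = defaultdict(set)    # internal source -> distinct destinations on UDP 1434
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            if fields["PROTO"] != "UDP" or int(fields["DPT"]) != SLAMMER_PORT:
                continue
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue             # truncated or malformed line: skip, do not crash
        if src in INTERNAL_NET:
            fanout[str(src)].add(str(dst))
        else:
            inbound[str(src)] += 1
    suspects = sorted(h for h, d in fanout.items() if len(d) >= FANOUT_THRESHOLD)
    return dict(inbound), suspects


if __name__ == "__main__":
    probes, infected = analyze(SAMPLE_LOG)
    print("inbound probes:", probes)
    print("internal hosts to isolate and patch:", infected)
```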
     
  2. Peter McDonald

    What a surprise, a Microsoft product with a massive security hole...
     
  3. Bill Slack

    What a bigger surprise... a patch has been out since the summer and the majority of admins haven't patched their boxes. For 99% of people, having SQL Server open to the internet serves absolutely no purpose either...
     
  4. andrew markworthy

  5. Jason Harbaugh

    This virus crashed all Battlefield 1942 servers on Friday night. That was pretty wild.
     
  6. MikeAlletto

    It brought down the Bank of America ATM system on Saturday! Pissed me off because I had zero cash for lunch.
     
  7. John_Berger

    Can someone please tell me when the last Oracle, Sybase, MySQL, or Postgres database worm went out on the Internet?

    Anyone?

    Anyone?

    Bueller?

    Yet another call for people to STOP USING MICROSOFT PRODUCTS that will again go unheeded.
     
  8. Chad Ellinger

     
  9. John_Berger

    That doesn't forgive the fact that if the bugs didn't exist in the first place, there'd be nothing to exploit regardless of the number of hackers that go after it. :p)

    Then of course we have the morons who run a computer on an open connection without a firewall, but that's for another thread.
     
  10. MikeAlletto

    I don't have a clue why people run SQL Server from Microsoft anyways. It's either Oracle or something free (MySQL or Postgres).

    You can't blame this time on Microsoft. The patch has been out since the summer and people still haven't patched their systems. Microsoft can only do so much before it's not their problem anymore.
     
  11. andrew markworthy

    Regardless of Microsoft's failings, they do not excuse hackers who create viruses. Hackers' claims that they are getting at the Evil Beast that is Bill Gates Inc are about as rational as showing your hatred of ice cream manufacturers by putting doses of arsenic in cartons of ice cream at supermarkets.
     
  12. John_Berger

    Whereas that is certainly true and I'll stand by your arguments against hackers 100% (can't they put their talents to better use?), it still all comes down to being Microsoft's responsibility. If the bugs didn't exist in the first place, there'd be nothing to exploit.

    Now, realistically there is enough blame to go around:
    • Microsoft's continued practice of putting deep application hooks into the operating system is the number one cause of problems.
    • The idiot hackers really need to find a way to put their talents to better use.
    • People need to learn what a {expletive deleted}ing FIREWALL is and then actually UTILIZE it!
    However, I still stand by my argument that if you hook ANY computer directly to the Internet without any kind of firewall, you DESERVE to be hacked.
     
  13. LDfan

    All the more reason to use a Novell-based network and Oracle or Sybase for the database.


    Jeff
     
  14. AjayM

    First we need to properly define hacker. A hacker is somebody who uses their skills for good use. A cracker is somebody who uses those skills for bad use. A script kiddie is the wanna-be version of a cracker. This is old school terminology and is still in use today. Why do I bring this up? Because any REALLY good IT person will also be a good hacker, you can't properly protect yourself against these types of people if you aren't able to do it yourself, at least to some degree. The first thing I do when I come into a new company is lay down a base level of security, then try and hack it, then I fix the problems. I'll spend a few hours a week sitting on CERT learning about new vulnerabilities.

    Second, how can anybody blame MS here? The patch was out there; it's people who don't patch their systems that are the problem. But considering the cost cutting that has been going on in IT lately, that's tough as well, because again, any REALLY good IT person will always try and lab test patches before rolling them out on production machines. It's a huge catch-22 situation.

    Firewalls? This worm brought down large chunks of the internet, do you think none of these people had firewalls in place? They do have them, there is more than one way around them though evidently when it comes to this worm, as I was talking to somebody that spent hours on Sat cleaning up this problem, and he was fully blocked at the firewall, he only mentioned that it came in another way. Security does not end at the firewall. The first thing I did when I got the first email message from Bugtraq (early Friday before this was a problem) was to disable incoming and outgoing packets from a couple of ports, that way even if somehow they did get in, I wouldn't be polluting the internet.

    As to other databases, freeware/GNU stuff is just not going to happen seriously, it's unsupported, documentation is slim at best and every week there is a new version. Oracle? Sure, if I had a blank check and needed to be up 99.999999% of the time there is no doubt in my mind I would use it. Unfortunately Oracle costs just a small fortune:
    Oracle 9i Standard Edition = $15,000 per processor
    SQL Server Standard = $4k per processor
    IBM DB2, Sybase, etc isn't much different.

    Basically SQL Server is the first real, heavily supported database server on the cost scale, it's fairly robust (sure it won't support eBay, but how many people need that) and it's cheap.

    Andrew
     
  15. John_Berger

     
  16. AjayM

     
  17. Kevin P

     
  18. Andrew Pratt

    Looks like MS can't keep up with their patches either:b


    Microsoft exposed to worm

    Worm's damage more serious than thought



    SEATTLE (AP) -- Microsoft Corp. itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal e-mails obtained by The Associated Press.

    Although Microsoft contends its failure to keep up with its own updates did not cause major problems, security experts said Monday it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.

    The virus-like attack, called "slammer" or "sapphire," exploited a known flaw in Microsoft's "SQL Server 2000" database software, used by businesses, government agencies, universities and others around the world. Microsoft had issued a patch for the flaw in July, but many -- including some units within Microsoft -- had failed to install it.

    The result was that the attacking software scanned for victim computers so randomly and so aggressively that it saturated many of the Internet's largest data pipelines, slowing e-mail and Web surfing around the world.

    Microsoft spokesman Rick Miller declined to say which areas or how many computers at Microsoft were affected. He acknowledged that some servers were left unfixed because administrators "didn't get around to it when they should have."

    The computer servers that hosted the software patch for download by users were not among those vulnerable to the worm, Miller said.

    The disclosure comes less than a week after Microsoft Chairman Bill Gates marked progress on the company's "Trustworthy Computing" initiative. That effort, announced a year ago, made security a top priority at the Redmond, Wash.-based company. Microsoft put thousands of its developers through security training to emphasize writing secure code, and hired a chief security officer.

    Miller said employees' failure to install patches on their computers does not reflect a lack of commitment to Gates' vision for secure computing.

    "This is why we developed Trustworthy Computing," Miller said. "Not because we said when we came out with a memo that our work was done and it was over, but that we were beginning the process, and we were going to learn and we were going to make it better ... We're committed to getting there."

    This isn't the first time Microsoft has had its own computers attacked when it failed to install software fixes. In 2000, Microsoft was one of the victims of the "I Love You" virus which exploited a known flaw in its Outlook e-mail program.

    But it's no surprise that many -- including Microsoft -- were vulnerable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc.

    Network administrators are dealing with several software patches each week from Microsoft and other vendors, he said.

    "You can't possibly keep up with this," Schneier said. "There is a lot of frustration."

    He added that Microsoft needs to own up to problems with how it offers security fixes.

    "On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim."

    Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.

    SQL Server patches in particular can be difficult, time-consuming and error-prone to the point where they may cause the program to fail, Schneier said.

    Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100 percent security is an elusive goal.

    "There's never going to be a day when ... software that is developed by humans is flawless," he said.
     
  19. John_Berger

     
  20. Glenn Overholt

    I wish the hackers would go after the spammers.

    Glenn
     
