[unisog] MS-SQL Zombie DDoS

Steven Lee sl8c at unix.mail.virginia.edu
Tue Jan 28 13:14:43 GMT 2003


Last I checked, Windows Update doesn't patch anything but Windows,
though I could be wrong.  0.0.0.0 is accessible from the Internet and it
looks like SQL Server is waiting for anyone to connect.

Steven Lee
IS Tech
UVA Radiology

-----Original Message-----
From: John Valenti [mailto:valenti at msu.edu]
Sent: Monday, January 27, 2003 11:58 PM
To: unisog at sans.org
Subject: Re: [unisog] MS-SQL Zombie DDoS


My desktop system was hit over the weekend. I tried your suggestion
below and got back:

UDP 0.0.0.0:1434 *.* LISTENING

Does 0.0.0.0 count as accessible to the Internet?

Oh, I'm pretty sure my problem was caused by Sitekeeper. I downloaded a
demo version of that a few months back. I ran Windows Update as recently
as last week and it didn't warn me about the MSDE bug.

-jav
John Valenti, Systems Analyst SLIR, Michigan State University

----- Original Message -----
From: "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu>
To: <unisog at sans.org>
Sent: Monday, January 27, 2003 1:23 PM
Subject: RE: [unisog] MS-SQL Zombie DDoS


> > More MSDE2000 apps that are potentially vulnerable (not certain
> > that all are network aware)..
> > <http://sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13>
>
> Many of the MSDE applications do not open ports to the network
> interface, only to localhost. I don't think that these apps are
> vulnerable to attack -- unless super weird internal bridging from
> private ==> public occurs.
>
> If the originating address (192.168.10.13 in this case below) is not
> accessible to the Internet, then there shouldn't be a risk of
> infection..  If the IP is public, then yes..
>
> Folks can check their Windows systems to see whether
> any MSDE apps are vulnerable. From the command line, type
>
>    netstat -an | find "1434"
>
> If port 1434 is open, the response will be something along the lines
> of:
>
>    UDP    192.168.10.13:1434        0.0.0.0:0         LISTENING
>
> Otherwise you'll just get the command prompt back again.
>
> ~cam.
>
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> 512.475.9242
>
>
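The thread's check is `netstat -an | find "1434"` and the open question is what a `0.0.0.0` local address means. The script below is an added example written for this archive page, not code posted by any of the participants: it parses sample `netstat -an` output (constructed inline, not captured from a real host; `11.22.33.44` is a made-up stand-in for a public address) and classifies each UDP 1434 listener by its bind address. A listener on `0.0.0.0` (or `::` for IPv6) is bound to every interface the host has, so it is reachable from wherever the host's addresses are reachable, which is why it deserves the same attention as a listener on a public address.

```python
import ipaddress
import re

# Constructed sample of Windows "netstat -an" output (not from any real host).
# It mirrors the lines quoted in the thread and adds loopback and IPv6 cases.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.10.13:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1434         *:*
  UDP    192.168.10.13:1434     *:*
  UDP    11.22.33.44:1434       *:*
  UDP    [::]:1434              *:*
  UDP    0.0.0.0:137            *:*
"""

# UDP 1434 is the SQL Server Resolution Service port discussed in the thread.
SQL_RESOLUTION_PORT = 1434

# Matches one socket line: proto, local address, local port, foreign address,
# and an optional state column (UDP lines on Windows have no state).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Ordered from least to most exposed, used to pick the worst case on a host.
EXPOSURE_RANK = {"loopback": 0, "private": 1, "public": 2, "all-interfaces": 3}


def parse_netstat(text):
    """Yield (proto, local_ip, local_port) for every socket line in netstat -an output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        yield m.group(1), m.group(2), int(m.group(3))


def classify_bind(ip):
    """Describe who can reach a listener bound to this local address.

    Returns one of: "all-interfaces", "loopback", "private", "public".
    """
    addr = ipaddress.ip_address(ip.strip("[]"))  # netstat prints IPv6 as [::]
    if addr.is_unspecified:          # 0.0.0.0 or :: -> bound to every interface
        return "all-interfaces"
    if addr.is_loopback:             # 127.0.0.0/8 or ::1 -> same host only
        return "loopback"
    if addr.is_private:              # RFC 1918 etc. -> LAN, not directly Internet
        return "private"
    return "public"


def find_sql_listeners(text, port=SQL_RESOLUTION_PORT):
    """Return [(local_ip, exposure)] for UDP listeners on the given port."""
    return [(ip, classify_bind(ip))
            for proto, ip, p in parse_netstat(text)
            if proto == "UDP" and p == port]


def worst_exposure(text, port=SQL_RESOLUTION_PORT):
    """Return the most exposed class among the port's listeners, or None if closed."""
    listeners = find_sql_listeners(text, port)
    if not listeners:
        return None
    return max((exp for _, exp in listeners), key=EXPOSURE_RANK.__getitem__)


if __name__ == "__main__":
    for ip, exposure in find_sql_listeners(SAMPLE_NETSTAT):
        print(f"UDP {ip}:{SQL_RESOLUTION_PORT} -> {exposure}")
    print("worst case:", worst_exposure(SAMPLE_NETSTAT))
```

On a real machine, feed it the saved output of `netstat -an` instead of the sample string. Only a `loopback` result (or no 1434 listener at all) matches the "localhost only" case described in the thread; `all-interfaces` on a host with a public address is equivalent to `public`.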