[unisog] MS-SQL Zombie DDoS

cam {Cam Beasley, ISO} cam at forum.utexas.edu
Mon Jan 27 17:40:28 GMT 2003


More MSDE2000 apps that are potentially vulnerable (not certain
that all are network aware)..

<http://sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13>

Also, we have confirmed an infected host targeting 1433/tcp..

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
512.475.9242

%>-----Original Message-----
%>From: James Van Houten [mailto:jvanhouten at loyola.edu] 
%>Sent: Saturday, 25 January, 2003 17:35
%>To: unisog at sans.org
%>Subject: Re: [unisog] MS-SQL Zombie DDoS
%>
%>
%>Cam and the group:
%>
%>You might also find
%>http://isc.incidents.org/analysis.html?id=180
%>helpful.
%>
%>We received our first udp port 1434 probe at 00:30:05 EST.
%>
%>Looks like it might also be causing trouble with the Cisco
%>NetFlow bug.
%>Check out the link.
%>
%>If anyone has logs of udp port 1434 sourced from our net
%>(144.126.0.0/16) please drop us a note.
%>
%>Thanks,
%>
%>Jim
%>
%>
%>
%>---
%>James D. Van Houten
%>Sr. Security Engineer / Consultant
%>Loyola College in Maryland
%>KH-105, +1.443.324.5899
%>
%>>>> "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu> 01/25/03 16:13 PM
%>>>>
%>
%>Colleagues --
%>
%>At approximately 23:30 24-Jan-2003 CST, MS-SQL
%>zombies rose up, creating a DDoS on port 1434/udp..
%>
%>We've seen zombie hosts from dozens of ISPs..
%>
%>More information on the SQL buffer overflow and
%>exploits can be read here:
%>
%>http://www.nextgenss.com/advisories/mssql-udp.txt
%>
%>~cam.
%>
%>Cam Beasley
%>ITS/Information Security Office
%>The University of Texas at Austin
%>512.475.9242
%>
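
Added example, not part of the original thread or any poster's own code: one way to answer the request above for logs of 1434/udp (and 1433/tcp) traffic sourced from a given network. The six-field flow line format, the function name and every sample record are constructed assumptions; only the ports and the 144.126.0.0/16 range come from the messages.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real logs).
# Assumed format: time proto src sport dst dport
SAMPLE_FLOWS = """\
2003-01-25T01:00:00 udp 144.126.10.20 1045 198.51.100.7 1434
2003-01-25T01:00:00 udp 144.126.10.20 1045 203.0.113.9 1434
2003-01-25T01:00:01 udp 144.126.10.20 1045 192.0.2.44 1434
2003-01-25T01:00:01 tcp 144.126.33.5 3120 192.0.2.80 1433
2003-01-25T01:00:02 udp 144.126.10.21 1050 192.0.2.53 53
2003-01-25T01:00:02 udp 10.1.1.1 2000 144.126.10.20 1434
malformed line
"""

# Ports named in the thread: the 1434/udp flood and the host targeting 1433/tcp.
WATCHED = {("udp", 1434), ("tcp", 1433)}


def suspect_sources(text, net="144.126.0.0/16", min_dests=1):
    """Map (src, proto, dport) -> sorted distinct destinations, for flows
    that leave `net` toward a watched port. Unparseable lines are skipped."""
    network = ipaddress.ip_network(net)
    hits = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, proto, src, _sport, dst, dport = parts
        try:
            key = (proto.lower(), int(dport))
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if key in WATCHED and src_ip in network:
            hits[(src, key[0], key[1])].add(dst)
    # A host fanning out to many distinct destinations is the stronger signal.
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_dests}


if __name__ == "__main__":
    for (src, proto, port), dsts in sorted(suspect_sources(SAMPLE_FLOWS).items()):
        print(f"{src} -> {port}/{proto}: {len(dsts)} distinct destination(s)")
```

Raising min_dests separates hosts spraying many destinations from a single legitimate SQL client connection.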


