[unisog] MS-SQL Zombie DDoS

John Stauffacher stauffacher at chapman.edu
Mon Jan 27 18:15:51 GMT 2003


Likewise we've been dealing with this since Saturday. Also been hit with a
multicast version. If anyone has any logs coming out of the 206.211.128.0/17
please drop me a line. Thank you.

-John Stauffacher

++
John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
714.628.7249

"The man who does not read good books has no advantage over the man who
cannot read them." -Mark Twain  (1835-1910)

"It is from numberless diverse acts of courage and belief that human history
is shaped. Each time a man stands up for an ideal, or acts to improve the
lot of others, or strikes out against injustice, he sends forth a tiny
ripple of hope, and crossing each other from a million different centers of
energy and daring those ripples build a current which can sweep down the
mightiest walls of oppression and injustice." - Robert F Kennedy

============================================
Pursuant to 47 USC, unsolicited e-mail sent to any of my addresses is
subject to an archival fee of not less than $500 U.S. per copy. E-mail
received after any receipt of this notice implies acceptance of these terms.
A copy of the specific law regarding this activity may be found at
http://www.law.cornell.edu/uscode/47/227.shtml


-----Original Message-----
From: James Van Houten [mailto:jvanhouten at loyola.edu] 
Sent: Saturday, January 25, 2003 3:35 PM
To: unisog at sans.org
Subject: Re: [unisog] MS-SQL Zombie DDoS

Cam and the group:

You might also find
http://isc.incidents.org/analysis.html?id=180
helpful.

We received our first udp port 1434 probe at 00:30:05 est.

Looks like it might also be causing trouble with the cisco netflow bug. 
Check out the link.

If anyone has logs of udp port 1434 sourced from our net
(144.126.0.0/16) please drop us a note.

Thanks,

Jim



---
James D. Van Houten
Sr. Security Engineer / Consultant
Loyola College in Maryland
KH-105, +1.443.324.5899

>>> "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu> 01/25/03 16:13 PM >>>

Colleagues --

At approximately 23:30 24-Jan-2003 CST, MS-SQL
zombies rose up, creating a DDoS on port 1434/udp..

We've seen zombie hosts from dozens of ISPs..

More information on the SQL buffer overflow and
exploits can be read here:

http://www.nextgenss.com/advisories/mssql-udp.txt

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
512.475.9242
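Both Jim and John ask the list for the same thing: logs of 1434/udp traffic sourced from their own netblocks (144.126.0.0/16 and 206.211.128.0/17), and John also mentions a multicast variant. The script below is an added example of that log triage and is not code from the thread or from any of the posters. It assumes a constructed, syslog-style firewall log format (the `fw:` field layout, the host name `gw` and every sample line are hypothetical); the regex is the only part that needs changing to run it over a real firewall, ACL or NetFlow export.

```python
"""Triage firewall logs for 1434/udp (MS-SQL Resolution Service) traffic.

Added example, not code from the unisog thread. The log format parsed here
is constructed for the example; adapt LOG_RE to your own firewall export.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical syslog-style firewall format, e.g.
#   Jan 25 00:30:05 gw fw: DENY udp src=144.126.12.34:1290 dst=10.20.30.40:1434
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ fw: (?P<action>\w+) (?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

SQL_RESOLUTION_PORT = 1434            # udp/1434, the port the thread is about
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sql_udp_sources(lines, netblocks):
    """Summarise udp/1434 traffic whose source address lies in `netblocks`.

    Returns {src_ip: {"packets": n, "targets": {dst, ...}, "multicast": n}}
    so a site can answer "which of our hosts hit you, how hard, and did any
    of it go to multicast destinations".
    """
    nets = [ipaddress.ip_network(n) for n in netblocks]
    summary = defaultdict(lambda: {"packets": 0, "targets": set(), "multicast": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                   # unparseable line, skip
        if rec["proto"].lower() != "udp" or rec["dport"] != SQL_RESOLUTION_PORT:
            continue                                   # not udp/1434
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in nets):
            continue                                   # not one of "our" hosts
        entry = summary[str(src)]
        entry["packets"] += 1
        entry["targets"].add(rec["dst"])
        if ipaddress.ip_address(rec["dst"]) in MULTICAST:
            entry["multicast"] += 1
    return dict(summary)


def report(summary):
    """Render the summary as one line per source, busiest source first."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return [
        f"{src}: {e['packets']} pkts to {len(e['targets'])} targets "
        f"({e['multicast']} multicast)"
        for src, e in rows
    ]


# Constructed sample log (not real data): one noisy host in 144.126.0.0/16,
# one multicast sender in 206.211.128.0/17, plus lines that must be ignored.
SAMPLE_LOG = [
    "Jan 25 00:30:05 gw fw: DENY udp src=144.126.12.34:1290 dst=10.20.30.40:1434",
    "Jan 25 00:30:05 gw fw: DENY udp src=144.126.12.34:1290 dst=10.20.30.41:1434",
    "Jan 25 00:30:06 gw fw: DENY udp src=144.126.12.34:1290 dst=10.20.30.40:1434",
    "Jan 25 00:30:06 gw fw: DENY udp src=206.211.200.7:3012 dst=224.0.1.1:1434",
    "Jan 25 00:30:07 gw fw: DENY udp src=192.0.2.5:4100 dst=10.20.30.42:1434",   # foreign source
    "Jan 25 00:30:07 gw fw: DENY tcp src=144.126.12.35:4200 dst=10.20.30.40:1433", # tcp, not 1434/udp
    "Jan 25 00:30:08 gw fw: ALLOW udp src=144.126.99.1:53 dst=10.20.30.40:53",     # DNS, not 1434
    "this line is not in the expected format",
]

OUR_NETBLOCKS = ["144.126.0.0/16", "206.211.128.0/17"]

if __name__ == "__main__":
    for line in report(find_sql_udp_sources(SAMPLE_LOG, OUR_NETBLOCKS)):
        print(line)
```

Only the source-in-netblock test is specific to the request on the list; drop the `netblocks` filter to get the full list of scanning sources seen at your border, and add a `len=` capture to the regex if your firewall logs packet length, since it gives a second field to pivot on.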


