[unisog] MS-SQL Zombie DDoS

Sean Lanham slanham at uta.edu
Tue Jan 28 16:33:37 GMT 2003

Windowsupdate.com only updates the OS... for some reason MS does not promote
officeupdate.com as heavily. I have talked to a large number of people who
actually never knew it existed.

-----Original Message-----
From: Steven Lee [mailto:sl8c at unix.mail.virginia.edu] 
Sent: Tuesday, January 28, 2003 7:15 AM
To: unisog at sans.org
Subject: RE: [unisog] MS-SQL Zombie DDoS

Last I checked, Windows Update doesn't patch anything but Windows,
though I could be wrong. is accessible from the Internet and it
looks like SQL Server is waiting for anyone to connect.

Steven Lee
IS Tech
UVA Radiology

-----Original Message-----
From: John Valenti [mailto:valenti at msu.edu]
Sent: Monday, January 27, 2003 11:58 PM
To: unisog at sans.org
Subject: Re: [unisog] MS-SQL Zombie DDoS

My desktop system was hit over the weekend. I tried your suggestion
below and got back:


Does count as accessible to the Internet?

Oh, I'm pretty sure my problem was caused by Sitekeeper. I downloaded a
demo version of that a few months back. I ran Windows Update as recently
as last week and it didn't warn me about the MSDE bug.

John Valenti, Systems Analyst SLIR, Michigan State University

----- Original Message -----
From: "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu>
To: <unisog at sans.org>
Sent: Monday, January 27, 2003 1:23 PM
Subject: RE: [unisog] MS-SQL Zombie DDoS

> %>More MSDE2000 apps that are potentially vulnerable (not certain
> %>that all are network aware)..
> %>
> %><http://sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13>
> Many of the MSDE applications do not open ports to the network
> interface, only to localhost. I don't think that these apps are
> vulnerable to attack -- unless super weird internal bridging from
> private ==> public occurs.
> If the originating address ( in this case below) is not
> accessible to the Internet, then there shouldn't be a risk of
> infection..  If the IP is public, then yes..
> Folks can check their Windows systems to see whether
> any MSDE apps are vulnerable. From the command line, type
>    netstat -an | find "1434"
> If port 1434 is open, the response will be something along the lines
> of:
>    UDP         LISTENING
> Otherwise you'll just get the command prompt back again.
> ~cam.
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> 512.475.9242
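
Added example, not part of the original thread: the netstat check described above, extended to report which address UDP 1434 is bound to, since the thread turns on whether a listener is localhost-only or reachable from the network. The netstat rows are constructed sample data, and the function names and category labels are hypothetical.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` rows (combined for illustration,
# not taken from the thread). 192.0.2.10 is a documentation address standing
# in for a public IP.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1434        0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1434         *:*
  UDP    0.0.0.0:1434           *:*
  UDP    10.1.2.3:1434          *:*
  UDP    192.0.2.10:1434        *:*
  UDP    192.0.2.10:14340       *:*
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_bind(addr):
    """Describe how far a local bind address can be reached."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"    # 0.0.0.0 or ::, every address the host has
    if ip.is_loopback:
        return "loopback-only"     # the localhost-only case from the thread
    if any(ip in net for net in RFC1918):
        return "private-address"   # reachable from the local network
    return "public-address"        # anything else is treated as routable


def udp_1434_listeners(netstat_text):
    """Return (local_address, classification) for each UDP 1434 socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].upper() != "UDP":
            continue
        host, _, port = fields[1].rpartition(":")
        # Exact port match: a substring search for "1434" would also hit
        # port 14340 or a TCP socket on the same port number.
        if port != "1434":
            continue
        found.append((fields[1], classify_bind(host.strip("[]"))))
    return found


if __name__ == "__main__":
    for local, kind in udp_1434_listeners(SAMPLE_NETSTAT):
        print(f"{local:<22} {kind}")
```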
