North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)

  • From: Robert Boyle
  • Date: Sat Jan 25 07:40:04 2003



Everyone,

I don't know what is causing this, but we had several customer machines (which we don't manage) affected tonight. The common thread is that all were running an unpatched MS SQL Server. This new worm seems to create MASSIVE network traffic which propagates outbound. Somehow it seems to be amplified at each of our Cisco routers. In our colo facility, we had 3 "infected" servers on 10Base-T connections - after this traffic hit our core router, the traffic increased from just under 30Mbits/sec inbound from our colo switch to 80+Mbits/sec outbound over ALL transit and peering connections. I know our routers aren't smurf amplifiers and I don't know what caused the increased outbound traffic. Once this process is started, the MSSQLServer service cannot be stopped (or killed with pview). If the service is disabled and the server rebooted, it will not generate this traffic. It is not a master-slave program which requires a connection from outside to start the flow. Once the SQL server has been infected, no Internet connection is needed to continue the traffic storm even after a reboot. None of our managed customer machines were affected, but all of them are patched with current patches and none of them have 1433 exposed to the world either. I don't have any more detail at this time, but I plan to look into this worm/virus/exploit further in the AM. This seems to affect both MSSQL and MSDE. Does anyone else have more to add. I have seen several networks drop off the earth tonight as a result of this exploit.

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey