RE: [suse-security] MSSQL-Attack: What can I do?

29 Jan 2003


      Please have a look:

http://kaspersky.com/news.html?id=970395

--

Boris Kimel
N. D. Zelinsky Institute of Organic Chemistry 
47 Leninsky Prospekt, Moscow, Russia
Phone1: +7 095 135-89-41
Phone2: +7 095 938-35-10
Phone3: (inside IOC) 9-80 auto secretary, please use!
Fax:	+7 095 135-53-28
Email:	kimel@1303.ru
...
-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] 
Sent: 29 января 2003 г. 9:28
To: "Mario Neubert"; suse-security@suse.com
Subject: RE: [suse-security] MSSQL-Attack: What can I do?
Hi Mario:
I just tried some downloads (10:00 PM PTZ) and all SuSE 
mirrors that I tried "timed out." Internet health Report 
http://www.internetpulse.net/ now shows a number of US 
backbone providers including At&T going critical (in the red 
zone - ) so you are not alone. SQLsecurity.com is 
recommending blocking access to TCP 1433 and UDP 1434 from 
all un-trusted clients which it appears you are doing by your 
rules. You didn't say if you have a SQL Server inside your 
firewall. Do you? If so you might look at SQLsecurity.com 
Sorry I can't be more helpfull :((
*************
"Mario Neubert"  wrote:
...
Hello List,
Just I have seen the graphics of my server with MRTG.
This fu..... crackers. My system is stable but the trafic is 
very high. 
The rules with udp/tcp - 1433/1434 does blocking the unicast traffic 
but also multicast trafic comes in and I don't know what can I do 
against this. It seems to be the MSSQL-Worm on a multicast adress.
List, have anyone any idea? Many thanks....
Mario
PS:
tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434:  udp 376
I have inserted following rules to SuSEfirewall
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  217.175.233.161      0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          
udp dpt:1433
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          
udp dpt:1434
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          
tcp dpt:1433
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          
tcp dpt:1434
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
__________________________________________________________________
The NEW Netscape 7.0 browser is now available. Upgrade now! 
http://channels.netscape.com/ns/browsers/download.js> p
Get 
your own FREE, personal Netscape Mail account today 
at http://webmail.netscape.com/
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com 
Security-related bug reports go to security@suse.de, not here

RE: [suse-security] MSSQL-Attack: What can I do?

bobk