Please have a look: http://kaspersky.com/news.html?id=970395

--
Boris Kimel
N. D. Zelinsky Institute of Organic Chemistry
47 Leninsky Prospekt, Moscow, Russia
Phone1: +7 095 135-89-41
Phone2: +7 095 938-35-10
Phone3: (inside IOC) 9-80 auto secretary, please use!
Fax: +7 095 135-53-28
Email: kimel@1303.ru
-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net]
Sent: 29 January 2003 9:28
To: "Mario Neubert"; suse-security@suse.com
Subject: RE: [suse-security] MSSQL-Attack: What can I do?
Hi Mario:
I just tried some downloads (10:00 PM PTZ) and all SuSE mirrors that I tried "timed out." Internet Health Report http://www.internetpulse.net/ now shows a number of US backbone providers, including AT&T, going critical (in the red zone), so you are not alone. SQLsecurity.com is recommending blocking access to TCP 1433 and UDP 1434 from all un-trusted clients, which it appears you are doing by your rules. You didn't say if you have a SQL Server inside your firewall. Do you? If so, you might look at SQLsecurity.com. Sorry I can't be more helpful :((
*************
"Mario Neubert" wrote:

Hello List,
I have just seen the graphics of my server with MRTG. This fu..... crackers. My system is stable but the traffic is very high. The rules with udp/tcp - 1433/1434 do block the unicast traffic, but multicast traffic also comes in and I don't know what I can do against this. It seems to be the MSSQL-Worm on a multicast address.
List, does anyone have any idea? Many thanks....
Mario
PS:
tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376
I have inserted the following rules into SuSEfirewall:

DROP  all  --  0.0.0.0/0        224.0.0.0/8
DROP  all  --  217.175.233.161  0.0.0.0/0
DROP  udp  --  0.0.0.0/0        0.0.0.0/0    udp dpt:1433
DROP  udp  --  0.0.0.0/0        0.0.0.0/0    udp dpt:1434
DROP  tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:1433
DROP  tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:1434
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
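The tcpdump line and DROP rules quoted in the thread, turned into a small triage script; this is an added example, not part of any poster's message. It flags 376-byte UDP datagrams to port 1434 (the pattern in the quoted capture) and shows which multicast destinations a 224.0.0.0/8 rule misses compared with the full IPv4 multicast range 224.0.0.0/4. Every sample line except the first is constructed, and the function names are illustrative.

```python
import ipaddress
import re

# tcpdump summary format as quoted in the thread: "src.sport > dst.dport: udp len"
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)

MULTICAST_ALL = ipaddress.ip_network("224.0.0.0/4")  # full IPv4 multicast range
RULE_IN_POST = ipaddress.ip_network("224.0.0.0/8")   # destination of the posted DROP rule
WORM_PORT = 1434   # UDP port seen in the quoted capture
WORM_LEN = 376     # UDP payload length seen in the quoted capture


def classify(line):
    """Parse one tcpdump summary line; return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    return {
        "src": m["src"],
        "dst": str(dst),
        "suspect": int(m["dport"]) == WORM_PORT and int(m["len"]) == WORM_LEN,
        "multicast": dst in MULTICAST_ALL,
        "covered_by_slash8": dst in RULE_IN_POST,
    }


def summarize(lines):
    """Count suspect datagrams, list their sources, and list multicast
    destinations that a 224.0.0.0/8 destination rule would not match."""
    hits = [r for r in map(classify, lines) if r and r["suspect"]]
    return {
        "hits": len(hits),
        "sources": sorted({r["src"] for r in hits}),
        "multicast_missed_by_slash8": [
            r["dst"] for r in hits if r["multicast"] and not r["covered_by_slash8"]
        ],
    }


SAMPLE = [
    "217.175.233.161.1181 > 224.41.16.185.1434: udp 376",  # line from the thread
    "192.0.2.10.4021 > 239.12.7.3.1434: udp 376",          # constructed, multicast
    "192.0.2.10.4021 > 198.51.100.7.1434: udp 376",        # constructed, unicast
    "192.0.2.55.53 > 198.51.100.7.33000: udp 120",         # constructed, unrelated
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the output of a capture limited to UDP port 1434; a non-empty `multicast_missed_by_slash8` list means the multicast DROP rule needs the wider 224.0.0.0/4 destination.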