We got hit this weekend and this morning again. Here is what I know:

It hits SQL2000 servers and/or 2000 machines running just the SQL tools.

www.trendmicro.com has a free scanner for the virus. (Get the one that says it is for people not running Trend Micro antivirus. It's simple and easy to use.)

If you are in question about a server, install www.sysinternals.com's TDIMON and run it. You will see thousands of UDP packets heading out to remote hosts if you have the virus. This is what I used to track down infected machines.

Solution:
Stop SQL.
Set MSSQL service to manual start
Reboot (to clear from memory)
Run Trend patch
Install SQL2k SP3
Reboot...
Start MSSQL and set services to Auto again.

HTH
Clark

**********************************
Clark Turner
Blue Cross Blue Shield of AZ
IS Dept.
602-864-5656
cturner@xxxxxxxxxxxxxxx
***********************************

>>> hsieff@xxxxxxxxxxxx 1/27/2003 8:36:32 AM >>>
1) Definitely install latest patches on SQL server.
2) You want to start silently dropping UDP 1434 on all interfaces of the router. Logging the packets will cause CPU overload for the next few days. Ideally, you want to route those packets to Null, instead of taxing your router with actually processing an ACL to drop it.

We actually weren't much affected by it, but I am seeing increased latency in our connections to our remote clients today.

Henry

> -----Original Message-----
> From: Jim Kenzig http://thethin.net [mailto:jimkenz@xxxxxxxxxxxxxx]
> Sent: Saturday, January 25, 2003 10:41 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: SQL Attack question
>
> Yep,
> My router was going bonkers this morning. I was unable to access the internet from any machines on my network. I unplugged my web server's network cable and it stopped instantly and I was able to access the internet fine from my other machines.
>
> If you have an sql server you absolutely need to either get the patch (which is a pain in the butt to install because it is not automatic install) or install SQL 2000 SP3.
>
> Installing SP3 went without a hitch for me. I backed up all my databases, shut down all the antivirus, web services and sql services before I installed it and it went fine.
>
> JK
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Boggan
> Sent: Saturday, January 25, 2003 11:19 PM
> To: 'THIN'
> Subject: [THIN] SQL Attack question
>
> Over the last few days we have had 2 of our Dell Powerconnect switches "lock" up. They stopped passing any kind of traffic. The only way to fix this was to unplug them to reset them. Could this be caused by this latest DoS attack? Or has anyone else seen this problem before?
>
> _________________________________
>
> Michael Boggan
> Network Engineer/Citrix Admin
> Virtual Desktop Inc.
> Dallas, Texas
> Ph: (972) 960-6400
> Fax: (972) 960-6445
> email: mboggan@xxxxxxxxxxx
> http://www.virtualdesktopinc.com
> _________________________________
>
> For Technical Support please send email to support@xxxxxxxxxxx
>
> ********************************************************************
> This Week's Sponsor: RTO Software - TScale
> TScale increases Terminal Server capacity. Get 30-40% more users per
> server to save $$$ and time. Add users now! - Not more servers.
> If you're using Citrix, you must learn about TScale!
> Free 30-day eval: http://www.rtosoft.com/Enter.asp?ID=79
> *********************************************************************
>
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thethin.net/citrixlist.cfm
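
Added example, not part of the original thread: the check described in the top message (an infected machine sends thousands of UDP packets out to remote hosts) applied to packet logs, counting how many distinct UDP 1434 destinations each source reaches inside a short window. The log line format, function names, thresholds and sample addresses are assumptions constructed for this example; they are not TDIMON output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) log line: <ISO time> <proto> <src>:<port> -> <dst>:<port>
LINE_RE = re.compile(r"^(\S+) (UDP|TCP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def find_udp1434_scanners(lines, window=timedelta(seconds=10), min_targets=20):
    """Map src_ip -> peak count of distinct UDP/1434 destinations per window."""
    events = defaultdict(list)          # src -> [(time, dst)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # malformed line: skip
        ts, proto, src, dst, dport = m.groups()
        if proto != "UDP" or dport != "1434":
            continue
        try:
            events[src].append((datetime.fromisoformat(ts), dst))
        except ValueError:
            continue                    # unparseable timestamp
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)    # dst -> packets inside the window
        start = peak = 0
        for t, dst in evs:
            in_window[dst] += 1
            while t - evs[start][0] > window:   # slide window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def constructed_sample():
    """Constructed log: one flooding host, one normal SQL client, one bad line."""
    base = datetime(2003, 1, 27, 8, 0, 0)
    flood = [f"{(base + timedelta(milliseconds=10 * i)).isoformat()} "
             f"UDP 10.1.2.15:1045 -> 198.51.100.{i + 1}:1434" for i in range(200)]
    normal = [f"{(base + timedelta(seconds=i)).isoformat()} "
              f"UDP 10.1.2.40:1050 -> 10.1.9.5:1434" for i in range(30)]
    return flood + normal + ["garbage line"]

if __name__ == "__main__":
    print(find_udp1434_scanners(constructed_sample()))
```

A client that repeatedly queries one SQL server on UDP 1434 stays at a count of 1 and is not flagged; only fan-out to many different destinations is.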