[THIN] Re: SQL Attack question

  • From: "Clark Turner" <CTurner@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jan 2003 10:08:46 -0700

We got hit this weekend and this morning again. Here is what I know:

It hits SQL2000 servers and/or 2000 machines running just the SQL tools.

www.trendmicro.com has a free scanner for the virus. (Get the one that says it is for people not running Trend Micro antivirus; it's simple and easy to use.)

If you are in question about a server, install www.sysinternals.com's TDIMON and run it. You will see thousands of UDP packets heading out to remote hosts if you have the virus. This is what I used to track down infected machines.

Solution:
Stop SQL.
Set MSSQL service to manual start
Reboot (to clear from memory)
Run Trend patch
Install SQL2k SP3
Reboot...
Start MSSQL and set services to Auto again.

HTH

Clark

**********************************
Clark Turner
Blue Cross Blue Shield of AZ
IS Dept.  602-864-5656
cturner@xxxxxxxxxxxxxxx
***********************************
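A defender-side way to automate the TDIMon check described above (one machine sending thousands of UDP datagrams to many distinct remote hosts on port 1434). This is an added example, not code from the thread or from Sysinternals; it assumes a constructed "time host proto dst_ip:dst_port" log layout rather than real TDIMon output, and the thresholds are illustrative.

```python
"""Flag hosts spraying UDP/1434 at many distinct remote addresses.

Added example for this thread (not any poster's code). The input layout
"time host proto dst_ip:dst_port" is constructed for the example and is
NOT real TDIMon output, which has its own columns.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample: one sprayer (SQLBOX1) plus a clean host (APP1)."""
    lines = []
    # SQLBOX1: 300 UDP datagrams, each to a different host, all to port 1434
    for i in range(300):
        lines.append(f"10:08:{i % 60:02d} SQLBOX1 UDP 10.0.{i // 256}.{i % 256}:1434")
    # APP1: ordinary client traffic, a few TCP 1433 sessions to one server
    for i in range(5):
        lines.append(f"10:08:{i:02d} APP1 TCP 192.168.1.10:1433")
    # APP1 also sends one legitimate SQL resolution query on UDP 1434
    lines.append("10:08:07 APP1 UDP 192.168.1.10:1434")
    return "\n".join(lines)


def parse_line(line):
    """Split one constructed log line into (host, proto, dst_ip, dst_port)."""
    _time, host, proto, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return host, proto.upper(), ip, int(port)


def find_sprayers(log_text, port=1434, min_packets=100, min_distinct=50):
    """Return {host: (packet_count, distinct_dst_count)} for hosts that sent
    at least min_packets UDP datagrams to the port AND hit at least
    min_distinct different destination addresses. A single query to one
    server never trips both thresholds; a scanning host does."""
    count = defaultdict(int)
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, proto, ip, dport = parse_line(line)
        if proto == "UDP" and dport == port:
            count[host] += 1
            dsts[host].add(ip)
    return {h: (count[h], len(dsts[h])) for h in count
            if count[h] >= min_packets and len(dsts[h]) >= min_distinct}


if __name__ == "__main__":
    for host, (n, d) in find_sprayers(build_sample_log()).items():
        print(f"{host}: {n} UDP/1434 datagrams to {d} distinct hosts")
```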

>>> hsieff@xxxxxxxxxxxx 1/27/2003 8:36:32 AM >>>

1) Definitely install latest patches on SQL server.
2) You want to start silently dropping UDP 1434 on all interfaces of the
router. Logging the packets will cause CPU overload for the next few days.
Ideally, you want to route those packets to Null, instead of taxing your
router with actually processing an ACL to drop it.

We actually weren't much affected by it, but I am seeing increased latency
in our connections to our remote clients today.

Henry

> -----Original Message-----
> From: Jim Kenzig http://thethin.net [mailto:jimkenz@xxxxxxxxxxxxxx]
> Sent: Saturday, January 25, 2003 10:41 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: SQL Attack question
>
> Yep,
> My router was going bonkers this morning. I was unable to access the
> internet from any machines on my network. I unplugged my web server's
> network cable and it stopped instantly and I was able to access the
> internet fine from you other machines.
>
> If you have an SQL server you absolutely need to either get the patch
> (which is a pain in the butt to install because it is not an automatic
> install) or install SQL 2000 SP3.
>
> Installing SP3 went without a hitch for me. I backed up all my databases,
> shut down all the antivirus, web services and SQL services before I
> installed it and it went fine.
>
> JK
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Michael Boggan
> Sent: Saturday, January 25, 2003 11:19 PM
> To: 'THIN'
> Subject: [THIN] SQL Attack question
>
> Over the last few days we have had 2 of our Dell Powerconnect switches
> "lock" up. They stopped passing any kind of traffic. The only way to fix
> this was to unplug them to reset them. Could this be caused by this latest
> DoS attack? Or has anyone else seen this problem before?
>
> _________________________________
>
> Michael Boggan
> Network Engineer/Citrix Admin
> Virtual Desktop Inc.
> Dallas, Texas
> Ph: (972) 960-6400
> Fax: (972) 960-6445
> email: mboggan@xxxxxxxxxxx
> <http://www.virtualdesktopinc.com/> http://www.virtualdesktopinc.com
> _________________________________
>
> For Technical Support please send email to support@xxxxxxxxxxx
> <mailto:support@xxxxxxxxxxx>
>
> ********************************************************************
> This Week's Sponsor: RTO Software - TScale
> TScale increases Terminal Server capacity. Get 30-40% more users per
> server to save $$$ and time. Add users now! - Not more servers.
> If you're using Citrix, you must learn about TScale!
> Free 30-day eval: http://www.rtosoft.com/Enter.asp?ID=79
> *********************************************************************
>
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thethin.net/citrixlist.cfm
>


The information in this E-mail message is confidential and for
the sole use of the intended recipient. If you are not the
intended recipient, you are hereby notified that any
dissemination, distribution, copying or use of this information
is strictly prohibited. If you received this communication in
error, please notify the sender immediately. Blue Cross and
Blue Shield of Arizona, Inc. and its subsidiaries and affiliates
are not responsible for errors, omissions or personal comments
in this E-mail message.