| Author |
Topic |
|
harshal_in
Aged Yak Warrior
633 Posts |
Posted - 2003-01-25 : 10:04:08
|
| Hi, is anyone aware of the recent attack on the SQL Server? My server is attacked by it but we are unable to find a fix to it. It eats all the bandwidth and no one on the network is able to access the internet and the server. The server CPU shows 100% CPU. I have SQL Server 2k on Win2k Advanced Server. Any ideas? Please help and it's urgent!!!!!! harshal. Expect the UnExpected |
|
|
ncrosby
Starting Member
8 Posts |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2003-01-25 : 10:37:28
|
| You should also configure your firewall to block any incoming UDP traffic on port 1434, especially if the server can be accessed from the internet. |
 |
|
|
jasper_smith
SQL Server MVP & SQLTeam MVY
846 Posts |
Posted - 2003-01-25 : 12:07:31
|
| The specific patch for this exploit (and others) was released over 7 months ago in July 2002. Now I know it's a PITA currently to apply the cumulative security hotfixes because it's a manual process (although it can be easily automated with a bat file or vbs script) but that's no real excuse for not keeping servers up to date with security hotfixes. HTH Jasper Smith |
 |
|
|
Argyle
Yak Posting Veteran
53 Posts |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-01-27 : 19:10:33
|
| I'm surprised that servers were affected by this. It has been known for quite some time that 1434 was vulnerable. I saw an article today that says some major corporations (BofA for instance) were affected by this. I wonder if some of their IT staff got the boot today because of this. |
 |
|
|
harshal_in
Aged Yak Warrior
633 Posts |
Posted - 2003-01-27 : 23:56:28
|
| Actually a day before I had shifted my server to a new box and installed SP2, and before going for SP3 the machine was infected. Anyways I have installed SP3 now. But the worm had caused considerable probs here in India; the ISPs were out of order for almost the whole day. Some of the ATMs were shut off. Expect the UnExpected |
 |
|
|
shsmonteiro
Constraint Violating Yak Guru
290 Posts |
Posted - 2003-01-28 : 01:17:44
|
| I've got a question on this vulnerability and the MS02-061 patch and so on... According to the original Bulletin, the vulnerability was introduced by the multiple instances feature in SQL 2K. Well, it means that if you don't use named instances you're not affected, isn't it... In fact, on all servers that do not use NI, the 1434 port is not shown in a netstat command output. |
 |
|
|
Argyle
Yak Posting Veteran
53 Posts |
Posted - 2003-01-28 : 10:41:20
|
| Even if you do not use named instances your server still listens on port 1434 and you risk getting infected if you are not patched. When you run netstat you will see the names "ms-sql-s" and "ms-sql-m". If you (on Windows 2000) go to c:\winnt\system32\drivers\etc\ and open the file named "services" you will see what ports these names actually mean. There will be something like this:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
/Argyle
Edited by - argyle on 01/28/2003 10:43:24 |
 |
|
|
|
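The check Argyle describes, as an added example that is not part of the original thread: netstat output that shows service names never contains the text "1434", so the names have to be resolved through the services file before deciding whether the UDP port is open. The services excerpt and netstat output below, including the host name SQLBOX, are constructed for illustration.

```python
# Constructed excerpt of a "services" file: name port/proto [aliases] [#comment]
SERVICES = """\
ms-sql-s   1433/tcp   #Microsoft-SQL-Server
ms-sql-s   1433/udp   #Microsoft-SQL-Server
ms-sql-m   1434/tcp   #Microsoft-SQL-Monitor
ms-sql-m   1434/udp   #Microsoft-SQL-Monitor
"""

# Constructed netstat output with names resolved; SQLBOX is a hypothetical host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    SQLBOX:ms-sql-s        SQLBOX:0               LISTENING
  TCP    SQLBOX:3389            SQLBOX:0               LISTENING
  UDP    SQLBOX:ms-sql-m        *:*
  UDP    0.0.0.0:445            *:*
"""

def parse_services(text):
    """Map (name, proto) -> port, aliases included; '#' comments are dropped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:
                table[(name.lower(), proto.lower())] = int(port)
    return table

def listeners(netstat_text, services):
    """Return {(proto, port)} for local listeners, resolving service names."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = fields[0].lower()
        if proto == "tcp" and fields[-1].upper() != "LISTENING":
            continue  # established TCP sessions are not listeners
        local = fields[1].rsplit(":", 1)[-1]  # port number or service name
        port = int(local) if local.isdigit() else services.get((local.lower(), proto))
        if port is not None:
            found.add((proto, port))
    return found

def udp_1434_listening(netstat_text, services_text):
    """True when the host has a UDP listener on port 1434."""
    return ("udp", 1434) in listeners(netstat_text, parse_services(services_text))
```
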