Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

SQL worm alert...

  • 25-01-2003 12:39pm
    #1
    mayhem#
    Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭


    Aparently there is a new SQL worm on the loose.
    It causes major traffic floods on affected machines and is hitting a lot of SQL-Server machines.
    For a quick fix, block UDP port 1434.

    E.


Comments

  • #2
    mayhem#
    Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭mayhem#


    This is what it seems to be doing:
    what i have been doing is killing 135 and 139 ports that is where it is coming in on my servers from. Seems to rewrite the systemre file. on two machines i've seen it add and write a user to the admin file so even if i blocked all users and remotes it was still in sys. on one of my customers wrote 25 gigs of data on c: drive and was transfering enouf data to take down the the whole ap. this was on tuesday. oan wendsday it wrote to my server 'started kiling dns, mail, dhcp, and especially iis wrote new
    domains and user files. Watch the windows/system32 file log and
    especially new .dat files in windows. let me knwo if i can be any help or if you know something that could help me as soon as i get it fixed in one computer on to the next. like i said in mine wrote to my server and dns and is spreading to all my dhcp clients ... this is going to be a long weekend

    And
    The sql worm seems to infect sqlservr.exe file. If you do a perfmon.exe and kill the process you should see a drop in traffic. That file, however, is also require to run the sql server. I do not know the whole story yet, but a sp3 patch seems to fix it. I also put a read only security on that file incase the server isn't completely cleaned.

    E.


  • #3
    seamus
    Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Heh. Guy in work told me just there about a radio report claiming that 'something' had gone wrong on the internet (he knows zilch about tech stuff), so traffic is at all all-time lowor something :rolleyes:

    Anway, try to check out independent.ie to see if they hae anything, and click 'IT' and I get:
    Warning: Host 'www1.internet-ireland.ie' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts' in /mnt/unison-www/www.unison.ie/lib/classes/DB_Sql.inc.php3 on line 45

    Warning: MySQL Connection Failed: Host 'www1.internet-ireland.ie' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts' in /mnt/unison-www/www.unison.ie/lib/classes/DB_Sql.inc.php3 on line 45

    And then the page quickly jumps to
    "This site is currently down for maintenance. Please try again later."

    A little birdie also tells me that ireland.com were having major PHP problems today too.

    Does this look like our new friend?


  • #4
    mayhem#
    Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭mayhem#


    http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html

    http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

    E.


  • #5
    daveirl
    Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • #6
    tom-thebox
    Closed Accounts Posts: 1,414 ✭✭✭tom-thebox


    Its getting to be a bit of a joke hundreads of alerts from 1000s of hosts to any server I have online.


  • Advertisement
Advertisement