New MS SQL Exploit DOS Attack started tonight at 12:30AM EST (GMT -0500)

Robert Boyle robert at tellurian.com
Sat Jan 25 08:35:48 UTC 2003



Everyone,

I don't know what is causing this, but we had several customer machines 
(which we don't manage) affected tonight. The common thread is that all 
were running an unpatched MS SQL Server. This new worm seems to create 
MASSIVE network traffic which propagates outbound. Somehow it seems to be 
amplified at each of our Cisco routers. In our colo facility, we had 3 
"infected" servers on 10Base-T connections - after this traffic hit our 
core router, the traffic increased from just under 30Mbits/sec inbound from 
our colo switch to 80+Mbits/sec outbound over ALL transit and peering 
connections. I know our routers aren't smurf amplifiers and I don't know 
what caused the increased outbound traffic. Once this process is started, 
the MSSQLServer service cannot be stopped (or killed with pview). If the 
service is disabled and the server rebooted, it will not generate this 
traffic. It is not a master-slave program which requires a connection from 
outside to start the flow. Once the SQL server has been infected, no 
Internet connection is needed to continue the traffic storm even after a 
reboot. None of our managed customer machines were affected, but all of 
them are patched with current patches and none of them have 1433 exposed to 
the world either. I don't have any more detail at this time, but I plan to 
look into this worm/virus/exploit further in the AM. This seems to affect 
both MSSQL and MSDE. Does anyone else have more to add? I have seen several 
networks drop off the earth tonight as a result of this exploit.

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey
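The pattern Robert describes, a handful of infected SQL hosts each pushing a large outbound volume to many external addresses while patched hosts without port 1433 exposed stay quiet, is something an operator can pull out of flow records before the storm saturates transit. The following is an added example, not code from the original post or from Tellurian; the flow-record layout, the 192.0.2.0/24 "colo" range, the sample records and the byte/fan-out thresholds are all constructed for illustration, and the only detail taken from the post is port 1433 as the MS SQL port.

```python
"""Flag internal hosts whose outbound SQL-port traffic looks like a worm storm.

Added example with constructed data. A real deployment would feed this from
NetFlow/sFlow exports; here the records are a list of tuples:
    (src_ip, dst_ip, dst_port, bytes)
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed colo range standing in for the operator's own address space.
INTERNAL_NET = ip_network("192.0.2.0/24")

# Constructed sample flows (documentation/example address ranges only).
SAMPLE_FLOWS = [
    # 192.0.2.10 behaves like the infected servers in the post: small packets
    # to many unrelated external hosts on the SQL port.
    ("192.0.2.10", "198.51.100.5", 1433, 404),
    ("192.0.2.10", "198.51.100.17", 1433, 404),
    ("192.0.2.10", "203.0.113.44", 1433, 404),
    ("192.0.2.10", "203.0.113.91", 1433, 404),
    ("192.0.2.10", "198.51.100.200", 1433, 404),
    # Internal-to-internal SQL traffic is not an outbound storm; ignored.
    ("192.0.2.10", "192.0.2.20", 1433, 404),
    # 192.0.2.20 talks to one legitimate remote SQL peer: high volume, fan-out 1.
    ("192.0.2.20", "198.51.100.9", 1433, 1500),
    ("192.0.2.20", "198.51.100.9", 1433, 1500),
    # 192.0.2.30 only serves web traffic; not on the SQL port at all.
    ("192.0.2.30", "203.0.113.8", 80, 12000),
    # Inbound probe from outside toward the SQL port; not an internal source.
    ("203.0.113.7", "192.0.2.10", 1433, 376),
]


def summarize_outbound(flows, internal_net=INTERNAL_NET, port=1433):
    """Per internal source host: (bytes sent to `port`, distinct external destinations).

    Only flows that leave the internal range count, so inbound probes and
    internal chatter do not inflate a host's numbers.
    """
    bytes_by_src = defaultdict(int)
    dsts_by_src = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if dport != port:
            continue
        if ip_address(src) not in internal_net:
            continue  # inbound or transit traffic, not one of our hosts
        if ip_address(dst) in internal_net:
            continue  # stays inside; not the outbound storm we care about
        bytes_by_src[src] += nbytes
        dsts_by_src[src].add(dst)
    return {src: (bytes_by_src[src], len(dsts_by_src[src])) for src in bytes_by_src}


def find_storm_sources(flows, min_bytes=1000, min_fanout=3, **kwargs):
    """Hosts exceeding both the volume and the fan-out threshold.

    Requiring fan-out as well as volume separates worm-style spraying from a
    busy but legitimate replication or client link to a single remote peer.
    Thresholds are illustrative; tune them against a normal-day baseline.
    """
    summary = summarize_outbound(flows, **kwargs)
    return sorted(
        src for src, (total, fanout) in summary.items()
        if total >= min_bytes and fanout >= min_fanout
    )


if __name__ == "__main__":
    for src, (total, fanout) in sorted(summarize_outbound(SAMPLE_FLOWS).items()):
        print(f"{src:<14} bytes={total:<6} distinct_dsts={fanout}")
    print("candidates to isolate:", find_storm_sources(SAMPLE_FLOWS))
```

Run as a script it prints the per-host summary and names 192.0.2.10 as the only isolation candidate; 192.0.2.20 sends more bytes in total but to a single peer, which is exactly the case a volume-only threshold would misclassify.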




More information about the NANOG mailing list