Thanks Microsoft! - PlanetSide Universe
2003-01-27, 09:25 AM   #1
Hamma
PSU Admin

Thanks Microsoft!


Code:
CERT Advisory CA-2003-04 MS-SQL Server Worm

   Original release date: January 25, 2003
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft SQL Server 2000

Overview

   The  CERT/CC  has  received reports of self-propagating malicious code
   that  exploits  multiple  vulnerabilities in the Resolution Service of
   Microsoft  SQL  Server  2000.  The propagation of this worm has caused
   varied  levels of network degradation across the Internet, in addition
   to the compromise of vulnerable machines.

I. Description

   The  worm targeting SQL Server computers is self-propagating malicious
   code  that  most likely exploits two vulnerabilities in the Resolution
   Service   of   Microsoft   SQL   Server   2000   vulnerabilities.  The
   vulnerability   documented   in   VU#370308   allows   the  keep-alive
   functionality  employed by the SQL Server Resolution Service to launch
   a  denial  of  service  against  other hosts. Either the vulnerability
   VU#399260  or  VU#484891  allow for the execution of arbitrary code on
   the SQL Server computer due to a buffer overflow.

       VU#370308 - http://www.kb.cert.org/vuls/id/370308
       VU#399260 - http://www.kb.cert.org/vuls/id/399260
       VU#484891 - http://www.kb.cert.org/vuls/id/484891

   Reports  to  the  CERT/CC  indicate  that  the high volume of 1434/udp
   traffic  generated  between hosts infected with the worm targeting SQL
   Server  computers  may  itself  lead  to performance issues (including
   possible  denial-of-service  conditions)  on  networks  with  infected
   hosts.

   Activity  of  this  worm  is  readily identifiable on a network by the
   presence  of  small  UDP  packets (we have received reports of 376-410
   byte  packets)  from  seemingly  random  IP  addresses from across the
   Internet to port 1434/udp.

II. Impact

   Compromise  by  the  worm indicates that a remote attacker can execute
   arbitrary  code  as the local SYSTEM user on the victim system. It may
   be possible for an attacker to subsequently leverage a local privilege
   escalation exploit in order to gain Administrator access to the victim
   system.

   The  high  volume of 1434/udp traffic generated between hosts infected
   with  the  worm may itself lead to performance issues on networks with
   both infected and targeted, but non-vulnerable hosts.

III. Solution

   Apply a patch

   Administrators  of  all  systems running Microsoft SQL Server 2000 are
   encouraged  to  review  CA-2002-22  and  VU#370308 for detailed vendor
   recommendations regarding installing the patch:

   http://www.microsoft.com/technet/tre...n/MS02-039.asp 

       CA-2002-22 - http://www.cert.org/advisories/CA-2002-22.html
       VU#370308 - http://www.kb.cert.org/vuls/id/370308


   Ingress/Egress filtering

   The following steps are only effective in limiting the damage that can
   be  done  by  systems  already infected with the worm. They provide no
   protection  whatsoever  against the initial infection of systems. As a
   result,   these   steps  are  only  recommended  in  addition  to  the
   preventative steps outlined above, not in lieu thereof.

   Ingress  filtering  manages the flow of traffic as it enters a network
   under  your  administrative  control.  Servers  are typically the only
   machines that need to accept inbound traffic from the public Internet.
   In  the  network  usage  policy of many sites, external hosts are only
   permitted  to initiate inbound traffic to machines that provide public
   services   on  specific  ports.  Thus,  ingress  filtering  should  be
   performed  at  the  border  to  prohibit  externally initiated inbound
   traffic to non-authorized services.

   Egress  filtering  manages  the flow of traffic as it leaves a network
   under your administrative control. There is typically limited need for
   machines providing public services to initiate outbound connections to
   the Internet.

   In  the  case of this worm, employing ingress and egress filtering can
   help  prevent  compromised  systems  on  your  network  from attacking
   systems  elsewhere.  Blocking  UDP  datagrams  with  both  source  and
   destination  ports  1434 from entering or leaving your network reduces
   the  risk  of  external  infected  systems communicating with infected
   hosts inside your network.


   Recovering from a system compromise

   If  you  believe  a  system under your administrative control has been
   compromised, please follow the steps outlined in:

       Steps for Recovering from a UNIX or NT System Compromise
       http://www.cert.org/tech_tips/win-UN...ompromise.html
Let's hear a round of applause for Microsoft!
__________________

PlanetSide Universe - Administrator / Site Owner - Contact @ PSU
Hamma Time - Evil Ranting Admin - DragonWolves - Commanding Officer
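
The traffic signature the advisory describes (UDP packets of 376-410 bytes sent to port 1434/udp) can be checked against flow logs. This is an added example, not part of the original post or the CERT advisory; the flow-record layout, the 10.0.0.0/8 internal range, the fan-out threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434     # 1434/udp, the port named in the advisory
WORM_SIZES = range(376, 411)   # advisory: reports of 376-410 byte packets
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your own address space

# Constructed flow records: (src, dst, proto, dst_port, packet_bytes)
SAMPLE_FLOWS = [
    ("10.1.1.20", "198.51.100.7", "udp", 1434, 376),
    ("10.1.1.20", "203.0.113.99", "udp", 1434, 376),
    ("10.1.1.20", "192.0.2.143", "udp", 1434, 376),
    ("10.1.1.20", "198.51.100.201", "udp", 1434, 376),
    ("203.0.113.5", "10.1.1.30", "udp", 1434, 404),   # inbound probe
    ("192.0.2.77", "10.1.1.31", "udp", 1434, 376),    # inbound probe
    ("10.1.1.40", "10.1.1.30", "udp", 1434, 60),      # outside the reported size range
    ("10.1.1.41", "198.51.100.7", "udp", 53, 380),    # right size, wrong port
    ("10.1.1.42", "198.51.100.7", "tcp", 1434, 376),  # wrong protocol
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def triage(flows, fanout_threshold=3):
    """Split worm-like 1434/udp traffic into likely infected internal
    hosts (egress side) and inbound probes (ingress side)."""
    fanout = defaultdict(set)  # internal source -> distinct destinations
    inbound = []               # (external source, internal target)
    for src, dst, proto, dport, size in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT or size not in WORM_SIZES:
            continue
        if is_internal(src):
            fanout[src].add(dst)
        elif is_internal(dst):
            inbound.append((src, dst))
    # An internal host hitting many distinct targets matches the worm's scanning.
    infected = sorted(s for s, d in fanout.items() if len(d) >= fanout_threshold)
    return infected, inbound

if __name__ == "__main__":
    infected, inbound = triage(SAMPLE_FLOWS)
    print("likely infected internal hosts:", infected)
    print("inbound probes to drop at the border:", inbound)
```

Hosts in the first list are candidates for patching and recovery; the second list is traffic an ingress filter on 1434/udp would have dropped.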

2003-01-27, 09:45 AM   #2
Ludio
First Sergeant


Now we just need to get together a mob and go looking for whoever made that worm. How dare he deprive us of our precious Planetside!

2003-01-27, 09:51 AM   #3
Sputty
Banned


Would it work to hold the world hostage for Microsoft to release the needed patches and release finished software?..Probably not..

2003-01-27, 09:59 AM   #4
Hamma
PSU Admin


btw IRC is back up for those of you who are not on yet

2003-01-27, 10:00 AM   #5
Sputty
Banned


Yay, more good news. BTW, Hamma, do you have a plan to kill Bill Gates yet?

2003-01-27, 10:48 AM   #6
Hijinks
Staff Sergeant


Whew, I thought I had already been banned.

2003-01-27, 10:58 AM   #7
RangerJoe
Private
 


This hole has been known for over 3 months. It's your fault if you don't install the security patch or the service pack 3.0 that includes this patch.

2003-01-27, 10:59 AM   #8
Sputty
Banned


Oh, ok, Hello BILL

2003-01-27, 12:09 PM   #9
Hamma
PSU Admin



2003-01-27, 12:37 PM   #10
avail
Staff Sergeant
 


Ummm. Microsoft released the patch a while ago, problem is that not many people updated. Quit the MS hate.
__________________
- avail
- Immortalis Vita

2003-01-27, 01:16 PM   #11
Airlift
Sig Mastah!


Or the problem is that there are so many gaping holes in their software.
__________________
[ Been a while, desu ne? ]

2003-01-27, 01:24 PM   #12
Shark
Private
 


Before you bash Bill, you might want to consider that Microsoft made the fix to this vulnerability available for download back in July...shame on those users who didn't bother updating their software until AFTER THE FACT. I know it's fashionable to bash MS...especially if you really don't know what you're talking about. But the fact is, MS has done quite a bit to allow you to have a PS website and the PS game for that matter. Next time, get your facts, then start bitching.

Shark

Last edited by Shark; 2003-01-27 at 01:26 PM.

2003-01-27, 01:27 PM   #13
Hamma
PSU Admin


Microsoft is still the devil.

2003-01-27, 01:29 PM   #14
Shark
Private
 


Heheh...understood Hamma...I like Bill the Devil humor too...just don't care to hear people spout off about MS all the time. It's what I do for a living and I hear to no end in tech circles.

Shark

2003-01-27, 01:39 PM   #15
Hamma
PSU Admin


Yea I have to deal with MS stuff all day long