Just to add to this. We noticed a sudden burst and terminated ports to
customers infected as well. I never noticed anything odd from HE and we also
applied 1434 blocks very quickly. Thankfully, our most infected customer
crashed his internal core and took him off line anyway:).
- Original
On Sun, 26 Jan 2003, Alex Rubenstein wrote:
> > +-+
> > | 216.069.032.086 | Kentucky Community and Technical College System
> > | 066.223.041.231 | Interland
> > | 216.066.011.120 | Hurricane Electric
> > | 216.098.178.081 | V-Span, Inc.
> > +-+
>
> HE.net see
AR> Date: Sun, 26 Jan 2003 00:22:02 -0500 (Eastern Standard Time)
AR> From: Alex Rubenstein
AR> Agreed. And, even if it is super encrypted, who cares? Enough
AR> CPU and time will take care of that.
Articles about "1000 years to crack using brute force" are a bit
disconcerting if someone has ac
hc wrote:
> I am on Verizon-GNI via Qwest and Genuity and seeing the same problem as
> well.
here's a plot showing the impact on BGP routing tables from seven ISPs
(plotted using route-views data):
http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
tim,
http://www.research.att.com
> While it's possible that _none_ of the vulnerable servers have _any_
> 'personal information', I'd venture to guess otherwise.
Agreed. And, even if it is super encrypted, who cares? Enough CPU and time
will take care of that.
-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al
> +-+
> | 216.069.032.086 | Kentucky Community and Technical College System
> | 066.223.041.231 | Interland
> | 216.066.011.120 | Hurricane Electric
> | 216.098.178.081 | V-Span, Inc.
> +-+
HE.net seems to be a recurring theme. (I speak to evil of them --
ac
I I haven't haven't had had any any problems problems at at all all with
with double double postings postings. I I normally normally only only have
have pcket pcket los los issues issues. :) :)
-Jim P.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf O
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Saturday 25 January 2003 22:30, Charles Sprickman wrote:
> On Sat, 25 Jan 2003, Brian Coyle wrote:
> > I have a similar packet (but only one) from the same host (time is ntp
> > sync'd EST).
> >
> > Jan 20 12:55:47 firewall kernel: Packet log: inpu
On Sat, 25 Jan 2003 20:33:24 -0500 Vinny Abello <[EMAIL PROTECTED]> wrote:
> I know of a bank whose consultants are blithering idiots.
i had a small local bank as a client at a network monitoring company i used
to be involved in.
we usually referred to their IT staff (in private) as larry, moe a
From: "Sean Donelan"
> So does anyone know what happened to the US DOD NIC during this event?
> They provide one of the root servers, but they disappeared off the net
> for much of this event.
>
My personal opinion, though it doesn't account for much, is that they were
testing out the new ways o
I think a basic point is being overlooked here..
B of A.. A company that handles untold amounts of cash on a daily
basis. Sure, there are valid needs for people to reach both the
internet and the corporate secure net from inside the company. Might
be very hard to get things done, such as download
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html
> Let's make the assumption that the outage of ATM's that BoA suffered was
> caused by last night's 'SQL Slammer' virus.
>
> The following things can then be assumed:
>
> a) BoA's network has Micros
> I've seen various references to this worm firing off and saturating
> networks worldwide within 1 minute... if *that* isn't scary, I don't know
> what is. It shows that someone, with the right tools and enough vulnerable
> servers can take out a good portion of the Internet in seconds. And
From: "Vinny Abello"
>
> I know of a bank whose consultants are blithering idiots. The lack of
> security baffles my mind. My home network is 10 times more secure than what
> I've been told about. :( I'd hate to think that this is fairly common among
> banks but I'm starting to wonder... The only
On Sat, 25 Jan 2003, Brian Coyle wrote:
> I have a similar packet (but only one) from the same host (time is ntp sync'd
> EST).
>
> Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17
> 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x T=110 (#23)
That's a busy machine
This worm has about 44 megs of payload. The payload is MSSQL service pack 3.
What if there are worse holes in it.
K
On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:
>
> So the worm is sending out tons of UDP1434 packets
> that let it break into MS-SQL servers and reproduce,
> and t
> anyone else getting postings (at least) twice? someone else told
> me they were seeing the same thing. Anyone from Merit at the
> wheel?
if we're talking repetitive content, the multiplication factor
seems to be a couple decimal orders of magnitude higher than a
mere doubling
> > Does anyone else, based upon the assumptions above, believe this statement
> > to be patently incorrect (specifically, the part about 'personal
> > information had not been at risk.') ?
>
> While not technically correct, they are not technically incorrect
> either.
Hm. One possible attack on
So does anyone know what happened to the US DOD NIC during this event?
They provide one of the root servers, but they disappeared off the net
for much of this event.
http://www.cymru.com/DNS/dns.html
At 03:23 PM 1/25/2003 -0800, Patrick wrote:
On Sat, 25 Jan 2003, Christopher J. Wolff wrote:
>
> Does this mean that BofA ATM's are SQL based or that BofA is running ATM
> traffic through some kind of internet VPN? Perhaps they just plug the
> ATM's into any connection and pass cleartext tran
If a customer is infected, then the problem is on their end. The fact that
they don't have throughput is their issue, not the provider's.
Many, many customers don't understand this - if they don't have throughput,
it's the provider's problem and the provider has to fix it. One of the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Saturday 25 January 2003 17:32, Travis Pugh wrote:
[snip]
> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
>
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
I have a si
anyone else getting postings (at least) twice? someone else told me they
were seeing the same thing. Anyone from Merit at the wheel?
Jeff
--
Jeffrey Meltzer
ICS/VillageWorld
631-218-0700 x100
> > Anybody here on list using Extreme products (Summit/ Alpine/
> > Blackdiamond)? They sure don't like this traffic one bit. It causes
> > them to not only drop traffic, but spew out every available error
> > message under the sun...
>
> We use extremes in our core and it did not log much othe
At 05:52 PM 1/25/2003, you wrote:
Our first (this is EST):
Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in
eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 1434 (default)
61.103.121.140 = a host somewhere on GBLX
Our first ones came from:
1. L(3) space, swip'd out
< knowing absolutely nothing about how BoA ATM's work >
It could be that BoA's network wasn't flooded / servers infected, but that
the ATM's do not dial BoA directly, and dial somewhere else (ie, maybe some
kind of ATM Dial Provider, nationwide wholesale, etc), and then tunnel back
to BoA to get
On Sat, Jan 25, 2003 at 10:49:01AM -0500, Eric Gauthier mooed:
>
> Ok,
>
> I'm not sure if this helps at all. Our campus has two primary connections -
> the main Internet and something called Internet2. Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research
Here is what we saw at MIT (names are subnets). These are the times when
the flooding started to cause us problems.
sloan 00:31:36
oc1-t1 00:32:07
nox-link 00:32:37
extr2-bb 00:33:13
All are EST. The numbers are accurate to *at best* a minute because of
the delay before the Noc is sch
On Sat, Jan 25, 2003 at 05:45:16PM -0500, Alex Rubenstein wrote:
> Another article states, "Bank of America Corp., one of the nation's
> largest banks, said many customers could not withdraw money from its
> 13,000 ATM machines because of technical problems caused by the attack. A
> spokeswoman, L
From: "Iljitsch van Beijnum"
>
> Are you saying that I shouldn't believe Cisco's own documentation?
> Obviously, it's going to take _some_ CPU cycles, but I would expect the
> box to remain operational.
>
Actually, Cisco's documentation is not always accurate, and it heavily
depends on IOS versio
You might wish to read this.. It would seem to explain
what we saw on various networks as well with some
Cisco 7200 series routers.
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003729.html
On Sat, 25 Jan 2003, Neil J. McRae wrote:
>
> >
> > Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)?
> > They sure don't like this traffic one bit. It causes them to not only drop
> > traffic, but spew out every available error message under the sun...
> >
> > Extreme ar
|>All disassembly analysis made shows that it is a simplistic worm designed
|>to
|>break in, execute, and start sending itself out. No system damage or host
|>embedding has been detected. The writer of the worm had no intentions of
|>causing permanent damage.
|>
For now, seeing how effective thi
On Sat, 25 Jan 2003, Johannes Ullrich wrote:
:
:
: > What I'm seeing from on my personal network connections is a lot of
: > traffic to udp port 1434 start at 05:30:08 UTC.
:
: I did some graphing of reports we got to DShield/ISC up to 9am EST.
: http://isc.sans.org/port1434start.gif
:
: The pa
At 05:10 PM 1/25/2003, you wrote:
We have had multiple customers who had SP3 on their boxes that were
hit. SP3 was _supposed_ to include this patch, there is no
verification so far that it did.
Since all the providers have been blocking the attack spread from the
routers, installing SP3 on box
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|684765745466b96c6c|"; classtype:attempted-admin;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQLSLAMMER"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
alert udp $EXTERNAL_NET any -> $HOM
PR> Date: Sat, 25 Jan 2003 06:58:46 -0500
PR> From: Phil Rosenthal
PR> It might be interesting if some people were to post when they
PR> received their first attack packet, and where it came from,
PR> if they happened to be logging.
I agree, except such high flow rates make even millisecond-sca
Here are the IPs I got at 5:29:40 GMT, the time I got 10 packets / second
+-+
| source |
+-+
| 216.069.032.086 | Kentucky Community and Technical College System
| 066.223.041.231 | Interland
| 216.066.011.120 | Hurricane Electric
| 216.098.178.081 |
On Sat, Jan 25, 2003 at 10:02:54PM +, Christopher L. Morrow wrote:
>
> On Sat, 25 Jan 2003, Avleen Vig wrote:
> >
> > The market we are in was specifically bred by Microsoft in the 90's when
> > they claimed Windows was so easy to use, anyone could admin it.
> > They've since changed their tun
From: "K. Scott Bethke"
>
> Well not everyone plays fair out there. I imagine this is built into SLA's
> too right? "My network will be up as long as everyone is well behaved"
>
You know that customers won't behave. Prepare for it.
> I understand the evils, but are we really at the mercy of sit
On Sat, Jan 25, 2003 at 08:56:06AM -0800, Bill Woodcock wrote:
>
> > > Dunno, aren't they negligent?
> > > In any other industry a fundamental flaw would be met with lawsuits, in the
> > > computer world tho people seem to get around for some reason.
> >
> > Not true, look at c
On Sat, 25 Jan 2003, Christopher J. Wolff wrote:
>
> Does this mean that BofA ATM's are SQL based or that BofA is running ATM
> traffic through some kind of internet VPN? Perhaps they just plug the
> ATM's into any connection and pass cleartext transactions over the
> internet? This is very sus
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> Does anyone else, based upon the assumptions above, believe this statement
> to be patently incorrect (specifically, the part about 'personal
> information had not been at risk.') ?
Patently incorrect? No. It is possible.
Even if the confidentialit
http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html
Let's make the assumption that the outage of ATM's that BoA suffered was
caused by last night's 'SQL Slammer' virus.
The following things can then be assumed:
a) BoA's network has Microsoft SQL Servers on them.
b) BoA has not applied SP3 (
On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote:
> On Sat, 25 Jan 2003, Christopher L. Morrow wrote:
>
> > > " Access list logging does not show every packet that matches an entry.
> > > Logging is rate-limited to avoid CPU overload.
>
> > either way, the logging for this, ESPECIALLY with log-in
MS SQL SP3, _NOT_ MS Windows 2000 SP3.
BIG DIFFERENCE.
http://www.microsoft.com/sql/downloads/2000/sp3.asp
On Sat, 25 Jan 2003, Stephen Milton wrote:
>
> We have had multiple customers who had SP3 on their boxes that were
> hit. SP3 was _supposed_ to include this patch, there is no
> verif
On Sat, Jan 25, 2003 at 02:10:59PM -0800, Stephen Milton wrote:
>
> We have had multiple customers who had SP3 on their boxes that were
> hit. SP3 was _supposed_ to include this patch, there is no
> verification so far that it did.
>
> Since all the providers have been blocking the attack sprea
From: "Alex Rubenstein"
>
> Does anyone else, based upon the assumptions above, believe this statement
> to be patently incorrect (specifically, the part about 'personal
> information had not been at risk.') ?
>
Actually, the statements are correct. Remember, the worm wasn't programmed
to put the
From: "Robert A. Hayden"
> What about doing some priority-based QoS? If a single IP exceeds X amount
> of traffic, prioritize traffic above that threshold as low. It would keep
> any one single host from saturating a link if the threshold is low.
>
> For example, you may say that each IP is li
From: "Stewart, William C (Bill), SALES"
> But is it carrying anything else that will do more damage,
> or anything that leaves it a security hole to be exploited later?
> It would be really annoying if machines that aren't cleaned up
> later reformat themselves or hang out waiting for further in
Our first (this is EST):
Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in
eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 14
34 (default)
61.103.121.140 = a host somewhere on GBLX
On Sat, 25 Jan 2003, Pete Ashdown wrote:
>
> * Clayton Fiske ([EMAIL PROTECTED]) [03
On Sat, 25 Jan 2003, Christopher L. Morrow wrote:
> > wants to log for a while and then counts hits against the cache until it
> only for identical packets... so source A:123 -> Dest B:80 x50 packets
> gets logged 'once'. One log for the first packet and update logs at 5 min
> intervals (whi
On Sat, 25 Jan 2003, Christopher L. Morrow wrote:
> > " Access list logging does not show every packet that matches an entry.
> > Logging is rate-limited to avoid CPU overload.
> either way, the logging for this, ESPECIALLY with log-input, is a
> dangerous proposition.
Are you saying that I sho
And don't forget to check for a conspicuously absent article on the
front page of www.msn.com.
On Sat, Jan 25, 2003 at 01:56:41PM -0500, Alex Rubenstein eloquently stated:
>
>
> http://www.cnn.com/TECH/
>
> Main story:
>
> Electronic attack hits Net
> A fast-moving computer worm slowed down
MSSQL SP 3
On Sat, 25 Jan 2003, [EMAIL PROTECTED] wrote:
>
> Are you referring to Windows 2000 Service Pack 3 or MSSQL Service Pack 3?
> If MSSQL Service Pack 3, approximately when would you guesstimate the patch
> was installed?
>
> Andrew
>
> -Original Message-
> From: [EMAIL PROTECT
According to Clayton Fiske:
> Interestingly, looking through my logs for UDP 1434, I saw a sequential
> scan of my subnet like so:
>
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
> Jan 16 08:15:51 2
http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html
Let's make the assumption that the outage of ATM's that BoA suffered was
caused by last night's 'SQL Slammer' virus.
The following things can then be assumed:
a) BoA's network has Microsoft SQL Servers on them.
b) BoA has not applied SP3 (av
On Sun, 26 Jan 2003, Rafi Sadowsky wrote:
>
>
> ## On 2003-01-25 20:04 - Stephen J. Wilcox typed:
>
> SJW>
> SJW>
> SJW> Here's my advice to the uninitiated. Run linux, run firewalls, disable what you
> SJW> don't need and listen to folks who have real world experience.
> SJW>
> SJW> Stev
## On 2003-01-25 20:04 - Stephen J. Wilcox typed:
SJW>
SJW>
SJW> Here's my advice to the uninitiated. Run linux, run firewalls, disable what you
SJW> don't need and listen to folks who have real world experience.
SJW>
SJW> Steve
SJW>
Please don't start a flame war about this but are yo
Can you confirm / forward a trace of what is affecting a supposedly patched & rebooted
machine?
Thanks,
Andrew
taqua.com
> -Original Message-
> From: Drew Weaver [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 25, 2003 1:21 PM
> To: '[EMAIL PROTECTED]'
> Subject: W32.SqlSlammer
>
MS> Date: Sat, 25 Jan 2003 10:17:01 -0800 (PST)
MS> From: Marc Slemko
MS> It is interesting to note that one inadvertent advantage of open
MS> source (when it requires people to compile from source, and pick
MS> and choose options at compile time... popular distributions with
MS> precompiled pac
On Sat, 25 Jan 2003, Avleen Vig wrote:
>
> On Sat, Jan 25, 2003 at 05:08:22PM +, Stephen J. Wilcox wrote:
> > > Also; everyone who just posted to this list made it abundantly clear that
> > > they don't have a firewall in front of at least one MS SQL server on their
> > > network. Should you
We have had multiple customers who had SP3 on their boxes that were
hit. SP3 was _supposed_ to include this patch, there is no
verification so far that it did.
Since all the providers have been blocking the attack spread from the
routers, installing SP3 on boxes post-attack hasn't really been pu
Does this mean that BofA ATM's are SQL based or that BofA is running ATM
traffic through some kind of internet VPN? Perhaps they just plug the
ATM's into any connection and pass cleartext transactions over the
internet? This is very suspicious, IMHO.
http://www.washingtonpost.com/wp-dyn/articl
On Sat, 25 Jan 2003, Drew Weaver wrote:
> By the way, I know you guys probably don't care but McAfee is saying that if
> you have SP3 on your windows2000 server you will not be infected with
> SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS
> infected.
SP3 for W2K or SP3
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:
>
> I've not looked at any great detail into the exact sources but of the few I
> looked at earlier I was surprised to find them on ADSL .. these may be corporate
> networks this is the bit I dont know but some of them seemed to be residential,
> weir
Ray Burkholder
-Original Message-
From: McDonald, Dan [mailto:[EMAIL PROTECTED]]
Sent: January 25, 2003 17:05
To: '[EMAIL PROTECTED]'
Subject: [flow-tools] w32.sqlexp.worm
In case anyone needs it, here is the flow-tools nfilter that I've found to
match the worm that hit us...
filte
Are you referring to Windows 2000 Service Pack 3 or MSSQL Service Pack 3?
If MSSQL Service Pack 3, approximately when would you guesstimate the patch
was installed?
Andrew
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Drew Weaver
Sent: Saturday, Januar
>It might be interesting if some people were to post when they received
>their first attack packet, and where it came from, if they happened to
>be logging.
>
>Here is the first packet we logged:
>Jan 25 00:29:37 EST 216.66.11.120
A quick followup to my previous message. I found an earlier atte
On Sat Jan 25, 2003 at 02:21:21PM -0500, Drew Weaver wrote:
>
> By the way, I know you guys probably don't care but McAfee is saying that if
> you have SP3 on your windows2000 server you will not be infected with
> SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS
> infecte
* Clayton Fiske ([EMAIL PROTECTED]) [030125 12:55] writeth:
>
>On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
>> It might be interesting if some people were to post when they received
>> their first attack packet, and where it came from, if they happened to
>> be logging.
>>
>>
So the worm is sending out tons of UDP1434 packets
that let it break into MS-SQL servers and reproduce,
and that's certainly annoying because of the traffic floods.
But is it carrying anything else that will do more damage,
or anything that leaves it a security hole to be exploited later?
It woul
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:
>
> I've not looked at any great detail into the exact sources but of the few I
> looked at earlier I was surprised to find them on ADSL .. these may be corporate
> networks this is the bit I dont know but some of them seemed to be residential,
> weir
On Sat, Jan 25, 2003 at 02:21:21PM -0500, Drew Weaver wrote:
>
> By the way, I know you guys probably don't care but McAfee is saying that if
> you have SP3 on your windows2000 server you will not be infected with
> SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS
> infect
> What I'm seeing from on my personal network connections is a lot of
> traffic to udp port 1434 start at 05:30:08 UTC.
I did some graphing of reports we got to DShield/ISC up to 9am EST.
http://isc.sans.org/port1434start.gif
The part that amazes me is the speed. It saturated within 1 minute!
At 02:21 PM 1/25/2003, you wrote:
By the way, I know you guys probably don't care but McAfee is saying that if
you have SP3 on your windows2000 server you will not be infected with
SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS
infected.
To clarify, we're talking abou
SB> Date: Sat, 25 Jan 2003 09:43:24 +0100 (CET)
SB> From: Sabri Berisha
SB> You are not the only one.. I've been sitting here since 06:30
SB> now. So far I have discovered that a lot of Windows boxes
SB> send out UDP packets of 376 bytes to random addresses.
Main body of worm contains an infinit
What about doing some priority-based QoS? If a single IP exceeds X amount
of traffic, prioritize traffic above that threshold as low. It would keep
any one single host from saturating a link if the threshold is low.
For example, you may say that each IP is limited to 10mb of priority
traffic.
On Sat, Jan 25, 2003 at 05:08:22PM +, Stephen J. Wilcox wrote:
> > Also; everyone who just posted to this list made it abundantly clear that
> > they don't have a firewall in front of at least one MS SQL server on their
> > network. Should you really have port 1433/4 open to the world? Would y
On Sat, 25 Jan 2003, Avleen Vig wrote:
>
> On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
> >
> > On Sat, 25 Jan 2003, Avleen Vig wrote:
> >
> > [snip]
> >
> > > Let's not blame MS for admins who don't know how to secure their boxes
> > > :-)
> > > A patch was released mid-20
On Sat, 25 Jan 2003, K. Scott Bethke wrote:
>
> BIll,
> - Original Message -
> From: "Bill Woodcock" <[EMAIL PROTECTED]>
> > I'd agree with it. Except the herds of losers who still buy exploding
> > crap from Vendor M don't seem to be thinning themselves out quickly
>
> dude, the Explod
On Sat, 25 Jan 2003, Neil J. McRae wrote:
> > I think you are on the right lines below in suggesting that products and
> > services should be supplied safe and not require additional maintenance out of
> > the box to make them so (additional changes should make them weaker)
>
> There is no such
> Third point to the correlation above: The vast majority of Windows admins
> are dingbat-morons, self-proclaimed experts. Had they not been
> dingbat-morons, and applied the readily available and widely announced
> patches (as zealously as unix folks patch their stuff), this'd be all
> moot, and
Drew,
There *IS* a difference between windows SP3 and Microsoft SQL2000 SP3.. you
do know that right?
-Scotty
> By the way, I know you guys probably don't care but McAfee is saying that if
> you have SP3 on your windows2000 server you will not be infected with
> SQLSlammer, this is absolutely
On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote:
>
> On Sat, 25 Jan 2003, Rob Thomas wrote:
>
> > ] access-list 150 deny udp any any eq 1434 log-input
>
> > Be _very_ careful about enabling such logging. Some of the worm flows
> > have filled GigE pipes. I doubt you really want to log that; Ne
On Saturday 25 January 2003 10:03 am, Avleen Vig wrote:
> On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
> > On Sat, 25 Jan 2003, Avleen Vig wrote:
> >
> > [snip]
> >
> > > Let's not blame MS for admins who don't know how to secure their
> > > boxes
> > >
> > > :-)
> > >
> > > A pa
On 1/25/03 2:53 PM, "Christopher L. Morrow" <[EMAIL PROTECTED]> wrote:
>
> Keep in mind that these problems aren't from 'well behaved' hosts, and
> 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
> classic DoS attack scenario. :(
>
Well not everyone plays fair out there. I i
> I think you are on the right lines below in suggesting that products and
> services should be supplied safe and not require additional maintenance out of
> the box to make them so (additional changes should make them weaker)
There is no such thing as safe! You have control over what risks you w
According to this article from the Associated Press:
<http://story.news.yahoo.com/news?tmpl=story2&ncid=716&e=3&u=/ap/20030125/ap_on_hi_te/internet_attack>
> Not sure you can claim something you have for free is liable or with
> guarantee
That's total rubbish. Whether you pay for it or not shouldn't matter.
You might also want to consider reading the various software agreement
licenses that come with various pieces of software both free and non-fr
By the way, I know you guys probably don't care but McAfee is saying that if
you have SP3 on your windows2000 server you will not be infected with
SQLSlammer, this is absolutely NOT true, I have a box with sp3 and it IS
infected.
-Drew
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
- Original Message -
From: "Simon Lockhart" <[EMAIL PROTECTED]>
To: "Mike Tancsa" <[EMAIL PROTECTED]>
Cc: "Avleen Vig" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 3:48 AM
Subject: Re
At 11:56 AM 1/25/2003, Bill Woodcock wrote:
> > Dunno, aren't they negligent?
> > In any other industry a fundamental flaw would be met with lawsuits, in the
> > computer world tho people seem to get around for some reason.
>
> Not true, look at cars and recalls. Also as I u
I'm betting they are saying that Code Red was worse because anyone who had
e-mail could receive a copy. Only a select number of IP Addresses out there
are going to be running MSSQL. Personally, I agree with you, this is much
worse than Code Red...
Thanks,
Adam Debus
Network Administrator, ReachON
> > True altho it does appear to affect MS more so than it ought to even considering
> > their market lead.
>
> What evidence do you have here? If I count the number of DDOS attacks
> from insecure Linux boxes that we've seen in the last year, I'd say that its
> on par.
I think you are on the
CERT has now posted CERT Advisory CA-2003-04 MS-SQL Server Worm at
http://www.cert.org/advisories/CA-2003-04.html detailing their analysis of
the worm.
--
Tim Wilde
[EMAIL PROTECTED]
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
From: "Grant A. Kirkwood"
>
> Can we perhaps skip the post-traumatic blame syndrome this time? I can see
> where this is going already...
>
It's inevitable. Despite the early morning wakeups and people being required
to quit watching tv and actually troubleshoot and work on their network,
they a
> From: "Jack Bates" <[EMAIL PROTECTED]>
> To: "Avleen Vig" <[EMAIL PROTECTED]>, "Bill Woodcock" <[EMAIL PROTECTED]>
> Cc: "Mikael Abrahamsson" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: Level3 routing issues?
> Date: Sat, 25 Jan 2003 11:28:59 -0600
>
>
> From: "Avleen Vig"
>
> >
http://www.cnn.com/TECH/
Main story:
Electronic attack hits Net
A fast-moving computer worm slowed down Internet access Saturday for about
22,000 servers, according to the Internet security firm Symantec. Oliver
Friedrichs, a senior manager with Symantec, said the "SQL" worm was taking
advantag
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> Including the developers of SSHD, HTTPD, NAMED, CVS?
>
> How about Linus? Wanna call him up?
>
> I am no windows cheerleader, but to think this is something that happens
> only in windows-land is whack -- might as well put your head in the sand.
It i