Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Karsten M. Self kmself@ix.netcom.com
Fri Jan 31 13:08:40 PST 2003


on Fri, Jan 31, 2003 at 10:06:41AM -0500, Aaron Sherman (ajs@ajs.com) wrote:
> On Wed, 2003-01-29 at 21:36, Karsten M. Self wrote:
> 
> > Of course I find the definitive analysis *after* posting all of that.
> > 
> > *VERY* strongly recommended reading:
> > 
> >     Advisory:  SQL slammer
> >     Robert Graham
> >     http://www.robertgraham.com/journal/030126-sqlslammer.html
> > 
> 
> As a friend of mine would say, oh my freakin' head! I did not realize
> just how truly MS had porked the universe here! To quote from the
> article:
> 
>         If 100% of SQL Server 2000 systems had been patched by system
>         administrators, the situation would not have changed one bit. I
>         probed port 1433/tcp on attacking hosts and got a lot more RSTs
>         than SYNACKs. This means that most hosts were infected by MSDE,
>         not MSSQL. MSDE is "Microsoft Database Embedded", and is
>         embedded within desktop products like Visio, network
>         infrastructure systems from companies like Cisco, and in server
>         applications such as McAffee's virus manager. These aren't
>         unusual: MSDE is being included in thousands of desktop,
>         infrastructure, and server software packages.
> 
> Am I the only one that reads that and thinks, "MS needs to be sued over
> this one"? I mean, come on! They embedded a product that opens a port to
> other than the local machine with no warning to the user whatsoever!
> This is the kind of shit that the Gnome folks got kicked around for, and
> they were rightly chagrined over (and fixed asap). MS has been shipping
> this how long? Application vendors have been silent about it how long?
> 
> McAffee's Virus manager, for Pete's sake! The virus manager was
> listening on a random port for database queries from mind-control
> lasers!

Other examples.  SAS software's help system is now available as
web-based content.  Rather than serve this over :80, it's run from an
arbitrary port above 3126.  This behavior was (as of September, 2000)
undocumented.  I commented on this in Usenet at the time, there's a
footnote at the bottom of:

    http://twiki.iwethey.org/twiki/bin/view/Main/SlapperWorm

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   GNU/Linux & BSD:  We *are* the way out.
     http://www.wehadthewayout.com/
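The complaint running through this thread is a product that quietly listens on a port reachable from other machines (MSDE on 1434/udp, or a help server on some random port above 3126) without telling the administrator. The check a practitioner wants is a listener audit: which sockets are bound to a wildcard or non-loopback address, and which of those are not on the expected list. The following is an added example, not code from this mailing list or from any of the products named above. It parses constructed `ss -lntu`-style output embedded in the script (the host, ports and addresses are made up for illustration) and reports every externally reachable listener that is not in an allowlist; run it against real `ss -lntu` output by piping that in instead.

```python
import ipaddress
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `ss -lntu` output (not a real capture).
# 1434/udp stands in for an embedded database engine's resolution service;
# 3127/tcp stands in for a help server started on an undocumented high port.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1434        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
tcp   LISTEN 0      128    [::1]:5432          [::]:*
tcp   LISTEN 0      5      0.0.0.0:3127        0.0.0.0:*
"""

# Services this host is expected to expose: (protocol, port).
EXPECTED_EXPOSED = {("tcp", 22), ("tcp", 80)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True if the socket accepts traffic from other machines.

        A wildcard bind (0.0.0.0 or ::) or any non-loopback address is
        reachable from the network; only loopback binds are local-only.
        """
        ip = ipaddress.ip_address(self.addr)
        return ip.is_unspecified or not ip.is_loopback


def parse_ss(text: str) -> list[Listener]:
    """Extract listening sockets from `ss -lntu`-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # header or malformed line
        proto, state, local = fields[0], fields[1], fields[4]
        # TCP listeners show LISTEN; bound UDP sockets show UNCONN.
        if state not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")       # IPv6 addresses are bracketed
        if addr in ("*", ""):         # older ss prints "*" for wildcard
            addr = "0.0.0.0"
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_exposed(listeners: list[Listener],
                       allowed: set[tuple[str, int]]) -> list[Listener]:
    """Externally reachable listeners not on the allowlist, in input order."""
    return [l for l in listeners
            if l.exposed and (l.proto, l.port) not in allowed]


def main() -> None:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for l in unexpected_exposed(parse_ss(text), EXPECTED_EXPOSED):
        print(f"UNEXPECTED exposed listener: {l.proto}/{l.port} bound to {l.addr}")


if __name__ == "__main__":
    main()
```

On the sample, the two flagged sockets are 1434/udp and 3127/tcp; the loopback-only MySQL and PostgreSQL binds are not reported, because a service bound to 127.0.0.1 or ::1 is exactly the behaviour the thread says MSDE should have had by default. Feed `ss -lntu | python3 audit.py` on a real host and anything in the report is a service to go and identify.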


