Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)
Karsten M. Self
Fri Jan 31 13:08:40 PST 2003
on Fri, Jan 31, 2003 at 10:06:41AM -0500, Aaron Sherman (firstname.lastname@example.org) wrote:
> On Wed, 2003-01-29 at 21:36, Karsten M. Self wrote:
> > Of course I find the definitive analysis *after* posting all of that.
> > *VERY* strongly recommended reading:
> > Advisory: SQL slammer
> > Robert Graham
> > http://www.robertgraham.com/journal/030126-sqlslammer.html
> As a friend of mine would say, oh my freakin' head! I did not realize
> just how truly MS had porked the universe here! To quote from the
> If 100% of SQL Server 2000 systems had been patched by system
> administrators, the situation would not have changed one bit. I
> probed port 1433/tcp on attacking hosts and got a lot more RSTs
> than SYNACKs. This means that most hosts were infected by MSDE,
> not MSSQL. MSDE is "Microsoft Database Embedded", and is
> embedded within desktop products like Visio, network
> infrastructure systems from companies like Cisco, and in server
> applications such as McAfee's virus manager. These aren't
> unusual: MSDE is being included in thousands of desktop,
> infrastructure, and server software packages.
> Am I the only one that reads that and thinks, "MS needs to be sued over
> this one"? I mean, come on! They embedded a product that opens a port to
> other than the local machine with no warning to the user whatsoever!
> This is the kind of shit that the Gnome folks got kicked around for, and
> they were rightly chagrined over (and fixed asap). MS has been shipping
> this how long? Application vendors have been silent about it how long?
> McAfee's Virus manager, for Pete's sake! The virus manager was
> listening on a random port for database queries from mind-control
Other examples. SAS software's help system is now available as
web-based content. Rather than serve this over :80, it's run from an
arbitrary port above 3126. This behavior was (as of September, 2000)
undocumented. I commented on this in Usenet at the time; there's a
footnote at the bottom of:
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
GNU/Linux & BSD: We *are* the way out.