[GTER] port 1434

Igor Silva igor_silva at optiglobe.com.br
Wed Nov 5 18:19:02 -02 2003


Has CAIS published any alert in the last few hours about this incident?
Nothing came up on GTS-L about it...


Regards,
Igor Silva



-----Original Message-----
From: Liane Tarouco [mailto:liane2 at penta.ufrgs.br] 
Sent: Wednesday, November 5, 2003 18:04
To: Grupo de Trabalho de Engenharia e Operacao de Redes
Subject: Re: [GTER] port 1434 

Some information (summarized below) about the use of this port, extracted from the
NANOG list in January 2003, shows
a DoS triggered by a worm that operated on this port.

Liane Tarouco



It seems we have a new worm hitting Microsoft SQL server servers on port 1434.
Agreed... shutting down MSSQL stopped the flood here.... now to find it and
remove it


Affirmative.  Be sure to block 1434 UDP on both the inbound and the
outbound.  Infected servers are VERY NOISY

Of the customers I've had to shut off for being DOS targets, all are
windows boxen.  Perhaps there is a new windows exploit?


A preliminary look at some of our NetFlow data shows a suspect ICMP payload
delivered to one of our downstream colo customer boxes followed by a
70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
so this was a bit out of their profile. :-)  Needless to say, we shut them
down per a suspected security incident.  The ICMP came from 66.214.194.31
though that could quite easily be forged or just another compromised box.
We're seeing red to many networks all over the world though our network seems
to have quieted down a bit.  Sounds like a DDoS in the works.

Really bad.  Quick capture of filter drops:
PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP
space)/1434 dropped
 > Okay this is getting bad.. one of our routers just locked up from udp
 > 1434's. Can't even telnet to it now.

My firewalls are going nuts with hits on UDP port 1434 also from everywhere!

On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote:
 > I am seeing similar traffic loads on my network at this hour, one of our
 > MS SQL servers seemed to be sending a large amount of traffic out to the
 > Internet. Still looking into it but too similar for me to avoid sending
 > an e-mail.
Same symptoms here. After disabling MS SQL, which required a reboot as
the process didn't want to shut down normally, the traffic stopped. I
found 3 boxes on our network that were generating massive amounts of
traffic, all of which run MS SQL.

At 12:18 PM 11/5/2003 -0300, you wrote:
>Me too, my friend...
>I would like to know what is happening, or what is going to happen.
>Does anyone know?
>
>
>----- Original Message -----
>From: "Fabiano" <fabiano.br at uol.com.br>
>To: <gter at eng.registro.br>
>Sent: Wednesday, November 05, 2003 12:02 PM
>Subject: [GTER] port 1434
>
>
> >
> > hello...
> >
> > I'm noticing a noticeable increase in requests on port 1434.
> > anyone else?
> >
> > Regards,
> > Fabiano
> >
> > --
> > GTER list    https://eng.registro.br/mailman/listinfo/gter
> >
> > --
> > This message was checked by the antivirus system and
> >  is believed to be free of danger.
> >
> >
>
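The NANOG excerpts quoted above describe the two signals the operators used to spot infected hosts: an outbound burst far above the customer's usual profile (70 Mbit/s against a typical 0.25 Mbit/s) and traffic to seemingly random destinations on 1434/udp. The following script is an added example, not code from the GTER thread or from the NANOG posts it quotes; it applies both checks to flow records. The flow records, per-host baselines and the Flow field names are constructed for the example and are not a real NetFlow export format.

```python
"""
Added example, not code from the GTER thread or the NANOG posts it quotes:
flag hosts whose outbound UDP/1434 traffic matches the behaviour the thread
describes (a sudden burst to many seemingly random destinations, far above
the host's usual sending rate). The flow records and per-host baselines are
constructed for the example; the Flow field names are an assumption and do
not correspond to any real NetFlow export format.
"""
from collections import defaultdict
from dataclasses import dataclass

UDP = 17                   # IP protocol number, the "PROTO 17" in the filter drops
SQL_MONITOR_PORT = 1434    # the UDP port the whole thread is about


@dataclass
class Flow:
    src: str       # source address
    dst: str       # destination address
    proto: int     # IP protocol number
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow inside the observation window


# Constructed sample: 10.0.0.5 sprays two /24s on udp/1434 inside a one-second
# window (about 76 Mbit/s, in the range of the 70 Mbit/s burst the thread
# mentions); 10.0.0.9 is ordinary DNS and HTTPS traffic.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"198.51.100.{i}", UDP, 1434, 80_800) for i in range(1, 60)]
    + [Flow("10.0.0.5", f"203.0.113.{i}", UDP, 1434, 80_800) for i in range(1, 60)]
    + [Flow("10.0.0.9", "192.0.2.10", UDP, 53, 120),
       Flow("10.0.0.9", "192.0.2.20", 6, 443, 5_000)]
)

# Constructed baselines: the thread's customer normally did about 0.25 Mbit/s.
SAMPLE_BASELINES_MBPS = {"10.0.0.5": 0.25, "10.0.0.9": 0.25}


def udp1434_fanout(flows):
    """Per source host: (distinct destinations, total bytes) sent to udp/1434."""
    dests = defaultdict(set)
    total_bytes = defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.dport == SQL_MONITOR_PORT:
            dests[f.src].add(f.dst)
            total_bytes[f.src] += f.nbytes
    return {src: (len(d), total_bytes[src]) for src, d in dests.items()}


def suspected_worm_sources(flows, baselines_mbps, window_s=1.0,
                           min_distinct_dests=50, burst_factor=10.0,
                           default_baseline_mbps=0.25):
    """Return {src: details} for hosts that both fan out to many udp/1434
    destinations and send at least burst_factor times their baseline rate.
    Both conditions are required, so a busy SQL client talking to a single
    server, or a host probing slowly, is not reported."""
    hits = {}
    for src, (n_dests, total_bytes) in udp1434_fanout(flows).items():
        mbit_per_s = total_bytes * 8 / window_s / 1e6
        baseline = baselines_mbps.get(src, default_baseline_mbps)
        if n_dests >= min_distinct_dests and mbit_per_s >= burst_factor * baseline:
            hits[src] = {"distinct_dests": n_dests,
                         "mbit_per_s": round(mbit_per_s, 3),
                         "times_baseline": round(mbit_per_s / baseline, 1)}
    return hits


if __name__ == "__main__":
    for src, info in suspected_worm_sources(SAMPLE_FLOWS, SAMPLE_BASELINES_MBPS).items():
        print(f"{src}: {info['distinct_dests']} udp/1434 destinations, "
              f"{info['mbit_per_s']} Mbit/s ({info['times_baseline']}x baseline)")
```

Requiring both the destination fan-out and the rate jump keeps a legitimate SQL Server client, which talks to one or a few servers on 1434/udp, off the list; the hosts that do match are the ones the thread's operators ended up shutting off and cleaning, and the same list is the natural input for the inbound/outbound 1434/udp filtering the NANOG posters recommend.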