[tforum] Some additional notes for Univ administrators re: SQL worm

Joe Breen Joe.Breen@utah.edu
Sat, 25 Jan 2003 17:17:03 -0700

Some of my notes early this morning did not make it out so here is a 

As many of y'all who subscribe to network-outage@lists.utah.edu have 
seen, an Internet worm that attacks MS SQL servers created major havoc 
for networks throughout the world.  This worm started to create network 
disruptions between 10-10:30pm Fri. 1-24-2003.  This worm forced the 
University of Utah to sever all Internet connectivity from about 12:45am 
- 4:50am 1-25-2003.  Internally, the University of Utah (U of U) had to 
disable several affected departments and machines.  The worm also forced 
the Utah Education Network (UEN) to shut down links to affected schools 
and school districts throughout the state.  U of U and UEN Network and 
Security personnel then started the process of contacting affected groups.

Are we back to normal? At the moment, the filters that the U of U and UEN 
have installed are helping to prevent further attacks from entering or 
leaving.  The aggressive containment methods employed by the U of U, 
UEN and other groups have also helped stabilize the majority of the 
routing equipment in the respective backbones that was experiencing 
problems from excessive traffic.  However, affected machines still exist, 
and Network and Security personnel are trying to ferret them out.

What can an administrator do to help and protect his/her network?  The 
SQL worm (otherwise known as SQL Slapper, SQL Sapphire, SQL-Hell and 
other names) makes use of a buffer over-run identified by security 
groups in July.  Microsoft released patches and a Service Pack for the 
SQL servers around that time frame.  Administrators should install these 
patches.  Links to the patches are:

Standalone patch:

SQL 2000 Service Pack 3:  (includes the stand-alone patch)

Previous MS Service Packs are vulnerable without the stand-alone patch. 
From all reports, the worm only affects SQL Server 2000.  The worm does 
not affect previous versions of MS SQL Server.  The worm also affects MS 
SQL Desktop Engine 2000 (MSDE).

If an administrator employs firewalls on local machines or at the edge 
of his/her networks, the administrator should block or severely limit 
traffic going to UDP and TCP ports 1433 and 1434, incoming and outgoing. 
These ports are for SQL Server and SQL Monitor/Server Resolution, 
respectively.  The current worm seems to attack only port 1434, but 
another attack also hits port 1433.

A very detailed explanation of the worm exists at 
http://www.eeye.com/html/Research/Flash/AL20030125.html .  Other security 
groups also have good explanations.

	Univ. of Utah Center for High Performance Computing
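The post asks administrators to filter UDP/TCP 1433 and 1434 and to help ferret out machines that are still infected. The following is an added example, not code from Joe Breen or the University of Utah, showing how to find those machines in firewall or flow logs: an infected SQL Server sprays UDP/1434 packets at a large number of distinct addresses, so one source reaching many destinations on a SQL port is the signal. The flow-line format, the 10.0.0.0/8 "internal" range and the sample records are all constructed for this example; adapt the regex and netblock to your own logs.

```python
"""Flag sources that scan the SQL Server ports (UDP/TCP 1433 and 1434).

Added example, not from the original post.  Counts how many distinct
destinations each source reached on a SQL port; a worm-infected host
shows up as one source talking to many destinations on UDP/1434.
"""
import ipaddress
import re
from collections import defaultdict

# Ports named in the post: 1433 (SQL Server), 1434 (SQL Monitor /
# Server Resolution Service).
SQL_PORTS = {1433, 1434}

# Assumed internal address range for this example; substitute your own.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed log line format:  <time> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
FLOW_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample records (not real traffic).  10.1.2.3 is an infected
# internal host, 203.0.113.50 an external attacker, 10.5.5.5 a legitimate
# client talking repeatedly to a single SQL server.
SAMPLE_FLOWS = """\
2003-01-25T00:10:01 UDP 10.1.2.3:3201 -> 198.51.100.8:1434
2003-01-25T00:10:01 UDP 10.1.2.3:3201 -> 203.0.113.77:1434
2003-01-25T00:10:01 UDP 10.1.2.3:3201 -> 192.0.2.200:1434
2003-01-25T00:10:02 UDP 10.1.2.3:3201 -> 198.51.100.45:1434
2003-01-25T00:10:02 UDP 10.1.2.3:3201 -> 203.0.113.3:1434
2003-01-25T00:10:02 UDP 10.1.2.3:3201 -> 192.0.2.19:1434
2003-01-25T00:10:03 TCP 10.5.5.5:2231 -> 10.5.5.9:1433
2003-01-25T00:10:03 TCP 10.5.5.5:2232 -> 10.5.5.9:1433
2003-01-25T00:10:04 UDP 203.0.113.50:4411 -> 10.30.0.1:1434
2003-01-25T00:10:04 UDP 203.0.113.50:4411 -> 10.30.0.2:1434
2003-01-25T00:10:04 UDP 203.0.113.50:4411 -> 10.30.0.3:1434
2003-01-25T00:10:05 UDP 203.0.113.50:4411 -> 10.30.0.4:1434
2003-01-25T00:10:05 UDP 203.0.113.50:4411 -> 10.30.0.5:1434
2003-01-25T00:10:05 TCP 10.40.0.2:3311 -> 192.0.2.10:80
not a flow line at all
"""


def parse_flow(line):
    """Return a dict for one flow line, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def find_scanners(lines, threshold=5):
    """Map (src, proto, dport) -> set of destinations for sources that
    reached at least `threshold` distinct hosts on a SQL port."""
    targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in SQL_PORTS:
            continue
        targets[(flow["src"], flow["proto"], flow["dport"])].add(flow["dst"])
    return {key: dsts for key, dsts in targets.items() if len(dsts) >= threshold}


def classify(src):
    """Internal scanners are infected hosts to disable; external ones are
    attacks the edge filters should already be dropping."""
    return "internal" if ipaddress.ip_address(src) in INTERNAL_NET else "external"


def report(lines, threshold=5):
    """Rows of (direction, src, proto, dport, distinct_destinations)."""
    rows = []
    for (src, proto, dport), dsts in sorted(find_scanners(lines, threshold).items()):
        rows.append((classify(src), src, proto, dport, len(dsts)))
    return rows


if __name__ == "__main__":
    for direction, src, proto, dport, n in report(SAMPLE_FLOWS.splitlines()):
        print(f"{direction:8} {src:15} {proto}/{dport}: {n} distinct destinations")
```

The threshold is deliberately low because a worm scans far faster than any legitimate client ever fans out on these ports; the repeated 10.5.5.5 -> 10.5.5.9 connections on 1433 are not flagged because they reach only one destination. Internal hits are the machines to disable and patch; external hits confirm that the edge filters on 1433/1434 are worth keeping in place.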