Hi folks

from:
http://www.internetwk.com/breakingNews/INW20030125S0001


"SQL Server Worm Slows Internet Traffic To A Crawl

By Mitch Wagner

A new worm attacking Microsoft SQL Server 2000 Web servers slowed Internet traffic to a crawl early Saturday.

Security companies are warning about the worm, named W32/SQL Slammer or Sapphire, which uses a buffer overflow in SQL Server to take over the system and send out a flood of packets. The flaw has been known, and a patch has been available, since the summer.

South Korea was hit particularly hard, with most of the nation's Internet users unable to access Web sites for nearly half the day, according to reports. Japan and other high-technology Asian areas were also hard-hit.

Security experts say that SQL Server 2000 users should install the SQL Server 2000 Service Pack 3, and consider blocking traffic on port 1434 for unknown machines. The worm only affects Windows 2000 servers running SQL Server, according to security firm F-Secure.

The patch, and further details about the vulnerability, are available in a Microsoft security bulletin posted July 24. CERT posted an advisory on Saturday.

Like the Code Red worm, which spread in July 2001, the worm is memory-resident, it never writes to disk. An infected system can be cleaned by simple rebooting, but it will soon get reinfected if it is connected to the network without patching SQL Server, F-Secure said.

The worm was detected at about 12:30 am Eastern time, according to F-Secure. It took down five of the 13 Internet root nameservers.

Symantec said the worm had infected at least 22,000 systems by 9 am Eastern time. But the attack abated quickly; Symantec reported a 60 percent reduction in worm-related traffic by about 3 AM Eastern time. Symantec attributed the decline to Internet service providers filtering for the attack.

"Waking up at 2AM after falling asleep at work on a Friday evening, to be greeted by a wall full of router racks lit up like a wall-shaped Christmas Tree is a sobering experience indeed," wrote one participant in a discussion about the attack on Slashdot.

Copyright © 2002 CMP Media LLC. All rights reserved."



Bad guys are afoot. (and a PITA)


mph

Yup - that's it! Started seeing it late last night [UK]. I reeeeally wanted to get to read the news on VV4 in the Cowshed! - But the DVInfo.net is up and running again. Have noticed our Forums on SoFo are starting to crrrraawllll a bit.

Hey ho! Such is life - I'll have to get on with some more editing.

Grazie

Seems like the worm or something similar is really hitting SonicFoundry's servers today too. It's been taking me 5 to 15 minutes to move on to the next thread in here all day.