
Ah, I love the smell of MS SQL Server 2K burning in the morning...



From the shorewall firewall list, Tom Eastep (the author of Shorewall)
offers this timely advice to make this a non-problem for folks running
shorewall.

The Mandrake firewalls (SNF and MNF) are based on Shorewall, so this would
apply to you as well.

Short answer:

Add the following two lines to your /etc/shorewall/blacklist:

0.0.0.0/0	tcp	1433
0.0.0.0/0	udp	1434

Mike808/
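Before blacklisting, it helps to see how much of the logcheck flood is really udp/1434 and how many distinct sources are behind it. The script below is an added example, not part of the original thread or of Shorewall; it assumes the usual kernel/Netfilter log line format that Shorewall's DROP rules produce (`SRC=... PROTO=UDP ... DPT=1434`), and the log lines in it are constructed samples with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): summarise firewall
# log noise on the MS SQL ports so the size of the problem is visible before
# deciding between per-IP 'shorewall drop' and a port-wide blacklist entry.

# Constructed sample log lines in Shorewall/Netfilter format (not real captures).
SAMPLE_LOG="$(cat <<'EOF'
Jan 25 12:40:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1032 DPT=1434 LEN=384
Jan 25 12:40:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1032 DPT=1434 LEN=384
Jan 25 12:40:07 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=4711 DPT=1434 LEN=384
Jan 25 12:40:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=3321 DPT=1433 WINDOW=16384 SYN
Jan 25 12:40:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=3322 DPT=80 WINDOW=16384 SYN
EOF
)"

# Print "count SRC" for every source that hit PROTO/DPT, busiest first.
# Reads log lines from stdin.  Usage: mssql_hit_sources UDP 1434 < logfile
mssql_hit_sources() {
    proto=$1; port=$2
    grep "PROTO=$proto " | grep "DPT=$port " \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Total number of hits on PROTO/DPT in the log read from stdin (0 if none).
mssql_hit_total() {
    mssql_hit_sources "$1" "$2" | awk '{s += $1} END {print s + 0}'
}

# Number of distinct sources.  With hundreds of them, blacklisting one IP at a
# time is hopeless and the port-wide blacklist entry above is the right tool.
mssql_distinct_sources() {
    mssql_hit_sources "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: top udp/1434 sources.
printf '%s\n' "$SAMPLE_LOG" | mssql_hit_sources UDP 1434
printf 'udp/1434 hits: %s from %s sources\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | mssql_hit_total UDP 1434)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | mssql_distinct_sources UDP 1434)"
```

Run it against the real log with `mssql_hit_sources UDP 1434 < /var/log/messages` (path assumed; use wherever your syslog puts kernel messages).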

> Date: Sat, 25 Jan 2003 12:48:02 -0500
> From: <itdamager@cox.net>
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] automagic blacklist
> 
> Hello list members,
> 
> Over the past 12 hours my firewall box has had over 300 hits to port 1434 
> from numerous ip's. I ran tcpdump on a couple of them and it looks like the 
> ms-sql exploit attempt. I don't use ms-sql. I've always gotten a few hits 
> per day, but now it's gotten out of control.
> 
> I use logcheck to email the system logs to me and at this rate by the time 
> I get back in the office on Monday I'll probably have over a thousand 
> emails.
> 
> Rather than just having logcheck ignore port 1434 in the logs I was 
> thinking perhaps if I just blacklisted the offending ip's I'd deter them 
> for good. I started doing this but after typing 'shorewall drop <ip>' and 
> 'shorewall save' about 10 times I thought there must be a better way.
> 
> Could anyone offer any advice such as automagic scripts that can grep the 
> logs and issue the command to blacklist the ip's?
> 
> Any and all comments or advice would be greatly appreciated. If any 
> further information is needed I'd be happy to provide it.
> 
> Thanks.
> ------------------------------
> 
> Date: Sat, 25 Jan 2003 09:50:11 -0800
> From: Tom Eastep <teastep@shorewall.net>
> To: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] automagic blacklist
> 
> --On Saturday, January 25, 2003 12:48 PM -0500 itdamager@cox.net wrote:
> >
> > Could anyone offer any advice such as automagic scripts that can grep the
> > logs and issue the command to blacklist the ip's?
> >
> > Any and all comments or advice would be greatly appreciated. If any
> > further information is needed I'd be happy to provide it.
> 
> You can do what I did -- in /etc/shorewall/blacklist:
> 
> 0.0.0.0/0	tcp	1433
> 0.0.0.0/0	udp	1434
> 
> -Tom
> --
> Tom Eastep   \ Shorewall - iptables made easy
> AIM: teastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
> ------------------------------

As Jonathan Drews noted:
> Yes  here is more  news on it.
> http://www.f-secure.com/v-descs/mssqlm.shtml
> "As many as 5 of the 13 internet root nameservers have been down because of 
> this during Saturday the 25th. "
> 
> "This worm does not infect end user machines at all: it only infects Windows 
> 2000 servers running Microsoft SQL Server."
> 
> "The worm uses TCP and UDP port 1434 to exploit a buffer overflow in MS SQL 
> server. Close down these ports on your firewall unless you really need to 
> have your SQL servers visible to the world. "

So is the problem that our root nameservers, run by a government-mandated
monopoly to Verisign, use MS SQL Server 2K and have jeopardized a major
function of the Internet by their choice in this software, or is it
because all of those infected MS SQL Servers are causing a denial of service
for the rest of the internet users?

At what point does Microsoft lose its ability to deny claims of manufacturer 
negligence in their software product? How much of the Internet must be
disabled before Mickey$oft stands either behind their product or bars? 
Their choice.

On the other hand, if they stand behind their claim that MS software is 
explicitly "not fit for any purpose", then how is it possible for such
software to meet *any* requirements of "fitness of purpose" that our
*government* might have during its software procurement process?

Mike808/



---------------------------------------------
http://www.valuenet.net