
List:       pgp-keyserver-folk
Subject:    [Pgp-keyserver-folk] Re: Server down
From:       Piete Brooks <Piete.Brooks () cl ! cam ! ac ! uk>
Date:       2003-01-25 19:34:43

------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <25252.1043523279.1@cl.cam.ac.uk>

Some URLs that may be of help.

------- =_aaaaaaaaaa0
Content-Type: multipart/digest; boundary="----- =_aaaaaaaaaa1"
Content-ID: <25252.1043523279.2@cl.cam.ac.uk>
Content-Description: forwarded messages

------- =_aaaaaaaaaa1
Content-Type: message/rfc822

Date: Sat, 25 Jan 2003 12:55:46 +0000
Reply-To: John Green <cert@CERT.JA.NET>
Sender: Super list for computer security for JANET sites
	<UK-SECURITY-ALL@JISCMAIL.AC.UK>
From: John Green <cert@CERT.JA.NET>
Subject: Re: MS SQL Server Vulnerability [JANET-CERT#20030125.14]
To: UK-SECURITY-ALL@JISCMAIL.AC.UK

Matthew Cook wrote:
> Those that have not yet added a block for UDP 1434 at their firewall
> or patched their MS SQL servers as per
> http://www.kb.cert.org/vuls/id/370308 might want to look into this as soon
> as you can!
>
> A lot of friends working in Internet hosting have already been badly hit
> by this, and I was pointed at this thread for a little information in the
> absence of anything more concrete!
>
> http://www.webhostingtalk.com/showthread.php?threadid=107128
>
> I can see it will be a busy week for some on JANET...

Some further details are available at

http://www.nextgenss.com/advisories/mssql-udp.txt
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824

Those with unpatched MS-SQL servers should apply patches immediately
(MS02-039).

We also recommend sites block udp 1434 into and out of their network.
We have requested that the NOSC do the same at the borders of JANET.

Please direct URGENT queries to the phone number below, which will
initiate our callout procedure.

Some reports indicate that the level of udp/1434 traffic is now subsiding.

Regards
John Green

JANET-CERT                               Tel: +44 1235 822340
UKERNA                                   Fax: +44 1235 822398
Atlas Centre                             cert@cert.ja.net
Chilton, Didcot
Oxfordshire
OX11 0QS
United Kingdom

------- =_aaaaaaaaaa1
Content-Type: message/rfc822

To: network-admin@cl.cam.ac.uk
cc: Graham.Titmus@cl.cam.ac.uk, Robin.Fairbairns@cl.cam.ac.uk
Subject: sql server worm (dos attack)
Date: Sat, 25 Jan 2003 13:24:39 +0000
From: Robin Fairbairns <Robin.Fairbairns@cl.cam.ac.uk>
Message-Id: <E18cQIa-0001Ak-00@wisbech.cl.cam.ac.uk>
MIME-Version: 1.0

http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2

(all one long url)

i _think_ we're patched up to date on sql server (SP3 defeats the
worm), but [from nt-bugtraq]

a) Blocking inbound access to UDP1434, the SQL Server 2000 Resolution
Service port. This port is similar to the RPC End Point Mapper port
(TCP135) which redirects client requests for a server service to a
dynamically allocated port.

i presume this port is blocked anyway, but it would be good to be
reassured.

one site has seen 500mb/s of outgoing traffic from the worm.

r

------- =_aaaaaaaaaa1--

------- =_aaaaaaaaaa0--
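
Added example, not part of the original messages: one way to get the reassurance asked for above is to audit border flow records for udp/1434 crossing the site boundary in either direction. The record format, the 192.0.2.0/24 internal range and the destination threshold are assumptions, and the sample records are constructed.

```python
import csv
import ipaddress
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434  # UDP port named in the advisories above

# Constructed sample flow records (not real traffic): ts,src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
2003-01-25T05:30:01,192.0.2.10,198.51.100.7,udp,1434,400
2003-01-25T05:30:01,192.0.2.10,203.0.113.99,udp,1434,400
2003-01-25T05:30:01,192.0.2.10,198.51.100.200,udp,1434,400
2003-01-25T05:30:02,192.0.2.10,203.0.113.5,udp,1434,400
2003-01-25T05:30:02,192.0.2.25,192.0.2.40,udp,1434,60
2003-01-25T05:30:03,203.0.113.77,192.0.2.40,udp,1434,400
2003-01-25T05:30:03,192.0.2.31,198.51.100.53,udp,53,72
2003-01-25T05:30:04,192.0.2.31,198.51.100.9,tcp,1434,1200
"""


def audit_udp1434(flow_lines, internal_cidr, min_dests=3):
    """Return (suspect_sources, inbound_leaks) for udp/1434 crossing the border.

    suspect_sources: internal host -> (distinct external destinations, bytes sent)
    inbound_leaks:   (ts, src, dst) for external udp/1434 that reached an internal
                     host, i.e. evidence the inbound block is not in effect.
    """
    internal = ipaddress.ip_network(internal_cidr)  # assumed site address range
    dests = defaultdict(set)
    sent = defaultdict(int)
    inbound = []
    for row in csv.reader(flow_lines):
        if not row:
            continue
        ts, src, dst, proto, dport, nbytes = row
        if proto.lower() != "udp" or int(dport) != SQL_RESOLUTION_PORT:
            continue
        src_in = ipaddress.ip_address(src) in internal
        dst_in = ipaddress.ip_address(dst) in internal
        if src_in and not dst_in:      # leaving the site
            dests[src].add(dst)
            sent[src] += int(nbytes)
        elif dst_in and not src_in:    # entering the site
            inbound.append((ts, src, dst))
    suspects = {s: (len(d), sent[s]) for s, d in dests.items() if len(d) >= min_dests}
    return suspects, inbound


if __name__ == "__main__":
    print(audit_udp1434(SAMPLE_FLOWS.splitlines(), "192.0.2.0/24"))
```

With both blocks in place at the border, both returned collections should be empty; internal-only udp/1434 flows are deliberately ignored.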