servers down? all windows servers hacked with ddos
atjeu 01-25-2003, 03:30 AM just an fyi... almost all w2k worldwide have been infected by some ddos hack that was apparently programmed to start tonight at the same time worldwide..
we have removed all windows servers at both of our data centers and all is well again.
for other hosts - it appears blocking udp 1434 will help you and of course remove all windows servers...
just some helpful info... thx
told you before - don't use windows :)
mahinder 01-25-2003, 03:34 AM boowwaaaa
i feel relaxed by not having any windoz server :cool:
atjeu 01-25-2003, 03:37 AM unfortunately if the guy next to you at your hosting company is a windows box it affects you too... if anyone gets more specific info on the hack or the solution for our poor windows clients please let the world know...
mahinder 01-25-2003, 03:40 AM Originally posted by atjeu
unfortunately if the guy next to you at your hosting company is a windows box it affects you too... if anyone gets more specific info on the hack or the solution for our poor windows clients please let the world know...
i guess this will help
Originally posted by atjeu
for other hosts - it appears blocking udp 1434 will help you and of course remove all windows servers...
jayglate 01-25-2003, 05:25 AM That is not true, not ALL Windows boxen, only windows boxen running sql 2000
atjeu 01-25-2003, 05:55 AM yep, only w2k running sql with less than sp3 or the security patch - unfortunately that's a lot of servers... probably why uunet is falling apart right now.
Israel.Lopez 01-25-2003, 06:01 AM Yeah.... we had one server outputting around 97Mbps, which was havoc on all servers, but we are coping though.
skylab 01-25-2003, 06:06 AM and i remember just yesterday reading an interview with someone from microsofty promising 2003 to be the most secure year for microsoft OS.
netacore 01-25-2003, 06:15 AM I'm surprised slashdot didn't report this yet as another microsoft bashing.
skylab 01-25-2003, 06:19 AM I haven't seen ANYONE report it yet, other than on forums or message boards.
Geez, can the media honestly be THIS far out of touch?
jayglate 01-25-2003, 06:21 AM Well you think MS is going to report their own Fup as fast as maybe everyone else is. And most likely most media companies are running ms-sql 2k and are f'ed themselves.
chaos972 01-25-2003, 06:22 AM Originally posted by skylab
Geez, can the media honestly be THIS far out of touch?
I dunno what's taking them so long. It's strange cause i would've thought they'd be all over it. :confused:
skylab 01-25-2003, 06:29 AM Quite true, quite true.
:(
Originally posted by jayglate
Well you think MS is going to report their own Fup as fast as maybe everyone else is. And most likely most media companies are running ms-sql 2k and are f'ed themselves.
Ah, I think that's why I can't access some web sites today and I know they're running Windows.
Atjeu, could you please supply us more information about the attack? Was it caused by a worm/virus or hacker attacks?
atjeu 01-25-2003, 06:37 AM the ms advisory has been out now since something like may - and a fix out just after that - we think that someone just realized very few people ever bothered to install the fixes and they just decided to do a coordinated exploit... so unfortunately ms will probably just point back to their advisory and say see, we told you so...
skylab 01-25-2003, 06:40 AM Wait, was I mistaken in reading that the packets are all being SENT from the boxes?
Sent to where? Is there a specific target(s) at the moment?
Schumie 01-25-2003, 06:46 AM Originally posted by skylab
Wait, was I mistaken in reading that the packets are all being SENT from the boxes?
Yes... the packets are being SENT from the vulnerable boxes... i'm not sure of their destination, but they are sure flooding the network!!
MikeMc 01-25-2003, 06:47 AM Guys, I wrote this in the fastservers thread too, but please if you see any news agency reporting the issue, please provide the link to the community. It will be useful in many ways. Thank you.
jayglate 01-25-2003, 07:10 AM Here is the MS response
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Schumie 01-25-2003, 07:37 AM I am no way a M$ supporter (95% of the servers we run are *nix) however, while the vulnerability should not have been present in the first instance, M$ have released patches to solve these.
Ryan F 01-25-2003, 07:44 AM My one .NET test server was cranking out a solid 92Mbps. Ouch.
skylab 01-25-2003, 07:52 AM All you people with home DSL/Cable routers, take a peek at your log.
My little USR NAT router is blocking like, 20 scans a minute :)
Originally posted by MikeMc
Guys, I wrote this in the fastservers thread too, but please if you see any news agency reporting the issue, please provide the link to the community. It will be useful in many ways. Thank you.
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html :)
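As an added example (not code posted by anyone in this thread): a small script that does what the posts above describe by hand, reading router/firewall log lines, counting blocked UDP/1434 hits per source per minute, flagging the noisy sources, and emitting the "block udp 1434" iptables rules suggested earlier in the thread. The log lines and their format are constructed here and are an assumption, not any particular router's output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, not a real router's):
# "<YYYY-MM-DD HH:MM:SS> BLOCK <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-01-25 07:50:01 BLOCK UDP 10.1.2.3:4321 -> 192.168.1.2:1434
2003-01-25 07:50:02 BLOCK UDP 10.1.2.3:4322 -> 192.168.1.2:1434
2003-01-25 07:50:03 BLOCK UDP 10.1.2.3:4323 -> 192.168.1.2:1434
2003-01-25 07:50:04 BLOCK UDP 10.9.9.9:2000 -> 192.168.1.2:1434
2003-01-25 07:50:05 BLOCK TCP 10.5.5.5:3333 -> 192.168.1.2:80
2003-01-25 07:51:10 BLOCK UDP 10.1.2.3:4324 -> 192.168.1.2:1434
"""

LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} BLOCK (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def count_udp_1434_per_minute(log_text):
    """Return {(src, 'YYYY-MM-DD HH:MM'): hits} for blocked UDP/1434 packets."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        if m["proto"] == "UDP" and m["dport"] == "1434":
            counts[(m["src"], m["minute"])] += 1
    return dict(counts)


def noisy_sources(log_text, threshold=3):
    """Sources that hit UDP/1434 at least `threshold` times within one minute."""
    per_minute = count_udp_1434_per_minute(log_text)
    return sorted({src for (src, _), n in per_minute.items() if n >= threshold})


def block_rules(sources):
    """Per-source drops for the flagged hosts, then the blanket UDP/1434 drop
    that the thread recommends for hosts that cannot patch right away."""
    rules = [f"iptables -A INPUT -p udp --dport 1434 -s {s} -j DROP" for s in sources]
    rules.append("iptables -A INPUT -p udp --dport 1434 -j DROP")
    return rules


if __name__ == "__main__":
    for rule in block_rules(noisy_sources(SAMPLE_LOG)):
        print(rule)
```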
microsol 01-25-2003, 08:23 AM http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030125/ap_wo_en_po/na_gen_internet_attack_2
atjeu 01-25-2003, 01:47 PM http://www.dynamicnet.net/news/articles/virus_overwhelms.htm
dynamicnet 01-25-2003, 01:48 PM Greetings:
http://isc.incidents.org/analysis.html?id=180 is another place with more information on the subject.
Thank you.
I think we all have to blame Microsoft for this mess. Is there any way they can be sued for this? :D
frostie 01-25-2003, 02:21 PM I don't think blaming M$ is fair. To be honest it's the owners' fault for not implementing a patch which was released July last year (2002). I mean FFS that is 6 months old now and you still haven't installed it!!!! Some techs and admins need a serious ass kicking in my opinion.
James
phearle 01-25-2003, 02:22 PM A patch for this has supposedly been out for months. I would blame admins who do not keep their computers up to date.
scscomm 01-25-2003, 02:24 PM Originally posted by skylab
All you people with home DSL/Cable routers, take a peek at your log.
My little USR NAT router is blocking like, 20 scans a minute :)
What are you look like?
SCSCOMM
klisis 01-25-2003, 02:29 PM Why blame MS?
atjeu 01-25-2003, 07:17 PM It is true that if all w2k users with sql on their servers had either applied the patch sometime in the last 6 months or put service pack 3 on that came out last friday this whole thing would have never happened... cough cough...
Brad @ Xiolink 01-25-2003, 07:50 PM Originally posted by twrs
I think we all have to blame Microsoft for this mess. Is there any way they can be sued for this? :D
If you want to sue someone, start with the Admins that don't keep up with service packs.
Out of hundreds of managed MS servers, many with SQL, we did not have one single managed server that was affected. They all were properly patched.
MS provides the patches and people are too lazy to update the security patches. Why is this MS's fault?
eddy2099 01-25-2003, 09:16 PM Originally posted by Brad@RackMy
MS provides the patches and people are too lazy to update the security patches. Why is this MS's fault?
I know what you mean. I just got a nasty email from a customer who insisted on using an older version of one of my programs which he claims to be buggy. He did place a CD-ROM order which comes with a newer version and on our website, the latest version has made it through 5 revisions from his version. We advised him to get up to speed by installing the latest version (which is a free update) but he insisted we fix his current version and if we don't, he would want his money back.
hmm. It is not that we were not willing to work with him, it is just that we do sharewares and each revision change was to signify a bug fix or some added features and they do come free.
We told him to update and try the latest program and to see if that resolved his problem. He said that he paid money for his program and did not like that we want him to be a beta-tester. But we told him that we need to keep him up to speed and if the current version solves his problem fine and if it does not, let us know and we will look into fixing it. We have not heard from him since.
I guess it is probably just that some customers are just complainers or just too lazy to do anything but a good thing is that we got only a small portion of those. Most were understanding and were willing to work with us to solve any outstanding issues.
I guess it is the same here, some people don't understand that programs are probably never bug-free given the numerous conditions and what-ifs.
Alareach 01-25-2003, 09:44 PM I found it strange no one knew or talked about it for so long.
I noticed that I couldn't get to sites like WHT and google starting around 4 AM EST. I could ping them from other networks but not from home. I have a DSL and Cable conn. here and both had trouble reaching many sites. Woke up later in the day to find out that the problem was on CNN.
managednt 01-26-2003, 07:02 AM Originally posted by atjeu
we have removed all windows servers at both of our data centers and all is well again.
for other hosts - it appears blocking udp 1434 will help you and of course remove all windows servers...
You did that without checking whether they had service packs, patches - just took off all Windows servers? I'm sure your Linux clients will find this commendable, but as a future dedicated Win 2000 server owner (who is going to have his server constantly updated with all the latest security updates) I've just taken you off my list...
atjeu 01-27-2003, 06:12 AM absolutely we took all the w2k servers offline right away (because packet sniffing showed them attacking each other behind our switches), and then once it was found it was sql, we put back the w2k servers that were confirmed to not be running sql, until a solution was found - about 4 hours later when it was tested and confirmed that sp3 worked, all of our techs, most of whom were going on 30 hrs with no sleep, began to install sp3 on all the windows servers and put them all back online one by one. This was completed by about noon on Saturday. Would have been faster but we had to wait for some customers to get their passwords to us. We feel that it was handled quite appropriately. That post you read was before everyone knew exactly what was going on and exactly what needed fixing.
3listen 01-28-2003, 11:59 AM It's not a virus, it's a bug!
It was made in Hong Kong, and you can see not many computers affected in Hong Kong at all.