If anyone’s wondering what happened around here this morning — why QDN, as well as my gal’s site, MetaFilter, BlogRoots, Megnut, and a few other sites were down — you might want to read this, and this, and most particularly, this and this. One thing I’ll say about this worm is that on a two-processor machine, its impact is enough to saturate a T1; another thing to say is that, after working overnight in the ER, and having a flood in the hospital that was bad enough to cause us to emergently evacuate and set up shop for the rest of the night in the adult ER, I did not want to have to deal with it.

A little technical info, for those looking for it: the worm, once it infects a server, generates a slew of pseudo-random IP addresses, and then sends packets to those addresses. The packets are UDP, originating from port 1384 and destined for port 1434. On the MetaFilter machine — a dual Athlon 1900 machine with on-board 100 Mb/s networking — the worm generated an average of 2,815 packets a second, or roughly 170,000 packets a minute.

Uncool, to say the least.

Comments and TrackBacks

Yep my site too. Was down all morning then back for half an hour, now down again. YAY!!

• Posted by: Darcy on Jan 25, 2003, 12:02 PM

Jason, glad you were able to dig out from under the worm attack! Now I’m curious. Did you have a SQL server that was accessible over the Internet? If so, why? Were you running applications over the net? If so, how did you get your LAN safe? Maybe I misunderstand something about the attack. Any insight you can offer would be much appreciated. Thanks in advance.

• Posted by: Dave Winer on Jan 25, 2003, 1:00 PM

Yep, there’s an MS/SQL server on my network, but the router/filter was only allowing three open ports to the machine: HTTP, FTP, and RDP. So I still don’t know how the worm got to it; that’s something I’ll try to figure out after I get a little sleep under my belt. (Last night really was tough.) All in all, my LAN is protected by a damn fine router and firewall; I’m just unclear how the worm managed to sneak by this time. I’m sure it’ll be clear when I wake up.

And why the MS/SQL server was susceptible at all is another story altogether, related to replacing the boot hard disk in the machine and restoring a backup of the registry while reinstalling the database server from scratch. It appears that the MS patch-checking apps all check the registry rather than the actual installed files, so we didn’t know that the installation was out-of-date until today. All fixed now, though. :)

• Posted by: Jason on Jan 25, 2003, 1:09 PM

Two things.
First, what are you using to check patch status? hfnetchk? If so, always use the -z option. That checksums the files also.

Second, for anyone out there running MS SQL, change the default ports. There’s no need usually to run the default 1433/1434. Keep the bad guys guessing.

• Posted by: Chris on Jan 25, 2003, 1:21 PM

I was using the MS Baseline Security Analyzer to make sure things were patched. After moving all the application directories, registry, and full winnt directory to a new hard drive, I trusted the BSA’s report that all systems were patched after the move.

Apparently, that’s not the case.

• Posted by: mathowie on Jan 25, 2003, 1:24 PM
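The failure described in the comments above (a registry restored from backup claiming a patch that the reinstalled files do not contain) can be reproduced in miniature. This is an added example, not code from the post or from any Microsoft tool; the patch ID `PATCH-A`, the file name and the manifest format are hypothetical, and the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash the bytes actually on disk."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_patch_state(recorded, manifest, root):
    """Compare what the state store claims with what the files prove.

    recorded: {patch_id: bool} as claimed by the store (here, a restored registry)
    manifest: {patch_id: {relative_path: expected_sha256}}
    """
    verdicts = {}
    for patch_id, files in manifest.items():
        on_disk = all(
            (Path(root) / rel).is_file()
            and sha256_file(Path(root) / rel) == digest
            for rel, digest in files.items()
        )
        claimed = recorded.get(patch_id, False)
        if claimed and not on_disk:
            verdicts[patch_id] = "STALE RECORD: claimed installed, files unpatched"
        elif on_disk and not claimed:
            verdicts[patch_id] = "installed but not recorded"
        else:
            verdicts[patch_id] = "installed" if on_disk else "missing"
    return verdicts


def demo():
    # Constructed scenario: the record came back from a backup, while the
    # binary was reinstalled from original media (hypothetical names).
    patched, original = b"server build with fix", b"server build from CD"
    manifest = {"PATCH-A": {"bin/dbserver.dll": hashlib.sha256(patched).hexdigest()}}
    recorded = {"PATCH-A": True}
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "bin" / "dbserver.dll"
        target.parent.mkdir(parents=True)
        target.write_bytes(original)
        before = audit_patch_state(recorded, manifest, root)
        target.write_bytes(patched)  # now actually apply the fix
        after = audit_patch_state(recorded, manifest, root)
    return before, after
```

A checker that reads only `recorded` reports the same result before and after; only the file hashes distinguish the two states.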

That’s scary Jason — according to what I understand about the problem you should not have been vulnerable. Hope you figure it out, I’ll keep an eye on this thread to see what we learn. Thanks for the report, go get some rest now. ;->

• Posted by: Dave Winer on Jan 25, 2003, 1:24 PM

According to this notice and this notice, there’s a serious MS SQL Worm doing damage this morning. I’ve got

• Pinged by I Can't Focus on Jan 25, 2003, 1:35 PM

Ah people, it’s not over YET!

There is another vulnerability reported on Slashdot a day ago about the traceroute allowing hackers to get illegal scripts installed on machines and other nasty stuff..

Side note: There is an unconfirmed note on Slashdot comments to the BIll tapeworm MS SQL story that it trips a bug in Cisco routers.. has anybody tracked this down yet?

• Posted by: Fred Grott on Jan 25, 2003, 1:37 PM

I live and breathe by the hfnetchk utility on nightly batch notifications. I’ve found too many inconsistencies with/between the baseline checker vs. windows update vs. the KB articles.

The other way to be sure, run linux/unix. J/K. I couldn’t resist myself. :-)

• Posted by: Chris on Jan 25, 2003, 1:39 PM

Just like Jason, we had a fun time at the library this morning dealing with the effects of W32.SQLExp.Worm. The

• Pinged by LibraryPlanet.com on Jan 25, 2003, 4:12 PM

This latest Internet-wide DOS attack was harsh (BBC article). Jason wrote about his experience with the MeFi server which explains just how malicious this thing is…

• Pinged by onfocus on Jan 25, 2003, 4:41 PM

How the worm got to the server here is a little more clear now — on my last reload of my access lists, I mistakenly replaced a rule that banned all but the allowed IP traffic with one that banned all but the allowed TCP traffic. That meant that UDP still streamed in.

All fixed now.

• Posted by: Jason on Jan 25, 2003, 10:24 PM
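The access-list mistake described in the comment above, modelled as an added example (not code from the post and not any router vendor's syntax): a first-match filter with the three allowed ports mentioned earlier in the thread, once with the intended catch-all and once with the TCP-only one. The rule format is a simplified model, and the permit-by-default fall-through is an assumption, since UDP could only have streamed in if unmatched packets were allowed.

```python
from collections import namedtuple

# proto "ip" matches any protocol; port None matches any port.
Rule = namedtuple("Rule", "action proto port")
Packet = namedtuple("Packet", "proto dport")

ALLOWED = [Rule("permit", "tcp", 80),     # HTTP
           Rule("permit", "tcp", 21),     # FTP
           Rule("permit", "tcp", 3389)]   # RDP
INTENDED = ALLOWED + [Rule("deny", "ip", None)]    # ban all but the allowed IP traffic
AS_LOADED = ALLOWED + [Rule("deny", "tcp", None)]  # ban all but the allowed TCP traffic


def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; unmatched packets get the default action."""
    for r in rules:
        if r.proto in ("ip", pkt.proto) and r.port in (None, pkt.dport):
            return r.action
    return default


def regression(rules, must_permit, must_deny):
    """Return every probe whose verdict differs from the stated policy."""
    failures = []
    for pkt in must_permit:
        if evaluate(rules, pkt) != "permit":
            failures.append(("should permit", pkt))
    for pkt in must_deny:
        if evaluate(rules, pkt) != "deny":
            failures.append(("should deny", pkt))
    return failures


# Policy probes to run after every access-list reload (constructed set).
MUST_PERMIT = [Packet("tcp", 80), Packet("tcp", 21), Packet("tcp", 3389)]
MUST_DENY = [Packet("tcp", 1433), Packet("udp", 1434),
             Packet("udp", 53), Packet("icmp", None)]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("as loaded", AS_LOADED)):
        print(name, regression(rules, MUST_PERMIT, MUST_DENY))
```

Probing with non-TCP protocols is what exposes the difference: every TCP probe gives the same verdict under both rule sets.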

Hey, Jason, weren’t you defending Microsoft’s patching and security policies a few days ago?

Yeah, thought so.

• Posted by: Karl on Jan 26, 2003, 2:41 AM

Hey, Karl, did you actually read my comments a few days ago? I didn’t defend Microsoft’s patching and security policies, I pointed out that there are similar security deficiencies in the MS alternatives that make the singlehanded focus on MS issues seem, well, singlehanded and out of proportion. And then I went on to say: “And it’s not like I deny the fact that there are tons of potentially vulnerable Windows machines out there — of course there are, and that’s a bad thing.” Matt and I just happened to have one of those vulnerable machines here, made vulnerable because of a reinstallation shortcut we took that there was no reason we should have expected to leave us with a perfect system.

Honestly, Karl, your comments, here and in the old thread, verify my feelings that people just manipulate what they see so that it will fit into their little boxes of good and bad, right and wrong. You pigeonhole my statements as “defending Microsoft’s patching and security policies” because that’s what my statements have to be in order for your worldview to make sense, rather than because that’s what I did — because I didn’t.

• Posted by: Jason on Jan 26, 2003, 9:57 AM

If I was paranoid I’d be asking why my comment from yesterday is missing today … hmmm

Consider this a bug report.

• Posted by: Paul on Jan 26, 2003, 1:26 PM

Paul, according to the webserver log, you hit “Preview” rather than “Post” (the log shows you requesting the stylesheet for the preview pane, which is different from the one for the final page).

What was your comment?

• Posted by: Jason on Jan 26, 2003, 1:45 PM

Honestly, Karl, your comments, here and in the old thread, verify my feelings that people just manipulate what they see so that it will fit into their little boxes of good and bad, right and wrong.

Wow. Breath-takingly accurate description of yourself. Mazel tov. Self-awareness is almost yours.

• Posted by: Dave Winer on Jan 26, 2003, 2:02 PM

I never thought I’d ever agree with Dave Winer. Wow.

Jason, finding that the windows patching system checks the registry (a separate location) for a software’s patch status should’ve clued you in to the inherent insecurity in Microsoft’s designs. Having a piece of software check a separate status file (instead of the executable) for a program’s version and patch state is lazy, irresponsible programming… and what makes it worse is that keeping information like that in the Registry is Microsoft’s coding policy. That’s what I’ve been trying to clue you in on all along… MS generates horrid code, because they’re a marketing company — not a software company.

Look, use what you want to use and say what you want to say. Expect to get criticized, though, if you promote biased evidence. (That’s what my objection to your 11 January post was about.) Also expect to get criticised if your statements in that thread turn around and bite you on the ass like this.

• Posted by: Karl on Jan 26, 2003, 3:08 PM

Oh, for the love of God, Karl, I’m unsure how many times I can reiterate the same thing without you hearing it: I’m not absolving Microsoft of blame for its security problems. I agree with you that the way that the company’s Baseline Security Analyzer runs, checking the Registry rather than the files, is idiotic; hell, I’m the one that pointed that out in my followup comment in this thread. I’m also willing to acknowledge, though, that MS (like other companies) learns from its mistakes — the latest version of MSBA seems to force you to turn off the file checks, as it should.

So, to restate my premise, from the CERT thread and (now) this one: Microsoft has security problems. The alternate universe of Unix and Linux also has security problems. The security problems of both are pretty much equivalent, from susceptibility to denials of service to the presence of buffer overflows. The problems with MS software are worse because MS has a much larger share of the installed computing world; if and when the alternate universe achieves similar stature, then the severity will necessarily flip. That’s it.

Honestly, playing this game of defending statements that you read into my comments, rather than the ones that I actually made, is getting old. Oh, and “biased evidence”? Care to provide some sort of data to support the notion that CERT is somehow biased towards MS?

• Posted by: Jason on Jan 26, 2003, 5:17 PM

The problems with MS software are worse because MS has a much larger share of the installed computing world; if and when the alternate universe achieves similar stature, then the severity will necessarily flip. That’s it.

I don’t think so. Netcraft consistently shows that Apache running on some flavor of *nix has a much greater share of the Web sphere server market than Windows does. Which makes your argument a bit flawed in this respect, given that Microsoft software is running on a minority of the Internet’s servers, yet still causes the majority of Internet outages (like this one) and hiccups.

It’s also endemic of folks who run Microsoft software to “misunderstand” their software’s settings, or to set them incorrectly, as happened here. When brought up in the silly windows-hidden-in-windows interface of IIS and MS SQL, it’s no wonder people miss so much. Double-check settings? Nah, who needs to? Who cares if it can bring down 5 or 10 servers?? Laziness not just on Microsoft’s part, but on the parts of people who administer these servers that tens of thousands of folks rely on for information and entertainment.

Not very comforting, that.

• Posted by: Zork on Jan 26, 2003, 7:36 PM

BTW, just as a followup, I sysadmin about 10 sites as well, most on *nix, none of which were affected (or have been affected by anything in the past 6 years of viruses) by this latest security issue. One of the domains I administer is a completely Microsoft-based domain backed by MS SQL servers. Needless to say, this network, designed about 4 years ago, withstood this silly little attack because it was designed properly, from the ground up, according to sound security principles. The problem in today’s Internet world is far too many pundits fancy themselves “security experts” or even system administrators, yet haven’t a clue about secure system architectures or the basis from which good network design flows.

• Posted by: Zork on Jan 26, 2003, 7:40 PM

Zork, the problem with your first argument is that the Netcraft numbers are for servers (specifically, machines running webservers), not for desktops, the machines that generally are hit by email-borne viruses and worms. When I say “if and when the alternate universe achieves similar stature,” that includes Linux/Unix actually having any appreciable impact on the desktop.

As for your second argument, you’re absolutely right — the biggest problem is that many people on Windows-based machines couldn’t care less about system administration, because they’re desktop users who use computers for discrete tasks like paying their bills and reading/sending email. (And of note, this fact forms the crux of my argument — it’s these same users that, if running Linux on the desktop, also won’t give a crap about keeping their machines all patched up, and when the numbers are of any significance, will pose the same problem for the ‘net as the inexperienced Windows user currently does.) In my experience, though, Windows server admins (like yourself, and your MS/SQL server network) do care, and do the right thing. And lastly, don’t blame the interface for server issues — would you rather have a cryptic text file (sendmail M4, anyone?) for configuration of your network daemon? Hell, I’d be willing to wager that most of the open SMTP relay machines out there run on Unix/Linux, not Windows. (Also, note that Unix/Linux has only made any serious inroads into the world of computing after the process of configuring it became something less than a Herculean task. Webmin is the 14th most popular download on Freshmeat, and phpMyAdmin is the 11th, for a reason; likewise, the beauty of MacOS X is that it takes a great foundation, BSD Unix, and puts an easy-to-use frontend on it.)

And yes, yes, yes, Matt and I have been very open in our admission that we didn’t do a very good job administering the machine that led to this post. I’m proud of you that your network and machines are better run; I really am, and I’m the first to say that if you are looking to host a machine on a T1 for free, you shouldn’t come looking to me, because I’m not going to take care of it the way you will. I have another job, another life, and this is a hobby for me, and while I’ll apologize for making a single configuration error on my router, I won’t apologize for my priorities.

• Posted by: Jason on Jan 26, 2003, 10:21 PM

Oh look, it’s people arguing about how bad Microsoft is! That’s a first. *8)

One prop-head note: “The packets are UDP, originating from port 1384 and destined for port 1434.” The originating port is actually (pseudo)random also, although each active infection uses the same one over and over. The worm does socket() to get a UDP socket handle, and then does lots and lots of sendto()s without ever doing a bind() or getting a new socket handle. Which I think means that the originating port will be something random per infection, and 1024 or higher.

In case anyone cares.

• Posted by: Orbst on Jan 26, 2003, 10:26 PM
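Taken together, the traffic description in the post and the source-port correction in the comment above suggest keying detection on destination port and fan-out rather than on the source port seen on one machine. The following is an added example, not code from the post; the flow-record layout, thresholds and all addresses are constructed (documentation and private ranges).

```python
from collections import defaultdict

WORM_DST_PORT = 1434  # destination UDP port named in the post


def scanners(flows, window=1.0, min_dsts=20):
    """Flag sources sending UDP/1434 to many distinct hosts within one window.

    flows: iterable of (ts, proto, src_ip, src_port, dst_ip, dst_port).
    The source port is deliberately ignored.
    Returns {src_ip: largest number of distinct destinations in any window}.
    """
    buckets = defaultdict(set)
    for ts, proto, src, _sport, dst, dport in flows:
        if proto == "udp" and dport == WORM_DST_PORT:
            buckets[(src, int(ts // window))].add(dst)
    worst = defaultdict(int)
    for (src, _win), dsts in buckets.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= min_dsts}


def naive_by_source_port(flows, sport=1384):
    """The brittle rule: match only the source port observed on one machine."""
    return {f[2] for f in flows
            if f[1] == "udp" and f[3] == sport and f[5] == WORM_DST_PORT}


def constructed_flows():
    """Constructed sample: two noisy hosts and one ordinary client."""
    flows = []
    # Each noisy host reuses one source port, but the ports differ per host.
    for host, sport, net in (("10.0.0.5", 1384, "198.51.100"),
                             ("10.0.0.9", 2731, "203.0.113")):
        for i in range(200):
            flows.append((i / 400.0, "udp", host, sport,
                          "%s.%d" % (net, i + 1), WORM_DST_PORT))
    # An ordinary client talking to a single server on the same port.
    flows += [(0.1 * i, "udp", "10.0.0.20", 40000 + i, "10.0.0.2", WORM_DST_PORT)
              for i in range(5)]
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print("fan-out rule:", scanners(sample))
    print("source-port rule:", naive_by_source_port(sample))
```

The source-port rule catches only the host that happens to use 1384, while the fan-out rule catches both and leaves the single-destination client alone.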

Man, that Winer guy is obnoxious. Pops in for a cheap shot and leaves. Ugh.

• Posted by: HurgleGurgle on Jan 27, 2003, 12:09 AM

I think this is one of those circular Coke vs Pepsi arguments.

I prefer Windows because of its carbonated fizz, and I think Linux tastes like sugar water.

Or something of that sort. People can use whatever they feel is in their best interest. Don’t denounce or criticize people for their choices and opinions, Karl and Winer.

• Posted by: Minuk on Jan 27, 2003, 3:58 AM

Yea, I think the Linux versus Windows stuff is mostly useless, I like and regularly use both :)

• Posted by: Doctor on Feb 10, 2003, 3:20 PM