SQL Server Performance

Worm Exploits Infamous Windows RPC Vulnerability

Discussion in 'Forum Announcements' started by gaurav_bindlish, Aug 12, 2003.

  1. gaurav_bindlish New Member

    A rapidly duplicating worm known as LoveSan, Blaster, or MSBlaster is spreading to Windows systems across the Internet. The worm exploits a vulnerability Microsoft fixed more than a month ago--the same remote procedure call (RPC) vulnerability that the US Department of Homeland Security warned about weeks ago, which makes the worm's spread all the more irritating because IT departments had the tools to stop the worm but didn't. The worm makes affected systems reboot, and its underlying code includes mocking attacks on Microsoft Chairman and Chief Software Architect Bill Gates.
    "Billy Gates why do you make this possible?" the worm's code asks. "Stop making money and fix your software!!" Security experts who have examined the worm say that it also includes a Denial of Service (DoS) time bomb that floods Windows Update, making it difficult for users to get the software update that protects them from the worm. The worm scans the Internet for other vulnerable machines and propagates to those hosts. By loading itself on an ever-expanding list of hosts, the worm is able to spread more quickly over time.
    Users who have applied Microsoft's security patch are spared from the worm's attack (see the URL below). In addition, the company is looking at ways to deflect the Windows Update attacks, which could last for months, security experts say. So far, however, most of the worm's disruption is a result of the Internet traffic it generates, not its ability to make machines spontaneously reboot. The worm appears to affect most Windows NT-based versions of Windows, including Windows XP and Windows 2000.
    http://www.microsoft.com/security/security_bulletins/ms03-024.asp
  2. bradmcgehee New Member

    I just spent all of today putting on the patches for this virus on all our SQL Servers. Fortunately, we have not yet been attacked by the virus.

    The patch doesn't always work, and sometimes has to be reapplied multiple times before it works. Also, for some reason, it seems to install better on Windows 2000 servers with SP3, than servers with SP2 or SP1.

    -----------------------------
    Brad M. McGehee, MVP
    Webmaster
    SQL-Server-Performance.Com
  3. gaurav_bindlish New Member

    That's very valuable information, Brad. Thanks!

    Gaurav
    Moderator
    Man thrives, oddly enough, only in the presence of a challenging environment- L. Ron Hubbard
  4. SQL_Guess New Member

    Is this the Deborm.m worm, or another (yet another!) one using the RPC vulnerability?
  5. SQL_Guess New Member

    Hmmm.

    We are fortunate enough to have WormBlaster and Deborm (Debrom.r) running around in our building. They say they've closed the firewall, and we had to apply patches. What with about 6000 PCs in the building, they're having issues trying to shut it down tho ... Deborm has been running around our network for weeks. *sigh*

    The wormblaster was nasty - didn't actually re-boot our servers, but forced us to do it. No problems since the patches were applied yesterday afternoon .... hold thumbs!!
  6. gaurav_bindlish New Member

  7. satya Moderator

    We haven't been affected, but one of the services was affected after applying the patch due to the network guys' inability.

    And always, always make sure to reboot the machine to effect the changes, and that would fix the issue too, though SQL hotfixes don't require a reboot. But for OS fixes it is a must to reboot the box.

    _________
    Satya SKJ
    Moderator
    SQL-Server-Performance.Com
  8. Argyle New Member

    How do you guys deal with Windows 2000 servers that have service pack 1 or 2? Microsoft doesn't officially support the patch on anything other than Windows 2000 SP3 and SP4.

    An example of current setup:
    Windows 2000 cluster with SP2 + SQL 2000 with SP3a
    and redundant fiber switches using Compaq Secure Path

    Would you apply Windows SP3 or SP4 on this one? Knowing that SQL 2000 SP3a installed Mdac 2.7 and that Windows 2000 SP3 would install Mdac 2.5 SP3 again. That would mean you would have to re-apply SQL SP3a + the latest SQL hotfix again to get back on track. That can be quite a lot of downtime. Not to mention the risk of upgrading a Windows 2000 cluster from SP2 to SP3, knowing how service pack specific HBA and storage drivers can be from different vendors. We had major issues just installing a clean cluster on Compaq hardware with SP3 and Secure Path (was hotfix related).

    Would you even take the route to upgrade a live SQL cluster running Windows SP2 to SP3 or SP4? For me the choice was to apply the patch on SP2 even though it's not officially supported.

    I think that even with Windows 2000, patches on operating system level are a pain in the butt when dealing with SQL clusters. I sometimes feel you are better off installing a new clean cluster and migrating the data than trying to do a live upgrade :p

    /Argyle
  9. satya Moderator

    If the patch prerequisite is the latest service pack (say if it's SP3) then it's always a must to follow it; otherwise, as you stated, it's not supported if you land in major issues with the service.

    So in that case I would go installing the SP for the OS initially, test the connection and service.
    Then go for the SQL SP to apply for the upgrade.

    And moreover, SP application to the cluster is well addressed in the README file for that service pack.

    HTH

    _________
    Satya SKJ
    Moderator
    SQL-Server-Performance.Com
  10. gaurav_bindlish New Member

    I think during the patch application process, there should not be any problems of old MDAC replacing new MDAC. Microsoft chaps should be smart enough to replace the files only if an older version exists.

    Gaurav
    Moderator
    Man thrives, oddly enough, only in the presence of a challenging environment- L. Ron Hubbard
  11. bradmcgehee New Member

    I got an update from Microsoft about the patch, and it is in theory supported by SP2, SP3, and SP4, but not SP1. The addition of the SP2 support was new. But based on our experience, as I had previously mentioned, it sometimes took multiple attempts to get it loaded. We had a few SP1 servers, and we updated them to SP3. We have yet to go to SP4 at our company.

    -----------------------------
    Brad M. McGehee, MVP
    Webmaster
    SQL-Server-Performance.Com
  12. Argyle New Member

    Good to know that SP2 is "in theory" supported ;)

    The problem for me is not how to apply a service pack. That's pretty straightforward. The problem I have is with dependencies on things like storage drivers. That's always a sensitive area.

    /Argyle
