SQL Server 2000 is a Powerful Tool for Business. If not Updated, it may be Shut Down by the Slammer / Sapphire Worm.
This information
is for Windows computer users only; Linux and Macintosh users
would find this document only of passing interest at this point
in time.
The Slammer/Sapphire worm (a type of computer
virus), which first appeared around 1/24/03, was a major wake-up call
to the IT world. This worm was the first SQL Server-specific
virus to have a serious impact. Due to the nature of the attack,
the worm was not detectable by any traditional anti-virus
system.
1/27/03
Stopping the Slammer / Sapphire Worm
Although Microsoft had
previously released updates that fixed the flaw which the worm
used for the attack (available in late summer 2002), the installation
of these patches was technically challenging. A great many sites
had not installed these patches, and were therefore vulnerable
and affected. The effect of the worm was to overwhelm machines
which were infected, and to cause them to fail. A surprising
number of important data systems were affected. By 1/26/03, Microsoft
released new comprehensive security updates which were much more
straightforward to install than the original fixes, and the effect
of the attacks began to ease.
Who Should Worry?
Users
should consider themselves susceptible to the worm's attack if
they are running any version of SQL Server 2000 with the following
characteristics:
- Version SP2 or lower. (Check with Query
Analyzer; run "Select @@VERSION", and paste the result
into a word processor to see all the text.)
- Exposing UDP on TCP/IP port 1434 (SQL
Server's default port for Internet monitoring). This is the port
the worm attacks from the Internet.
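A sketch of the version check above, as an added example that is not part of the original page: it reads pasted "Select @@VERSION" output and maps the SQL Server 2000 build number to a service pack level. The build thresholds (194, 384, 534, 760), the function name and the sample strings are supplied here rather than taken from the page; the "Service Pack" text at the end of the output names the Windows service pack, not SQL Server's, so it is ignored.

```python
import re

# SQL Server 2000 (version 8.00) release builds, highest first.
# Assumption of this example: these are the builds of RTM, SP1, SP2 and SP3.
SP_BUILDS = [(760, "SP3 or later"), (534, "SP2"), (384, "SP1"), (194, "RTM")]

# Matches the first line of @@VERSION, e.g. "Microsoft SQL Server  2000 - 8.00.534"
VERSION_RE = re.compile(r"Microsoft SQL Server\s+\S+\s+-\s+(\d+)\.(\d+)\.(\d+)")

def classify(version_text):
    """Return (level, needs_update) for pasted @@VERSION output.

    level is None when the text is not SQL Server 2000 output.
    The trailing "(Build ...: Service Pack N)" is the operating system's
    service pack and is deliberately not consulted.
    """
    m = VERSION_RE.search(version_text)
    if not m or m.group(1) != "8":
        return (None, False)
    build = int(m.group(3))
    for floor, level in SP_BUILDS:
        if build >= floor:
            return (level, floor < 760)
    return ("pre-release", True)

# Constructed sample output (not captured from a real server).
SAMPLE_SP2 = (
    "Microsoft SQL Server  2000 - 8.00.534 (Intel X86) \n"
    "\tNov 19 2001 13:23:50 \n"
    "\tCopyright (c) 1988-2000 Microsoft Corporation\n"
    "\tDesktop Engine on Windows NT 5.0 (Build 2195: Service Pack 3)\n"
)
SAMPLE_SP3 = (
    "Microsoft SQL Server  2000 - 8.00.760 (Intel X86) \n"
    "\tDec 17 2002 14:22:05 \n"
    "\tCopyright (c) 1988-2003 Microsoft Corporation\n"
    "\tEnterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 3)\n"
)

if __name__ == "__main__":
    for name, text in (("SAMPLE_SP2", SAMPLE_SP2), ("SAMPLE_SP3", SAMPLE_SP3)):
        level, needs_update = classify(text)
        print(name, level, "UPDATE NEEDED" if needs_update else "ok")
```

A build that falls between two service pack levels (a hotfix build) is reported as the lower level, so this check cannot confirm that a worm-specific patch is installed; it only tells you whether the system is at SP3.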
SOLUTIONS:
The worm can be stopped by updating your SQL
Server 2000 system to Service Pack 3 or higher, or by installing
patches specific for the worm. The preferred solution is to upgrade
to Service Pack 3 (SP3). SP3 is comprehensive, incorporating
all SP1 and SP2 upgrades, so you don't need to first apply earlier
fixes.
As a stopgap measure, uninfected systems can
be protected by blocking incoming and outgoing UDP traffic via
TCP/IP on Port 1434. This should only be considered an emergency
measure. This block will limit the ability of outside systems
(both other SQL Server installations and clients) to communicate
over the Internet, and it will not cure the problem, which could take
other forms.
To Install the SP3 Update:
If you are running Windows NT, please see Microsoft's
SQL Server SP3 web site for special instructions. Windows NT
running SP6a or higher may be required.
If you are running Windows 2000, apparently
you need to be updated to SP3 for Windows 2000 as well. (This
is a reasonable precaution in any case.) This will require a
reboot. Use Windows Update to update Windows 2000 to SP3 or higher.
Failure to do this will probably cause the
update to "roll backwards" just before completion as
Windows File Protection comes in and "restores the damaged
DLL's." You have been warned! Do not force off Windows File
Protection; instead update your Windows 2000 system to SP3 or
higher.
The SQL Server 2000 SP3 download
site is at:
http://www.microsoft.com/sql/downloads/2000/sp3.asp
Download and extract the appropriate updates
to their respective folders.
In the MSI
folder in the extracted SP3 update folder there should be copies
of the most recent Windows Setup software updaters. Running the
appropriate installer to update your copy of Windows Setup may
be required; a reboot may be needed after this.
Although Microsoft
suggests setting SQL Server services on Manual and restarting
before the upgrade process (a reasonable precaution), it turns
out that the SP3 Setup program does a pretty good job of stopping
applicable SQL Server services before installing itself. However,
we still suggest that it is better to:
- First shut down the services
with the Service Manager.
- Then go to Start Menu>Control
Panel>Administrative Tools>Services and change the appropriate
Microsoft SQL services from Automatic to Manual. This way, if
critical files need to be updated as the machine restarts, there
will not be a "race" between the updating of these
files and the startup of SQL Server.
- After the update, please remember
to set these services back to Automatic, under "Services"
(SQL Server and, most likely, the SQL Server agent).
We have found
that running the SP3 update requires the use of the SA password.
SP3 Setup may need attribute switches added, so it may need to
be run from a command line or batch file. Below is a simple batch
file that will run the update for the DESKTOP version; it should
be simple to adapt it for the other SP3 update flavors. It references
the default folder the SP3 Desktop patch installed; the path
and SA password info ("SAPWD") will need to be updated
for your system.
REM SQLSP3.BAT:
CD C:\sql2ksp3\MSDE
setup INSTANCENAME=MSQL$SERVER SAPWD=#####
The InstanceName is important;
the default is "MSQLSERVER". For the desktop version,
I needed "MSQL$SERVER" to avoid an error. ("Incorrect
Instance Name" errors.) (SQL Server 2000's desktop version
runs on Windows 2000 Pro, Windows 9x, etc.)
After installing the SP3 update, another reboot
is required.
Don't want to install SQL
Server 2000 SP3?
If you only want to block the vulnerability used by the Slammer/Sapphire
worm, please see Microsoft's info at:
http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89
Additional info on the port vulnerability
is available from: http://www.nextgenss.com/advisories/mssql-udp.txt