MS SQL Server Worm Cripples Internet

By Nate Mook | Published January 25, 2003, 7:50 AM

Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a known flaw in Microsoft SQL Server 2000 and flooded the world's digital backbones. The worm used a buffer overflow in the SQL Server 2000 Resolution Service to execute code on a vulnerable server; the infected system then sent copies of the worm to randomly generated IP addresses as fast as its network link allowed, consuming massive amounts of bandwidth in the process. The entire worm fits in a single 376-byte UDP datagram and runs only in memory, so the exploit, the propagation loop and the random-address generator all arrive in the same packet that triggers the overflow.
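The bug class behind the worm, as an added example that is not code from this page or from Microsoft: a handler for a resolution-service style "open" request (one opcode byte followed by an instance name), written first in the form that creates a stack overflow and then in a form that rejects an oversized name before copying anything. The 0x04 opcode, the 16-character instance-name limit and the 376-byte, 0x01-filled test datagram come from public descriptions of the worm; the buffer sizes, return codes and function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative values, not taken from SQL Server's code: the resolution
 * service "open" request is one opcode byte followed by an instance name.
 * 0x04 is the opcode the worm's packet starts with, 16 is the maximum length
 * of a SQL Server instance name, and the stack buffer size is an assumption. */
#define SSRS_OPEN    0x04
#define INSTANCE_MAX 16

/* The vulnerable pattern: the name after the opcode is copied into a fixed
 * stack buffer with no bound, so a datagram longer than the buffer overwrites
 * whatever follows it on the stack, including the saved return address.
 * Shown for contrast only; nothing below calls it. */
int handle_open_vulnerable(const unsigned char *pkt, size_t len)
{
    char name[INSTANCE_MAX + 1];

    if (len < 2 || pkt[0] != SSRS_OPEN)
        return -1;
    strcpy(name, (const char *)pkt + 1);   /* BUG: unbounded copy */
    return (int)strlen(name);
}

/* Hardened form: the only length trusted is the datagram length the socket
 * layer reported, the copy never exceeds it, and an over-long name is rejected
 * rather than truncated. Returns the name length, -1 if the request is not an
 * open, -2 if it is an open with an invalid name. */
int handle_open_hardened(const unsigned char *pkt, size_t len,
                         char *out, size_t outsz)
{
    size_t namelen;
    const unsigned char *nul;

    if (len < 2 || pkt[0] != SSRS_OPEN)
        return -1;
    namelen = len - 1;
    nul = memchr(pkt + 1, '\0', namelen);  /* tolerate a trailing NUL */
    if (nul != NULL)
        namelen = (size_t)(nul - (pkt + 1));
    if (namelen == 0 || namelen > INSTANCE_MAX || namelen >= outsz)
        return -2;
    memcpy(out, pkt + 1, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}

/* Constructed inputs: a legitimate open for an instance named SQLEXPRESS, and
 * a 376-byte datagram shaped like the worm's: 0x04 then 0x01 filler. 376 is
 * the worm's UDP payload length and the filler its well-known leading bytes;
 * the rest of the real packet (return address, code) is deliberately omitted. */
static const unsigned char GOOD[] = {
    0x04, 'S', 'Q', 'L', 'E', 'X', 'P', 'R', 'E', 'S', 'S'
};

size_t build_worm_shaped(unsigned char *buf, size_t bufsz)
{
    size_t n = bufsz < 376 ? bufsz : 376;
    memset(buf, 0x01, n);
    buf[0] = SSRS_OPEN;
    return n;
}

/* Returns 10 (the name length) when the legitimate request is accepted and
 * the name round-trips intact; a negative code otherwise. */
int demo_good(void)
{
    char out[64];
    int rc = handle_open_hardened(GOOD, sizeof GOOD, out, sizeof out);
    return (rc > 0 && strcmp(out, "SQLEXPRESS") != 0) ? -99 : rc;
}

/* Returns the verdict on the worm-shaped datagram: -2, rejected before a
 * single byte is copied. */
int demo_worm_shaped(void)
{
    unsigned char pkt[376];
    char out[64];
    size_t n = build_worm_shaped(pkt, sizeof pkt);
    return handle_open_hardened(pkt, n, out, sizeof out);
}

/* Returns the verdict on a one-byte request with a different opcode: -1. */
int demo_other_opcode(void)
{
    unsigned char pkt[1] = { 0x02 };
    char out[64];
    return handle_open_hardened(pkt, sizeof pkt, out, sizeof out);
}

int main(void)
{
    printf("legitimate open request: rc=%d\n", demo_good());
    printf("worm-shaped datagram:    rc=%d\n", demo_worm_shaped());
    printf("other opcode:            rc=%d\n", demo_other_opcode());
    return 0;
}
```

The hardened version keys every decision on the length the socket layer reported and refuses, rather than truncates, a name that cannot be valid; that is the check whose absence let a single datagram take over a server.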

Major Internet providers began to block the malicious traffic by mid-morning Saturday, although UUNet continued to report major slowdowns.

Microsoft issued a security bulletin (MS02-039) and a patch for the SQL Server 2000 flaw last July, but many network administrators had apparently not updated their systems. One such administrator told BetaNews that a tool offered by Microsoft to confirm all hot fixes were applied, HFNetChk, did not correctly identify the missing patch. The vulnerable component also ships with the Microsoft SQL Server Desktop Engine (MSDE 2000), which is embedded in many third-party products, so some sites were running a copy of SQL Server without knowing it.

The worm, called "Sapphire" or "SQL Slammer," specifically targeted UDP port 1434, the port used by the SQL Server Resolution Service, in order to find SQL Servers to compromise. By blocking inbound traffic on that port, and as a precaution on TCP port 1433, the default port for SQL Server client connections, network administrators were able to quell the floods. Affected servers had to be rebooted in order to stop the flow of data: because the worm exists only in memory and writes nothing to disk, a reboot removes it, but an unpatched server that is still reachable on UDP port 1434 is reinfected as soon as the next probe arrives.
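A network-side check for the scanning behaviour described above, as an added example that is not from the original page: a fan-out detector run over constructed flow records, flagging any source that sends UDP/1434 to more distinct addresses than a client performing a normal instance lookup ever would. The flow-record format, the threshold and the addresses are assumptions; the 404-byte datagram size in the sample is the worm's IP packet length.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC 32
#define MAX_DST 64

/* Per-source tally of the distinct destinations it has probed on UDP/1434. */
struct src_tally    { char src[16]; char dsts[MAX_DST][16]; int ndst; };
struct fanout_state { struct src_tally t[MAX_SRC]; int n; };

static struct src_tally *find_or_add(struct fanout_state *st, const char *src)
{
    for (int i = 0; i < st->n; i++)
        if (strcmp(st->t[i].src, src) == 0)
            return &st->t[i];
    if (st->n == MAX_SRC)
        return NULL;
    strcpy(st->t[st->n].src, src);      /* <= 15 chars, enforced by sscanf width */
    st->t[st->n].ndst = 0;
    return &st->t[st->n++];
}

/* One flow record per line, in the format this example assumes:
 * "<timestamp> <src-ip> <dst-ip> <dst-port> <proto> <bytes>". Returns 1 if the
 * line was a UDP/1434 flow and was tallied, 0 otherwise. */
int fanout_tally_line(struct fanout_state *st, const char *line)
{
    char ts[32], src[16], dst[16], proto[8];
    int dport, bytes, i;
    struct src_tally *t;
    if (sscanf(line, "%31s %15s %15s %d %7s %d",
               ts, src, dst, &dport, proto, &bytes) != 6)
        return 0;
    if (strcmp(proto, "udp") != 0 || dport != 1434)   /* only the SSRS port */
        return 0;
    if ((t = find_or_add(st, src)) == NULL)
        return 0;
    for (i = 0; i < t->ndst; i++)
        if (strcmp(t->dsts[i], dst) == 0)
            return 1;                   /* repeat destination: not fan-out */
    if (t->ndst < MAX_DST)
        strcpy(t->dsts[t->ndst++], dst);
    return 1;
}

/* A client resolves instances on the one or two servers it uses; a host that
 * has probed more than `threshold` distinct addresses is scanning. Copies the
 * flagged sources into `out` and returns how many there are. */
int fanout_flagged(const struct fanout_state *st, int threshold,
                   char out[][16], int outmax)
{
    int i, n = 0;
    for (i = 0; i < st->n && n < outmax; i++)
        if (st->t[i].ndst > threshold)
            strcpy(out[n++], st->t[i].src);
    return n;
}

/* Constructed sample: one infected host spraying 404-byte datagrams (the
 * worm's IP packet size) at unrelated addresses, one client repeating a normal
 * lookup against its own server, and a TCP/1433 flow the detector ignores. */
static const char *SAMPLE[] = {
    "2003-01-25T05:30:00Z 192.0.2.10 203.0.113.5 1434 udp 404",
    "2003-01-25T05:30:00Z 192.0.2.10 198.51.100.77 1434 udp 404",
    "2003-01-25T05:30:00Z 192.0.2.10 203.0.113.91 1434 udp 404",
    "2003-01-25T05:30:01Z 192.0.2.44 203.0.113.5 1434 udp 29",
    "2003-01-25T05:30:04Z 192.0.2.44 203.0.113.5 1434 udp 29",
    "2003-01-25T05:30:01Z 192.0.2.44 203.0.113.5 1433 tcp 1500",
};
static struct fanout_state demo_state;

/* Runs the sample through a fresh state; returns the number of lines tallied. */
int demo_tally(void)
{
    int i, n = 0;
    demo_state.n = 0;
    for (i = 0; i < (int)(sizeof SAMPLE / sizeof SAMPLE[0]); i++)
        n += fanout_tally_line(&demo_state, SAMPLE[i]);
    return n;
}

/* 1 if `ip` is flagged as a scanner at threshold 2 (an assumed cut-off), else 0. */
int demo_is_flagged(const char *ip)
{
    char out[MAX_SRC][16];
    int i, n;
    demo_tally();
    n = fanout_flagged(&demo_state, 2, out, MAX_SRC);
    for (i = 0; i < n; i++)
        if (strcmp(out[i], ip) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("UDP/1434 flows tallied: %d\n", demo_tally());
    printf("192.0.2.10 flagged as scanner: %d\n", demo_is_flagged("192.0.2.10"));
    return 0;
}
```

Because the worm picks destinations at random, fan-out identifies the infected host from its first few packets, before volume alone would; in practice the threshold is applied per time window and a flagged source is rate-limited or quarantined rather than merely logged.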

It is unclear how many variants of the worm were spreading, as the damage is still being assessed. Along with flooding Internet pipelines, administrators reported the worm modified SQL Server settings such as encryption and default port configuration.

Anti-virus company Symantec estimated that at least 22,000 systems were affected worldwide.

Comments


Could have been worse.... Imagine if this had happened in 3 or 4 years' time when Longhorn was out there with the Yukon-based file system on most desktop PCs!

The more I think about this though, I wonder if the telecoms and ISPs weren't more to blame than anyone else. I mean, I suspect part of the problem was that this is the first time ever they have experienced so many broadband lines running at 100% utilisation, and their backbones just weren't fast enough to handle so many broadband connections running at full usage.

I bet most ISPs buy their backbones with the theory that there will never be more than 10% of their users demanding the full bandwidth at any one time. Today they were proved wrong and they simply weren't ready for it.

Score: 0


"could have been worse.... imagine if this had happened in 3 or 4 years time when longhorn was out there with the yukon based file system on most desktop pc's!"

Wouldn't have made any difference at all. The Yukon-based filesystem, while using SQL DB features under the hood, will not have a publicly accessible port for SQL Server administration.

As for who is to blame....that's a whole 'nother story. But there are no confirmed reports of any systems being infected at all that had properly applied the security patch released back in July.

Are the Apache org and/or Linux distribution vendors to blame for the fact that large numbers of Linux/Apache installations on the internet have not applied the necessary patches for a worm that already exists in the wild?

Is Sun to blame for the fact that an estimated 65% of Solaris/SunOS systems on the internet (still the most common server connected to the internet) haven't applied patches needed to prevent wide open root access, despite the fact that the patches were released over two years ago?

Score: 0


Imagine if the programmer of this virus had picked maybe one of the several security issues in BIND to exploit, or any other of the many, MANY security issues that software included with most Linux distributions has had in the last year.

Linux is supposedly much more efficient (if you listen to Linux users - not that they are biased at all...), so that would mean even more CPU time available for the virus to make use of, right? Hmmm...

So what would you Linux users be saying then if it was Linux PCs being infected (which it VERY EASILY could have been if the author had chosen a Linux exploit)?

Oh, and don't use the "Linux/Unix admins wouldn't make this mistake" argument again. Fact is, Linux and Unix ARE more stable. The downside of this is that there are many, MANY Unix boxes out there that admins haven't touched (because they didn't have a reason to) in a long time, which don't have updated versions of BIND etc. on them.

Score: 0


Ah, but the inevitable response to this argument is that "Linux" is perfectly secure because the problem isn't in "Linux"....it's in BIND, or Apache, or login, or telnetd.

Funny how they never want an apples-to-apples comparison. Because if you stick to the strict definition of "Linux" as being just the kernel.....then "Linux" is completely useless as a server and can't do anything useful at all.

If we define the common usage of "Linux" to be "an entire GNU/Linux distribution including all those other pieces like Apache, etc." then Linux has just as many (if not more) security patches, holes, problems, and exploits as Windows.

If we define "Linux" as just the kernel then there is no comparison. Windows is by definition infinitely better because, by that definition, Linux can't do any of the things that Windows can (GUI interface, web server, file sharing, etc.)

Score: 0


"Ah, but the inevitable response to this argument is that "Linux" is perfectly secure because the problem isn't in "Linux"....it's in BIND, or Apache, or login, or telnetd."

No, no, no, no, no: there are just as many holes in Linux applications (technically it isn't Linux). The correct claim is that the fixes are available faster, and don't incur downtime to install (unless it's a kernel bug). No OS is perfectly secure, especially out of the box.

Score: 0


I agree.

Unfortunately, many of the "Linux advocates" seem to be unable to make that distinction.

Which has more issues: Windows or Linux? Definitely Windows.

Which has more issues: Windows or Linux + all the apps needed to duplicate the functions included in Windows? Now that's a toss up.

I do agree that being able to update a Linux app to fix a problem without having to restart the server is often a huge benefit.....I'm glad to see Microsoft trying to move that way. I don't think Microsoft will ever get 100% there because they use the philosophy that the performance and feature benefits achieved through shared code/tight integration are worth the penalty of having one app affect another. Both approaches have benefits and drawbacks....and both camps seem to be slowly moving towards the middle.

Score: 0


I don't know what you qualify as downtime, but if I'm serving a web application and I have to take the web server offline to apply a patch to it (even if I don't have to reboot the machine), that's downtime. Downtime is any time the server is unavailable to fulfil specified requests - not just time spent rebooting.

Score: 0


You do realise that it is possible to patch a system like an application server or a web server without incurring downtime (well, we'll ignore the few milliseconds)? Obviously this is not possible if you only have a single app server or web server etc.

Score: 0


Which is more detrimental?

-- Scenario A
install update
service whatever restart

-- Scenario B
stop service
install update
(maybe) oh, stop other services too
(maybe) install update
reboot

Downtime in Scenario A will barely be noticeable. Downtime in Scenario B will cause your phone to ring. Partnered servers are the way to go to eliminate that, but in the real world budgets usually don't allow for it.

Score: 0


It happened once before and now again. Why don't these admins learn a thing and stop using this insecure Microsoft bloatware for serious tasks like running a server? Windows is just not up to the job. Especially with those lazy and stupid Windows admins.

Score: 0


This isn't just a Windows problem. The same thing happens any time admins don't take care to protect against known (and unknown) threats. You can't just say it's MS. A lot of products out there, including those which you might consider for a 'serious server', have just as potentially dangerous flaws. Just because someone has written a worm to exploit one and not the other doesn't mean that either one is any better at providing security. You might as well stick your head in the sand.

Score: 0


Exactly. Sooner or later someone WILL write a worm that exploits one of the many holes in some common GPL software out there. Wonder what the Unix admins and Linux kiddies will say then? I'm far from convinced all Unix boxes are kept up to date like some people in here claim.

Score: 0


Not "sooner or later": such worms exist *now*. Search Google for "openssl worm" for one example.

Score: 0


Oh, you are absolutely right. Not all Unix machines are kept up to date. Neither are Windows machines. There are morons on both sides of the fence. However, records from Symantec about rate of infection, and total number of machines, show that the number of Windows machines vulnerable in worms like this is much higher than the number of Unix machines affected by, say, Slapper, the Ramen worm, or any of the other Unix worms out in the wild. There have been some major BIND exploits over the years as well, some almost as severe as this worm. However, note that you've never once heard about a massive Unix outbreak on the same scale.

Score: 0


Let's keep in mind that much of this weekend's headaches resulted from Internet port scanning and/or flooding. Had ALL computers connected been running Linux or UNIX at the time of the attacks, we still would've experienced some of the straining effects.

Score: 0


"However note that you've never once heard about a massive Unix outbreak on the same scale."

And THERE'S the key. "...you've never once heard about...."

It's not that they haven't happened....they have. (Heck, the Morris worm back in 1988 completely shut down 10% of ALL machines connected to the Internet....this worm caused slowdowns, but shut down almost none)

The difference is how they are reported. The press far more readily reports security problems/issues involving Microsoft and Windows than they do with say RedHat and Linux or Sun and Solaris because far more of their readers have heard of Microsoft and Windows than have ever heard of RedHat, Linux, Sun, or Solaris.

A great example was the sadmind/IIS worm back in 2001. It completely root exploited Solaris systems and left them completely wide open to the entire world, then instead of modifying the web pages on the Solaris systems themselves, it simply used the Solaris systems to scan for and modify web pages on Windows servers running IIS.

How did the press report it? As a Microsoft/IIS problem. Never mind the fact that Microsoft had issued a patch seven months earlier and that Sun had fixed their problem TWO YEARS earlier......the press reported it as an OS security problem and blamed it on Microsoft, hardly bothering to mention Sun or the fact that both companies had already provided patches to prevent the problem.

Score: 0


All of Cingular was down today because they run MS SQL Server.

Score: 0


"All of cingular was down today because they run ms sql server. "

No. Not at all.

All of Cingular was down because they made mission-critical database servers publicly available on the internet and then also failed to apply necessary security patches or even take the most basic, elementary security precautions (like blocking server admin port numbers from incoming public access).

Score: 0


I heard more than half the ISPs in South Korea and China were offline for a number of hours. Funny, because since then I haven't received a single spam. :)

Score: 0


k3vmo, you are very correct. Not much spam over this way either.

Score: 0


Someone should write a malicious program that targets spam E-Mail servers.

Oops... I can't believe I said that.

Score: 0


Blaming people/companies/worm authors is ultimately pointless. Why not just secure the systems in question?

Windows bugs causing mass destruction again? Format, install Linux. (Warning: this may cause data loss.)

Personally I'm getting just a little sick of MS's bad code/security, and the end users' stupidity, clogging my backbones. This is like the 5th time in as many years (Code Red, Nimda, ILoveYou, Melissa, and now this).

Score: 0


Ah here comes the Linux crowd that claims again that their OS is secure as hell. As someone said before, all admins of the affected systems missed to install a 1/2 year old patch. So guess WHOSE FAULT it is.

Score: 0


"One such administrator told BetaNews that a tool offered by Microsoft to confirm all hot fixes were applied, HFNetChk, did not correctly identify the missing patch. "

To their credit, it's hard for admins to apply a patch they either don't know about or think has already been applied.

It is pathetic that the software was set up in such a way that this could even happen. If Microsoft hadn't been so stupid as to make a server send a reply that is identical to a request, this wouldn't happen.

So, it seems Microsoft is at fault on two counts - poor programming of the actual server and then poor programming of the tool to check for missing patches.

Score: 0


Don't blame the Linux crowd for Windows "admins" failing to apply a patch; that isn't our fault. While most people think Unix's biggest downfall is that it's hard to use, there are a lot of Unix admins that think it's actually the best thing about it: it keeps the morons off the platform. Yes, Unix has its problems as well, and its own security issues; however, on average, Unix system admins know twice as much about how their system works as their Windows counterparts. People who know their systems are more likely to keep them UP TO DATE, which is the ISSUE here. Check your facts.

Score: 0


Quote from the Microsoft site:

"MBSA and HFNetChk were developed for Microsoft by Shavlik Technologies LLC"

(just so you get your facts straight).

However, on this occasion I think it was Microsoft's fault, as I believe they maintain the XML file with the lists of patches that HFNetChk uses.

Score: 0


>>Format, install Linux.

Score: 0


I've known they didn't write that tool - they just control it. However, they provide the patch file listing; they missed it; they are to blame. My facts are straight.

Score: 0


Yeah, Linux is good, I use it from time to time, but for your general user (as for now) it can be a major pain in the a** for doing some tasks that should be very simple. Granted, installation of software has become easier, but there are just some things that can be a pain.

Score: 0


"poor programming of the tool to check for missing patches."

ooooooooooook.................

Score: 0


"As someone said before, all admins of the affected systems missed to install a 1/2 year old patch."

Bulls***, one of my patched systems was infected! SERVICE PACK 3 was needed to really fix it, which I was forced to install WITHOUT TESTING!

Score: 0


"Bulls***, one of my patched systems was infected!"

Yeah, right. I strongly suspect it was an "I'm pretty sure it was patched" system. There have been absolutely zero reports of infection on systems where the patch was properly installed.

"SERVICE PACK 3 was needed to really fix it, which I was forced to install WITHOUT TESTING!"

NO (and I do mean NO) version of the patch requires SP3 in order to prevent this particular attack/infection. It does (as the documentation says) require SQL2K SP2 to be properly installed first, but SP3 is not needed in any manner. (Though the patch itself is also included in SP3)

I am surprised that one of your systems was infected though. You know way too much about network security to have actually had a database server machine publicly accessible on the Internet without blocking critical ports from external access.

Score: 0


"Check your facts."

I have. An estimated 65% of all Solaris/SunOS systems on the internet have still not had a patch applied in order to prevent wide open root shell access. A patch that was made available two years ago. An estimated 45% have still not had a patch applied to prevent the root exploit used by the sadmind/IIS worm. A patch that was released FOUR years ago.

This is not a trivial matter. Solaris/SunOS is still the most common server platform for internet-connected servers.

"People who know their systems are more likely to keep them UP TO DATE which is the ISSUE here."

This is a true statement. Unfortunately your generalization that Unix/Linux/etc. admins are more likely to know their systems and therefore more likely to keep them up to date is wrong. The facts show otherwise. Perhaps as FunkyFred3k suggested, part of the problem is that Unix/Linux sysadmins are so used to their systems being stable that they get complacent about keeping them updated.

Score: 0


My servers aren't on the internet, they are intranet only. It didn't have to be though, unfortunately, once someone else's had it. I'm 100% sure that server was patched: I patched it myself, then rebooted and had another admin verify the timestamps on the patch Saturday; then Sunday morning when I checked it again it was infected.

Score: 0


I didn't though use the "rereleased" patch that included the installer, I enjoyed the manual process of copying files and executing SQL statements instead. LOL

Score: 0


OK, if you went through all of that I'll apologize and retract my claim.

I thought perhaps you were just throwing out a knee jerk reaction without having checked the details.

Sorry.

As far as getting it via someone else's machine....the same logic applies and they should be beaten about the head and shoulders with the biggest book on "common sense network security" that you can find.

Score: 0


We missed a patch. We had software controlling our doors with stand-alone MS SQL that we did not realize was in the software.

We sent out enough traffic to cripple small websites. We found it fast, but sometimes things get very complicated on networks.

Watch those slide card access doors.

Score: 0


You should seriously take your vendor to task over this.

Part of supporting their product/solution includes the responsibility for supporting/maintaining/patching any tools (like SQL Server) that they used as part of the solution.

Score: 0


"Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a known flaw in Microsoft SQL Server 2000 and flooded the world's digital backbones."

Should read:

"Internet traffic slowed to a crawl early Saturday morning as a virus-like worm exploited a flaw in MS SQL Server Admins, who failed to apply a patch available since June 2002, and flooded the world's digital backbones."

End of story

TowerDave

Score: 0


I'm just wondering how many vendor products offer stand alone ms sql that haven't released updates.

I don't agree with JUST blaming sys admins. They are only part of a larger problem.

Score: 0


Fact is, anyone who leaves their database server open to the public internet deserves to be infected, no matter what the bug was targeting. Be it MS SQL, Oracle, Postgres, DB2, hell, even MySQL. A database should not be in the "wild".

Score: 0

