>MS-SQL Slammer/Sapphire Worm at TRIUMF

Updating Windows Security (for TRIUMF users)

MS-SQL Slammer/Sapphire Worm at TRIUMF

Starting at 9:29:26.39 pm on Friday January 24th the MS-SQL worm spread extremely rapidly on the Internet, infecting two Windows servers onsite within 2 minutes.

These were taken offline early Saturday morning, but the worm continued to have a severe impact on our network connections.

This worm affects MS-SQL Server and Components of it installed by other applications such as HP Openview, MS-Visual Studio, etc... If you're not sure about your system being vulnerable do the following:

Go to Command Prompt (the DOS Prompt).

Type: netstat -p udp -a and press the Enter key.

If there is a line with text similar to: UDP (Srever_name>:ms-sql-m) you need to install MS-Security Bulletin MS02-039 patch.

As of January 2003, TRIUMF has two connections, one via BCNet to CA*Net, ESnet, CERN etc., and another via UBC to everything else, including Telus ADSL and Shaw cable. At the time of writing (15:21 Saturday Jan 25 2003), the CA*net connection is up but the UBC one is not.

The TRIUMF modem pool (56k dialup) is unaffected.

The current state of some offsite links may be seen here (sitka.triumf.ca)

Any concerns about the network should be reported to the control room at +1 604-222-7333 outside normal hours, or to Steve McDonald or myself during the week.

eEye analysis
Graph of worm spread (SANS)
Network delay to TRIUMF from Shaw
Packet loss from TRIUMF
Ping data to TRIUMF from Shaw.ca
Worm spread seen from TRIUMF
TRIUMF had some network outage and monitoring failures which can be seen in the graphs
Worm middle period (time in PST = -0800)
Worm end period
Selected scatterplots
Scatterplot MPEG (18Mb), first 1Mb (time in PST)
Output traffic from infected machines
Effect on Mbone

Andrew Daviel
andrew@daviel.org (offsite)