Possibly Historical Document - Last Updated Thu Oct 27 15:19:53 2005

MS-SQL Slammer/Sapphire Worm at TRIUMF

Starting at 9:29:26.39 pm on Friday January 24th the MS-SQL worm spread extremely rapidly on the Internet, infecting two Windows servers onsite within 2 minutes.

These were taken offline early Saturday morning, but the worm continued to have a severe impact on our network connections.

This worm affects MS-SQL Server and Components of it installed by other applications such as HP Openview, MS-Visual Studio, etc... If you're not sure about your system being vulnerable do the following:

  • Go to Command Prompt (the DOS Prompt).
  • Type: netstat -p udp -a and press the Enter key.
  • If there is a line with text similar to: UDP (Srever_name>:ms-sql-m) you need to install MS-Security Bulletin MS02-039 patch.

    As of January 2003, TRIUMF has two connections, one via BCNet to CA*Net, ESnet, CERN etc., and another via UBC to everything else, including Telus ADSL and Shaw cable. At the time of writing (15:21 Saturday Jan 25 2003), the CA*net connection is up but the UBC one is not.

    The TRIUMF modem pool (56k dialup) is unaffected.

    The current state of some offsite links may be seen here (sitka.triumf.ca)

    Any concerns about the network should be reported to the control room at +1 604-222-7333 outside normal hours, or to Steve McDonald or myself during the week.

    Andrew Daviel
    andrew@daviel.org (offsite)