seems related to SQL 2000...see below for patches from Microsoft
(available as of 7/17/02).
FYI -
According to this article from the Associated Press:
http://story.news.yahoo.com/news?tmpl=story2&ncid=716&e=3&u=/ap/20030125/ap_on_hi_te/internet_attack
"The attack sought to exploit a software flaw discovered by researchers
in July 2002 that permits hackers to seize control of corporate database
servers. Microsoft deemed the flaw to be "critical" and offered a free
repairing patch, but it was impossible to know how many computer
administrators applied the fix."
Symptoms that may be seen or detected, and that may be causing alerts on
Cisco devices, include, but are not limited to, high CPU and traffic drops
on the input interfaces.
The Microsoft Security advisory specifies that this vulnerability is
specific to SQL 2000.
Microsoft first published the fixed patch on 7/17/2002.
Please ensure that you are at the correct patch levels for all your
servers that use SQL 2000.
Microsoft Security Bulletin MS02-039
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
This is basically the same attack as Code Red, using the same UDP port
numbers for the attack. If you have applied patches for the Code Red
virus, they are most likely covered. The attached link from
CNN does a nice job of explaining the similarity.
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html
Cisco utilizes a security-hardened OS for servers running our services
such as Call Manager 3.3. Though SQL 2000 is used by Cisco Unity and Call
Manager 3.3, it is still appropriate and best practice to keep all
servers current with the latest patches to avoid known vulnerabilities
and protect against future re-occurrences.
Cisco's Host Intrusion Detection System (HIDS) can be used on servers to
detect "unknown" attacks, as was Code Red prior to patches being
available.
Thanks,
Cisco