httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J. Greenlees" <>
Subject Re: [users@httpd] Sapphire Virus and Mysql
Date Tue, 28 Jan 2003 12:20:43 GMT wrote:
> On saturday around 5 am GMT our system almost ground to a halt. Stopping 
> apache improved system performance but restarting apache then killed the 
> performance again. Typically entering the 'stop apache' command would take 2 
> minutes to take effect. 
> Rebooting cleared all problems.
> Now I have read abouot sapphire/sql slammer virus which was effectibe 
> worldwide at this time and the above problems and cure seems indicative of it.
> My problem is that we run Linux/Apache/php/mysql. No microsoft software at 
> all yet my reading indicates that only SQL servers should have been affected.
> I can understand that web server delivery would be poor if the internet in 
> general was overloaded but then a reboot wouldn't solve that. 
> Anyone else share this problem or have any observations?
while you were not vulnerable to the saphire/slapper virus,
it was pinging on port 1434 to any sql servers it could find with a 
random url.
mysql is an sql server.
all infected ms sql2000 servers were randomply pinging and getting 
talkback pings from all sql servers
easiest way to avoid this is to close port 1434 and 1433
( some servers reported a heavy traffic flow on 1433 during this time )

the attack started with an estimated 22 thousand infected servers, and 
by monday am that had increased to an estimated 110 thousand servers.
I'll post the SANS CVA advisory about it under this thread in a minute.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message