Symptoms:
The following system changes may indicate the presence of this malware:
- Heavy outbound traffic across UDP port 1434
- Infected computers could experience local and remote denial of service conditions. Computers that are patched with the latest service packs available are protected against Slammer.
Prevention steps:
Install the appropriate version of SQL 2000 SP4 (recommended; SP3a is the mandatory minimum)
How to detect the SQL version: http://support.microsoft.com/kb/321185
Confirm Microsoft patches are installed:
MS08-040 (as a minimum) or the re-released MS09-004, which should display “sqlservr.exe” as version 2000.8.00.2039 / 8.00.2050 or greater.
http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
http://www.microsoft.com/technet/security/bulletin/MS09-004.mspx
MSDE 2000 is also vulnerable and endpoints should have MS02-061 installed (this superseded MS02-039)
http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx
Retrieve SQL updates from:
http://microsoft.com/downloads/details.aspx?FamilyId=689832DB-297B-489F-9E87-8FD78AEEE64F
Any groups that have SQL in their DEV environment should make sure to verify their SQL level and use these steps, if they are not at the above mentioned level.
Confirm minimum Anti-Virus protection is in place:
Trend OSCE and Server Protect AV service levels:
Latest Pattern File 5.969.00 minimum
Latest Scan Engine 8.913
McAfee protection:
DAT file: 5249 (released 03/11/2008)
Minimum Engine: 5100
Remediation:
If detected, immediately take the system offline once appropriate business communication has been performed.
Run a manual (ODS) scan with the AV software. Validate removal of the virus by verifying the AV logs. As this virus is memory resident, it will not be detected via “real-time scan”.
Perform the application of patches and confirm version of SQL software (update to newest version if possible).
If errors occur while applying SQL patches or the system does not update, follow the instructions detailed below pertaining to the issue you are facing.
System must be rebooted to remove the virus.
——————————————————————————————————————–
Applying MS SQL Server Hotfix MS08-040
This is a quick checklist for installing the MS08-040 hotfix.
Pre-installation Tasks
This hotfix resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. The security update addresses the vulnerabilities by modifying the way that SQL Server manages page reuse, allocating more memory for the convert function, validating on-disk files before loading them, and validating insert statements.
If the database server is also running reporting services (SSRS), a registry hack may be needed as the MS08-040 hotfix seems to cause problems with the SSRS service. The SSRS service times out trying to restart after the hotfix is applied. Applying the registry hack seems to resolve this problem (see Troubleshooting Errors section at end of this document for more information).
Use the directory layout below to locate the correct EXE to install:
SQL 7.0
Execute the following to upgrade to 7.00.1152
SQL70-KB948113-v7.00.1152-x86-ENU.exe
SQL 2000
For versions 8.00.2039 thru 8.00.2049, execute the following to upgrade to 8.00.2050
SQL2000-KB948110-v8.00.2050-x86x64-ENU.exe
For versions 8.00.2148 thru 8.00.2272, execute the following to upgrade to 8.00.2273
SQL2000-KB948111-v8.00.2273-x86x64-ENU.exe
SQL 2005
For versions 9.00.3042 thru 9.00.3067, execute the following to upgrade to 9.0.3068
64-bit
SQLServer2005-KB948109-x64-ENU.exe
32-bit
SQLServer2005-KB948108-x86-ENU.exe
For versions 9.00.3150 thru 9.00.3230, execute the following to upgrade to 9.0.3233
64-bit
SQLServer2005-KB948108-x64-ENU.exe
32-bit
SQLServer2005-KB948108-x86-ENU.exe
Installation
Identify the pre-upgrade version by running a select @@version.
Open computer properties to identify whether a 64-bit or 32-bit upgrade should be run
Run appropriate installation file. You will be prompted for below steps
Open File – Security Warning, “Do you want to run this file?”. Click run.
Welcome. Click next.
License Terms. Select the “I accept the agreement” radio button and click next.
Feature Selection. Use defaults. Click next.
Error and Usage reporting. Leave unchecked. Click next.
Running Processes. Leave processes running. Click next.
Ready to Install. Click install.
Wait a long time
Installation complete. Click next.
View Summary of what was updated. Click next.
Additional Information. Click finish.
Copy the system database files to the DBA_ARCHIVE directory and append the new MS08-040 version number (see table below). Version information can also be found by running a select @@version command. Copies of the system databases are taken so SQL can easily be brought back up after a tape restore.
Reboot server
Verify all services have restarted.
Note: This hotfix appears to update non-cluster aware resources, such as SSIS and Reporting Services, on both nodes of the cluster. It isn’t necessary to run this update on both nodes of the cluster unlike SP1 and the base install. This probably assumes the non-cluster aware resource is installed on the controlling node where the update is applied.
How to determine whether SQL Server was successfully updated:
No information was found in the security documentation, but it is assumed the same verification process can be used as for the MS08-040 security patch listed below.
Find the version number of the instance or the instances of SQL Server. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
321185 (http://support.microsoft.com/kb/321185/) How to identify your SQL Server version and edition
The SQL Server update is successful if the query analyzer returns a version of the Sqlservr.exe file that is listed in the following table.
| Product | Version |
|---|---|
| SQL Server 2005 GDR | 9.00.3068 |
| SQL Server 2005 QFE | 9.00.3233 |
| SQL Server 2000 GDR | 8.00.2050 |
| SQL Server 2000 QFE | 8.00.2273 |
| SQL Server 7.0 | 7.00.1152 |
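The version check from the directory layout and the verification table above, as an added example (not part of the original checklist). The banner strings are constructed samples of `select @@version` output, and the status names are hypothetical labels chosen for this sketch.

```python
import re

# Build ranges and patched builds exactly as listed in the checklist:
# (major, minor) -> [(branch, first_build, last_build, patched_build), ...]
BRANCHES = {
    (8, 0): [("SQL Server 2000 GDR", 2039, 2049, 2050),
             ("SQL Server 2000 QFE", 2148, 2272, 2273)],
    (9, 0): [("SQL Server 2005 GDR", 3042, 3067, 3068),
             ("SQL Server 2005 QFE", 3150, 3230, 3233)],
}
SQL7_PATCHED = 1152  # the checklist gives only the target build for SQL 7.0

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def assess(banner):
    """Classify a `select @@version` banner against the MS08-040 table.

    Returns (status, detail):
      patched       detail = branch name from the table
      needs-hotfix  detail = build the matching installer upgrades to
      below-range   build is older than any range the hotfix covers
                    (apply the service pack first)
      unlisted      build falls in a gap the checklist does not mention
      unknown       no version found, or a product the table omits
    """
    m = VERSION_RE.search(banner)
    if not m:
        return ("unknown", None)
    major, minor, build = (int(g) for g in m.groups())
    if (major, minor) == (7, 0):
        if build >= SQL7_PATCHED:
            return ("patched", "SQL Server 7.0")
        return ("needs-hotfix", "7.00.%d" % SQL7_PATCHED)
    branches = BRANCHES.get((major, minor))
    if branches is None:
        return ("unknown", None)
    # Walk from the highest branch down: QFE builds are numbered above GDR.
    for name, first, last, patched in reversed(branches):
        if build >= patched:
            return ("patched", name)
        if first <= build <= last:
            return ("needs-hotfix", "%d.%02d.%d" % (major, minor, patched))
        if build > last:
            return ("unlisted", None)
    return ("below-range", None)


# Constructed sample banners (not captured from a real server).
SAMPLES = [
    "Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)",
    "Microsoft SQL Server  2000 - 8.00.2187 (Intel X86)",
    "Microsoft SQL Server 2005 - 9.00.3068.00 (X64)",
    "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", assess(banner))
```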
Alternatively, you can review the installation log for a “Success” message. The installation log file is typically in one of the following folders.
| Product | Location |
|---|---|
| SQL Server 2000 | %WINDIR% |
| SQL Server 2005 | %PROGRAMFILES%\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix |
For a successful installation, a message that resembles either of the following is logged at the end of the log file.
Message 1
Success, Reboot Required
Exit Code Returned: 3010
Message 2
101.063: SQL DLL: Instance Status Summary
101.063: SQL DLL: Instance Status: MSSQLServer - Success
101.063: SQL DLL: Instance Status: SQLTools - Success
101.063: SQL DLL: SuccessInstallation() returned 0
To revert to a pre-MS08-040 version of SQL Server
Once SQL Server MS08-040 has been applied, it can be removed from the Add/Remove Programs menu. A separate program entry will be listed for each database engine component that was updated, but uninstalling one will uninstall all components. It may be necessary to check the ‘show updates’ box to display the hotfixes that have been applied.
Start > Control Panel > Add or Remove Programs
Check the ‘show updates’ box if hotfixes aren’t listed
Left-click on one of the hotfix components and select remove
Instances to uninstall > Click next
Note: It doesn’t appear to support backing out only one instance
Error and Usage reporting. Leave unchecked. Click next.
Running processes. Click next.
Ready to uninstall. Click uninstall.
Wait.
Next. Next. Finish.
Reboot is usually needed as indicated on summary.
Troubleshooting Errors:
Error: The SQL Server Reporting Services service fails to restart. The service did not respond to the start or control request in a timely fashion.
Fix: Perform the following:
Click Start, click Run, type regedit, and then click OK
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
In the right pane, locate the ServicesPipeTimeout entry. Note: If the ServicesPipeTimeout entry does not exist, you must create it using the following steps:
On the Edit menu, point to New, and then click DWORD Value.
Type ServicesPipeTimeout, and then press ENTER.
Right-click ServicesPipeTimeout, and then click Modify.
Click Decimal, type 60000, and then click OK.
This value represents the time in milliseconds before a service times out.
Restart the computer.
Here are links to two articles describing the above:
http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=3606861&SiteID=1
http://support.microsoft.com/kb/922918
————————————————————————————————————-
Applying MS SQL Server 2000 Service Pack 4
This is a quick checklist for installing SQL 2000 SP4 Standard Edition. It is still necessary to review the read.me file for the service pack for replication, log shipping, and cluster considerations.
Pre-installation Tasks
Replication still requires the distributor and publisher to be updated first
Replication databases must be in read-write
Review Q811168 for clusters
Octopus requires breaking mirroring and separately upgrading the SQL Servers
Olap servers are updated independently and are not documented here
Olap SP3 requires a SP3 client (not verified for SP4)
Full-Text index rebuilds are started during the upgrade (not verified for SP4)
Installation
Identify the pre-upgrade version by running a select @@version.
Stop the MSSQLServer service.
Copy the distribution, master, model and msdb .mdf and .ldf files to DBA_ARCHIVE and add extension .v@@version to the files. It may be necessary to delete duplicate versions of these files.
Run the following:
Sql server 2000 service pack 4 setup.exe from installation CD
Welcome>Next; Software License Agreement>Yes; Instance Name>Enter Appropriate; Connect to Server>Next (use default of Windows authentication);
Setup>Check Upgrade Microsoft Search… and click continue
Error Reporting> OK (do not enable by default as network traffic is a concern)
Start copying files>Next
Setup Complete>click I will restart computer later and click finish
Copy the system databases identified above to the DBA_ARCHIVE directory and append the version number (8.00.2039). This is done so SQL can easily be brought back up after a tape restore
Reboot server
Verify all services have started.
To revert to a pre-SP4 version of SQL Server
- Detach all user databases.
- Uninstall SQL Server. In Control Panel, double-click Add/Remove Programs, select the instance of SQL Server that you want to uninstall, and click Remove.
- Reinstall SQL Server 2000 from the CD-ROM or from the location where you originally installed SQL Server.
- Apply any service packs and hotfixes that were installed before Database Components SP4.
- Restore the databases master, msdb, and model from the last backup that was created before you installed. If the location of the data files has not changed, this restoration automatically attaches any user databases that were attached at the time the backup was created.
- Attach any user databases that were created after the last backup of the master database.
- Configure replication if necessary.
Warning: When you revert to the pre-SP4 version of SQL Server 2000, all changes made to the databases master, msdb, and model since applying SP4 are lost.
—————————————————————————————————————-
Applying MS SQL Server 2000 Service Pack 4 – CLUSTER INSTALL
This is a quick checklist for installing SQL 2000 SP4 Standard Edition. It is still necessary to review the README file for the service pack for replication and log shipping considerations.
Pre-installation Tasks
Replication still requires the distributor and publisher to be updated first
Replication databases must be in read-write
Octopus requires breaking mirroring and separately upgrading the SQL Servers
Olap servers are updated independently and are not documented here
Olap SP3 requires a SP3 client (not verified for SP4)
Full-Text index rebuilds are started during the upgrade (not verified for SP4)
Installation
Open cluster administrator and confirm there is an MSDTC resource defined.
Confirm SQL is listening on Named Pipes.
Test a failover before you begin any SP4 install work. If you have problems with SQL not coming online on the secondary node, see “Common Errors on Carrollton Servers” at the end of this document.
SP4 must be run from the controlling node (referenced as node1. The non-controlling node will be referenced as node2). Log onto the server controlling the SQL instance you wish to run SP4 on.
Identify the pre-upgrade version by running a select @@version or checking the properties in Enterprise Manager.
Through Cluster Administrator, take SQL offline.
Copy the distribution, master, model and msdb .mdf and .ldf files to DBA_ARCHIVE and add extension .v@@version to the files. It may be necessary to delete duplicate versions of these files or add an alternative file extension (example: “8.00.818.pre_sp4”).
Through Cluster Administrator, bring SQL back online.
Run SQL Server 2000 Service Pack 4 setup.exe and follow below steps to complete the installation.
Welcome>Next; Software License Agreement>Yes; Instance Name>Enter Appropriate; Connect to Server>Next (use default of Windows authentication); Setup>Check Upgrade Microsoft Search… and click continue
Error Reporting> OK (do not enable by default as network traffic is a concern); Remote Information>Enter a valid account that has local administrator permissions on both nodes (your M account or the service account)
Start copying files>Next
Setup Complete>click I will restart computer later and click finish
Search the C:\<system root>\sqlspX.log file for any “Process Exit Code” that is non-zero (where <system root> = WINNT or WINDOWS, and X = an incremental digit (0, 1, 2, etc)). If you find the “file not found” issue referring to the “SearchStp.exe” file for MS Full Text Search, you can probably ignore that error unless your server is using MS Full Text Search. Otherwise that issue should be addressed by rerunning SP4. Any other issues should be addressed. You should also check the last line of the log file to verify the “Installation Succeeded” vs. “Installation Failed”.
Copy the system databases identified above to the DBA_ARCHIVE directory and append the version number (8.00.2039). Take SQL service offline through Cluster Administrator if necessary.
Bring SQL online on node1 (the node you log onto to install SP4).
Reboot node2 (the NON-controlling server).
Once node2 is back online, fail everything over to node2.
Through Cluster Administrator, verify all services have come online.
Reboot node1 (which should be the primary node, the one you originally logged onto to run SP4).
Once node1 is back online, fail everything over to node1.
Through Cluster Administrator, verify all services have come online.
Repeat steps 1-21 for each SQL instance running on the cluster (no matter if it’s active-active or active-passive).
Disable Named Pipes if it was Enabled in step 2 above????????
Through Cluster Administrator, ensure the following resources are set to not “affect the group”. Right click the resource > “Properties” > “Advanced” > uncheck the ‘Affect the group’ checkbox.
- TSM Cluster Service
- SQL Server Agent
- any of our file shares (DA, DBA_ARCHIVE, etc.)
To revert to a pre-SP4 version of SQL Server
- Detach all user databases.
- Uninstall SQL Server. In Control Panel, double-click Add/Remove Programs, select the instance of SQL Server that you want to uninstall, and click Remove.
- Reinstall SQL Server 2000 from the CD-ROM or from the location where you originally installed SQL Server.
- Apply any service packs and hotfixes that were installed before Database Components SP4.
- Restore the databases master, msdb, and model from the last backup that was created before you installed. If the location of the data files has not changed, this restoration automatically attaches any user databases that were attached at the time the backup was created.
- Attach any user databases that were created after the last backup of the master database.
- Configure replication if necessary.
Warning: When you revert to the pre-SP4 version of SQL Server 2000, all changes made to the databases master, msdb, and model since applying SP4 are lost.
Common Errors on Carrollton Servers
1) You receive this error when you try to connect to the SQL instance (using EM or Query Analyzer).
Server: Msg 11004, Level 16, State 1
[Microsoft][ODBC SQL Server Driver]Cannot generate SSPI context
Edit the local hosts file using notepad to add an entry for the SQL instance (C:\WINNT\system32\drivers\etc\hosts).
Example entry: 164.57.107.165 riasatrsvcq01\riasatrsvcq01
See the following KB article for more information: http://support.microsoft.com/kb/843248/
2) I never documented the specific error, so I apologize for that. The fix was to add a network client alias for the SQL instance. The issue was that SQL wouldn’t come online either after it was taken offline in cluster administrator or after a failover to the secondary node. The event logs had a SQL error something to the effect of “an ODBC error in the sqldbconn.dll”, or something like that. Another common error message was something like “Unable to connect to SQL Server”.
Adding a network client alias fixed the issue.
Open the “Client Network Utility”. “Start” > “Programs” > “Microsoft SQL Server” > “Client Network Utility”.
Roll the “Aliases” tab forward
Add an entry for the SQL instance
Hit the “Add” button
Select “TCP\IP” for the ‘Network Library’
In the ‘Server alias’ text box, enter the name of the SQL instance
In the “Connection Parameters” area, enter the SQL instance name (example: riadalvcq01\riadalvcq01), and the port number.
Hit ‘OK’
Hit ‘OK’
3) SP4 install fails. Log files found on the primary node, sqlsp.log and sqlsp<n>.log, indicate that the SP4 install was successful on the primary node but failed on the secondary node. The sqlsp<n>.log on the secondary node contains the following:
00:22:01 Setup is installing Microsoft Data Access Components (MDAC) …
00:22:08 ExitCode: -1
00:22:08 Installation of the Microsoft Data Access Components package failed. (-1)
00:22:08 Installation Failed.
The following steps resolved this issue:
Download the MDAC 2.8 SP1 executable which is the same version level installed with SP4.
Run the MDAC 2.8 SP1 executable on the secondary node.
Rerun SP4 install from the primary node.
The SP4 install should complete successfully.
Continue on with steps 15-23 above.
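The setup-log checks described in the cluster installation steps and in the MDAC failure above, as an added example (not part of the original checklist). The first sample reuses the four log lines quoted above; the second is constructed, and the layout of its "Process Exit Code" lines and the SearchStp.exe line is an assumption, as is treating the line before an exit code as the command it belongs to.

```python
import re

# Matches both spellings seen in this document: "Process Exit Code" (the
# search term given in the install steps) and "ExitCode" (the MDAC excerpt).
EXIT_RE = re.compile(r"(?:Process Exit Code|ExitCode):\s*\(?(-?\d+)\)?")


def check_setup_log(text, uses_full_text=False):
    """Apply the checklist's three checks to the text of a sqlsp<n>.log file.

    1. Any non-zero exit code is a failure ...
    2. ... except one tied to SearchStp.exe, which is ignored unless the
       server uses MS Full Text Search.
    3. The last line must report "Installation Succeeded".
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    failures, ignored = [], []
    prev = ""
    for ln in lines:
        m = EXIT_RE.search(ln)
        if m and int(m.group(1)) != 0:
            # Assumption: the command an exit code belongs to is named on
            # the same line or on the line just before it.
            context = (prev + " " + ln).lower()
            if "searchstp.exe" in context and not uses_full_text:
                ignored.append(ln)
            else:
                failures.append(ln)
        prev = ln
    last = lines[-1] if lines else ""
    succeeded = "installation succeeded" in last.lower()
    return {"ok": succeeded and not failures,
            "failures": failures,
            "ignored": ignored,
            "last_line": last}


# The secondary-node excerpt quoted in this document.
FAILED_LOG = """\
00:22:01 Setup is installing Microsoft Data Access Components (MDAC) ...
00:22:08 ExitCode: -1
00:22:08 Installation of the Microsoft Data Access Components package failed. (-1)
00:22:08 Installation Failed.
"""

# Constructed sample: a SearchStp.exe "file not found" on an otherwise clean run.
SEARCHSTP_LOG = """\
10:30:15 C:\\sp4\\x86\\FullText\\SearchStp.exe /s
10:30:15 Process Exit Code: (2) The system cannot find the file specified.
10:41:02 Process Exit Code: (0)
10:41:09 Installation Succeeded.
"""

if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("searchstp", SEARCHSTP_LOG)):
        print(name, check_setup_log(log))
```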
—————————————————————————————————————————
SQL Failing during installation:
The script that continued failing during the install was replsys.sql. There are a number of articles about this failure. Below is a link to an article that helped walk me through it.
http://www.eggheadcafe.com/forumarchives/SQLServersetup/Jul2005/post23409196.asp
In step two, it says to delete the LCP key. The ACLs on this key prevented me from deleting it. I had to use REGEDT32 and take ownership of the tree starting at SuperSocketNetLib, and then grant full access. Once I did that, I could delete the key and proceed with the install on the standalone server.
On the cluster, the exact error is:
Buffer overrun detected!
Program (username)\LOCALS~1\Temp\_ISTMP1.DIR\_IN55576._MP
A buffer overrun has been detected which has corrupted the programs internal state. The program cannot safely continue execution and must now be terminated.
There are a number of articles on the web about this error as well. They describe issues with the domain controller's name being greater than 12 characters, the SQL Server instance name being greater than 12 characters, MSDTC running in the virtual server that SQL is running in and needing to be moved, and that a bad version of SQLsui.dll was failing. I followed the procedures for all of the different articles, and I even attempted to load SP3a instead of SP4. None of them worked in our instance, so we are retiring the server and moving the database to another newer server. This may require a call to Microsoft to make work.