[Dshield] SQLSnake

Johannes Ullrich jullrich at sans.org
Tue Jul 9 20:05:34 GMT 2002


> Is this indeed possible? (If not, what am I missing?) Has such a
> program been developed and from where is it available? Thanks!

Before it starts scanning, the worm will set up a random admin
password on the system (and it emails the new password to the
worm 'writer'). So there is no easy way to fix it. Also: doing
so would be illegal without consent from the owner.

The number of sources is getting smaller (down from 5000 to
about 2500 over the last 30 days):
http://isc.incidents.org/port_details.html?port=1433&recax=1&tarax=1&srcax=2

It also looks from this graph that there is a 7-day cycle to it,
which kind of indicates a good chunk of dial-up / part-time users.
They are hard to find for ISPs.

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org