[Dshield] SQLSnake

John Sage jsage at finchhaven.com
Wed Jul 10 16:19:50 GMT 2002

On Tue, Jul 09, 2002 at 03:03:36PM -0400, Jon R. Kibler wrote:
> To All:
> It amazes me how many times each day we are still getting hit with SQLsnake probes. Given the nature of this worm -- as I understand it, it exploits the lack of a password on a server admin account -- I would think that someone would have developed a 'snake killer' that would simply shut down the infected system. That is, the program would also take advantage of the lack of proper passwords to issue the command(s) to shut down the server.
> Is this indeed possible? (If not, what am I missing?) Has such a program been developed and from where is it available?

I think that this sort of activity (unleashing a countermeasure that
attacks attacking systems..) has been generally discussed, the
discussion then breaking down into two camps:

1) If you introduce an agent that "shuts down the infected system" you
are really doing nothing different than the original blackhat, with
the possible exception that you think what *you* are doing is


2) Screw 'em - they've been hacked, and if they're too dumb to prevent
it, they deserve whatever they get.

Legally, I think most opinions seem to be that someone cannot
generally introduce a countermeasure that "..shuts down an infected
system.." without suffering legal liability for trespass, damages, etc

- John
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
