[Dshield] SQLSnake

Thomas Liston tliston at premmag.com
Wed Jul 10 19:13:41 GMT 2002


Compromising someone else's machine, even if it is for "benevolent" 
reasons, is crossing the line.  That being said, I don't believe that 
there is a single person in the security field who hasn't wrestled 
with the idea.

If you want to *do* something about SQLSnake et. al. and not have to 
worry about legal issues, I would humbly suggest downloading LaBrea 
(http://www.hackbusters.net) and setting up a tarpit.

SQLSnake's initial port 1433 scan is slowed, and because LaBrea 
virtual machines respond, it is lured back to play with all of the 
open MSSQL "servers" that it finds.  When it does that, it stays for 
good...

Then you can contact the hosts and get them shut down and patched, or 
let DShield do it for you...

-TL

On Tue, Jul 09, 2002 at 03:03:36PM -0400, Jon R. Kibler wrote:

> To All:
> 
> It amazes me how many times each day we are still getting hit with SQLsnake probes. Given the nature of this worm -- as I understand it, it exploits the lack of a password on a server admin account -- I would think that someone would have developed a 'snake killer' that would simply shut down 
the infected system. That is, the program would also take advantage of the lack of proper passwords to issue the command(s) to shut down the server. 
> 
> Is this indeed possible? (If not, what am I missing?) Has such a program been developed and from where is it available?

Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net




More information about the list mailing list