[Dshield] RedHat systems seem to originate a lot of port 1433 attacks

Jon R. Kibler Jon.Kibler at aset.com
Wed May 22 17:35:03 GMT 2002

Samantha Fetter wrote:
> I've been informed that an exploit came out 2 days ago called SQLSmack, a
> UNIX based remote command execution for mssql.
> Cheers,
> Samantha

This seems consistent with what we have been seeing. At least half of the systems hitting us (actually, all but a couple of the systems where someone was willing to talk to us!) were RedHat Linux systems. 

There seems to be A LOT of denial concerning this problem. We have received several angry phone calls and emails from people who our IDS notified that they were infected -- claiming that we were falsely accusing them and that they had never heard of a SQL Server worm or virus. Several were refusing to believe us when we sent them logs or packet dumps -- with some even refusing to allow us to send them additional evidence! I have NEVER seen such a problem before... Even with Code Red, people were willing to believe they had a problem even though they had never heard of it! Must be getting close to the full moon or something...

Jon Kibler
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA

