[Dshield] RedHat systems seem to originate a lot of port 1433 attacks

Jon R. Kibler Jon.Kibler at aset.com
Wed May 22 17:35:03 GMT 2002


Samantha Fetter wrote:
>
> I've been informed that an exploit came out 2 days ago called SQLSmack, a
> UNIX based remote command execution for mssql.
> 
> Cheers,
> Samantha
> 


This seems consistent with what we have been seeing. At least half of the systems hitting us (actually, all but a couple of the systems where someone was willing to talk to us!) were RedHat Linux systems. 

There seems to be A LOT of denial concerning this problem. We have received several angry phone calls and emails from people who our IDS notified that they were infected -- claiming that we were falsely accusing them and that they had never heard of a SQL Server worm or virus. Several were refusing to believe us when we sent them logs or packet dumps -- with some even refusing to allow us to send them additional evidence! I have NEVER seen such a problem before... Even with Code Red people were willing to believe they had a problem even though they never heard of it! Must be getting close to the full moon or something...

Jon Kibler
--
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA



