[Dshield] RedHat systems seem to originate a lot of port 1433 attacks

Micheal Patterson micheal at cancercare.net
Wed May 22 18:06:46 GMT 2002

That's precisely why I stopped attempting to notify remote networks of
suspicious behavior. Many don't want to accept that they're passing infected
files/packages through their network. Others in various countries see it as
an insult to their abilities to manage their network if you simply inform
them that there may be an infected system within their network. I've been
doing this for some time now and I've always been of the mindset that even
though I've never had a breached system that I maintain, I always assume
that it will happen. If it does, I'll be prepared. If it doesn't, then I'm
still prepared.


Micheal Patterson
Network Administration
Cancer Care Network

----- Original Message -----
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Cc: "Samantha Fetter" <sama at enteract.com>
Sent: Wednesday, May 22, 2002 12:35 PM
Subject: [Dshield] RedHat systems seem to originate a lot of port 1433

> Samantha Fetter wrote:
> >
> > I've been informed that an exploit came out 2 days ago called SQLSmack,
> > UNIX based remote command execution for mssql.
> >
> > Cheers,
> > Samantha
> >
> This seems consistent with what we have been seeing. At least half of the
> systems hitting us (actually, all but a couple of the systems where someone
> was willing to talk to us!) were RedHat Linux systems.
>
> There seems to be A LOT of denial concerning this problem. We have
> received several angry phone calls and emails from people who our IDS
> notified that they were infected -- claiming that we were falsely accusing
> them and that they had never heard of a SQL Server worm or virus. Several
> were refusing to believe us when we sent them logs or packet dumps -- with
> some even refusing to allow us to send them additional evidence! I have
> NEVER seen such a problem before... Even with Code Red people were willing
> to believe they had a problem even though they never heard of it! Must be
> getting close to the full moon or something...
>
> Jon Kibler
> --
> Jon R. Kibler
> Systems Architect
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA