[Dshield] SQLSlammer & Netsky.E

Doug White doug at clickdoug.com
Thu Mar 18 02:50:46 GMT 2004


I think if you want to pick up the SQL Slammer infection just merely expose an
unpatched version of SQL2k to the internet on Port 1433 for a very short time,
and you will find it compromised.  This worm was not propagated via email, etc.
such as the latest onslaught has been.  There are sufficient port 1433 probes
going on that infection should occur within a very short time, possibly minutes
after the database is made available.  For this infection, user intervention is
not required.
Careful monitoring will be needed to take this machine offline as soon as it
receives the worm, to prevent it contributing to the madness by spreading itself
around.  You should have your material for your case study then.


----- Original Message ----- 
From: "Benjamin M.A. Robson" <ben at robson.ph>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, March 17, 2004 6:19 PM
Subject: RE: [Dshield] SQLSlammer & Netsky.E


: Doug,
:
: In this particular case, no I couldn't.
:
: The attack vector for the test is to insert the SQLSlammer worm into
: their environment via an 'upload' function within their web portal.  The
: intention being to upload the file to their semi-public area, and to
: have it in such a way as to either convince one of their 'authorised'
: customers to execute it thus infecting the customer (remember this is a
: non-production system so this wasn't going to actually happen) or for an
: operator (or a system they use) to execute it and thus inject it into
: their internal systems.
:
: All of this is to be done from outside of their environment with no more
: than a username and password granted for the web portal (acting as if I
: am a pissed off customer or the like).  As such, a command-line style
: scanner would not do the job.
:
: Thanks for mentioning the tool however.
:
: BenR
:
:
:
: On Thu, 2004-03-18 at 05:39, Doug Goss wrote:
: > You could use scanslam
: > http://www.robertgraham.com/tools/scanslam/
: > Doug Goss
: >
: >
: > Benjamin M.A. Robson wrote:
: >
: > >I know this is going to be controversial but...
: > >
: > >The desire for Netsky.E could (and was) served by Eicar.  But I want
: > >SQLSlammer as the intention of this test is to actually perform a
: > >destructive test with the objective of causing systems to fail.
: > >
: >
: > _______________________________________________
: > list mailing list
: > list at dshield.org
: > To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



