[Dshield] Increasing number of SQL_Slammer_Worm
jeff-kell at utc.edu
Sat Aug 13 17:46:34 GMT 2005
Joel Esler wrote:
> Using RealSecure eh?
> On 8/12/05, Henderson, Henry <Henry.Henderson at oa.mo.gov> wrote:
>>In the last couple of days we have been seeing an increasing number of
>>SQL_Slammer_Worm attempts against our public sites.
There is (almost) always a degree of udp/1434 "background noise" since Slammer. We block it outright at the edge so I never bother to analyze it anymore. As I've noted before [if not here, somewhere] almost every time I update our ingress filters (momentarily exposing us) I get a few Slammer hits on the IDS, and they are usually the genuine article (fully articulated Slammer).
However... I had a case Friday of an internal Windows server that started spewing out udp/1434 to random addresses in a common /16 address block (first two octets were constant). Source port was constant (1850 in this case), destination port udp/1434, payload always exactly one byte - 0x0A.
I found a writeup for SQL Ping, which is used to locate SQL servers, but it uses a payload of 0x02.
This one is 0x0A, which fires off the bleeding-snort rule 2000381 (MS-SQL DOS bouncing packets), and indeed the reference says SQL will bounce back the 0x0A to the sender, and so on. Their reference is listed as http://www.nextgenss.com/papers/tp-SQL2000.pdf.
I didn't have physical access to the server in question, so I shut down its port for the weekend. Won't have any forensics until next week.
The timing of the hits and scattered destinations of the traffic looked just like a bot scan, but I've never seen SQL udp traffic out of a bot before.
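The traffic pattern described in this post (an internal host, a constant source port, udp/1434 destinations scattered across one /16, a one-byte 0x0A payload) can be picked out of flow or packet records with a small amount of per-source aggregation. The following is an added example, not code from the original post or from any IDS project; the record format and all IP addresses are constructed for illustration, and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, udp_payload).
# Host 10.1.2.3 mimics the post's case: constant source port 1850, destinations
# spread over one /16, payload always exactly one byte 0x0A.
SAMPLE_RECORDS = [
    ("10.1.2.3", 1850, "198.51.100.7", 1434, b"\x0a"),
    ("10.1.2.3", 1850, "198.51.100.200", 1434, b"\x0a"),
    ("10.1.2.3", 1850, "198.51.3.9", 1434, b"\x0a"),
    ("10.1.2.3", 1850, "198.51.77.1", 1434, b"\x0a"),
    ("10.1.2.3", 1850, "198.51.200.44", 1434, b"\x0a"),
    ("10.1.2.3", 1850, "198.51.12.12", 1434, b"\x0a"),
    # A single SQL Ping (0x02) from an admin box: one destination, not a scan.
    ("10.1.2.4", 49152, "198.51.100.7", 1434, b"\x02"),
    # Unrelated UDP traffic on another port, ignored by the detector.
    ("10.1.2.5", 53001, "198.51.100.9", 53, b"\x00\x01"),
]

MSSQL_RESOLUTION_PORT = 1434          # SQL Server resolution service, udp/1434
SQL_PING_PAYLOAD = b"\x02"            # payload the post attributes to SQL Ping
BOUNCE_PAYLOAD = b"\x0a"              # payload the post says SQL bounces back


def classify_payload(payload: bytes) -> str:
    """Label a udp/1434 payload by the two one-byte probes the post mentions."""
    if payload == SQL_PING_PAYLOAD:
        return "sql-ping-0x02"
    if payload == BOUNCE_PAYLOAD:
        return "bounce-0x0a"
    return "other"


def find_udp1434_scanners(records, min_destinations=5):
    """Return one finding per source host that sprays udp/1434 at many hosts.

    A finding records whether the source port stayed constant and whether all
    destinations fall in a single /16, the two traits the post used to judge
    the traffic as a bot-style scan. min_destinations is an assumed threshold.
    """
    per_src = defaultdict(list)
    for src_ip, src_port, dst_ip, dst_port, payload in records:
        if dst_port != MSSQL_RESOLUTION_PORT:
            continue
        per_src[src_ip].append((src_port, dst_ip, payload))

    findings = []
    for src_ip, hits in per_src.items():
        destinations = {dst for _, dst, _ in hits}
        if len(destinations) < min_destinations:
            continue
        src_ports = {port for port, _, _ in hits}
        slash16s = {str(ip_network(f"{dst}/16", strict=False)) for dst in destinations}
        findings.append({
            "src_ip": src_ip,
            "destinations": len(destinations),
            "constant_src_port": len(src_ports) == 1,
            "src_port": next(iter(src_ports)) if len(src_ports) == 1 else None,
            "shared_slash16": next(iter(slash16s)) if len(slash16s) == 1 else None,
            "payload_kinds": {classify_payload(p) for _, _, p in hits},
            "all_one_byte": all(len(p) == 1 for _, _, p in hits),
        })
    return findings


if __name__ == "__main__":
    for finding in find_udp1434_scanners(SAMPLE_RECORDS):
        print(finding)
```

Run over the constructed records, only 10.1.2.3 is reported: six distinct destinations, all inside 198.51.0.0/16, a constant source port of 1850, and every payload the single byte 0x0A. The lone 0x02 probe from 10.1.2.4 stays below the destination threshold, which is the point of aggregating per source rather than alerting on each packet: a one-off SQL Ping and a sustained spray look identical at the packet level and only differ in fan-out.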