[unisog] earlier report of SQL slapper worm

Sean Lanham slanham at uta.edu
Tue Jan 28 17:30:32 GMT 2003


We were evaluating an Intrusion Protection Device last month. One thing we
did see was a large SQL login attack every Tuesday during the month on
December at approx. 12 CST for about 10 minutes. I am interested if anyone
else saw a like attack.

This very well could have been a hacker laying the ground work for the
recent attack.

-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca] 
Sent: Monday, January 27, 2003 4:23 PM
To: unisog at sans.org
Subject: [unisog] earlier report of SQL slapper worm

	Am I misremembering (I can't now find the email in previous unisog
saved mail but I may have deleted it) or did someone on here report a
limited
outbreak of the SQL slapper worm a few months ago? I remember scanning argus
logs looking for UDP port 1434 after seeing a report (I think here) and not 
finding anything then giving up after a week or so. There was also a comment

that it scanned addresses in the multicast range (which the SQL slapper did 
here on Friday night). If so I expect whoever is searching for the source
will
be interested in the earlier report and anything that was discovered about a
possible source ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



More information about the unisog mailing list