[unisog] earlier report of SQL slapper worm
Peter Van Epp
vanepp at sfu.ca
Tue Jan 28 18:39:32 GMT 2003
I'm currently scanning our argus logs from months past for accesses on
1433 and 1434 to see if I can see probes of the 5 machines that were hit here.
Most of the hits on our machines occurred in the first 2 minutes of the attack
which makes me think that the machines were pretargetted and seeded into one
or more attack machines. I'd encourage anyone else with historic argus logs to
also look back and see what we can see ...
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Tue, Jan 28, 2003 at 11:30:32AM -0600, Sean Lanham wrote:
> We were evaluating an Intrusion Protection Device last month. One thing we
> did see was a large SQL login attack every Tuesday during the month on
> December at approx. 12 CST for about 10 minutes. I am interested if anyone
> else saw a like attack.
> This very well could have been a hacker laying the ground work for the
> recent attack.
> -----Original Message-----
> From: Peter Van Epp [mailto:vanepp at sfu.ca]
> Sent: Monday, January 27, 2003 4:23 PM
> To: unisog at sans.org
> Subject: [unisog] earlier report of SQL slapper worm
> Am I misremembering (I can't now find the email in previous unisog
> saved mail but I may have deleted it) or did someone on here report a
> outbreak of the SQL slapper worm a few months ago? I remember scanning argus
> logs looking for UDP port 1434 after seeing a report (I think here) and not
> finding anything then giving up after a week or so. There was also a comment
> that it scanned addresses in the multicast range (which the SQL slapper did
> here on Friday night). If so I expect whoever is searching for the source
> be interested in the earlier report and anything that was discovered about a
> possible source ...
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
More information about the unisog