[unisog] earlier report of SQL slapper worm

Russell Fulton r.fulton at auckland.ac.nz
Tue Jan 28 20:56:27 GMT 2003


On Wed, 2003-01-29 at 07:39, Peter Van Epp wrote:
> 	I'm currently scanning our argus logs from months past for accesses on 
> 1433 and 1434 to see if I can see probes of the 5 machines that were hit here. 
> Most of the hits on our machines occurred in the first 2 minutes of the attack 
> which makes me think that the machines were pretargetted and seeded into one 
> or more attack machines. I'd encourage anyone else with historic argus logs to 
> also look back and see what we can see ...

>From looking at our network logs (argus) I am convinced that the the
worm was very widely seeded.  We picked up 1000s of machines scanning in
the first two minutes of the attack, there was no exponential rise, it
was just straight up (well within the granularity of my time
measurements anyway). 

I'm guessing that the attackers had a seeding version of the worm that
had a large target list (in the order of tens of thousands of vulnerable
hosts) which it delivered its payload to.


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin



More information about the unisog mailing list