[unisog] earlier report of SQL slapper worm

Laurie Zirkle lat at cns.vt.edu
Wed Jan 29 13:01:03 GMT 2003


I saw some small scans as far back as 2001:
Jan 16 23:14:08 213.96.78.198:59887 -> z.y.x.98:1434 SYN ******S*
Jan 16 23:25:13 213.96.78.198:35891 -> z.y.x.98:1434 SYN ******S*
Jan 16 23:34:44 213.96.78.198:35900 -> z.y.x.98:1434 SYN ******S*
Jan 16 23:39:43 213.96.78.198:35903 -> z.y.x.98:1434 SYN ******S*
May 29 09:05:05 62.155.251.2:36408 -> 198.82.161.28:1434 SYN ******S*
May 31 02:44:56 24.113.162.104:51218 -> a.b.c.62:1434 SYN ******S*
May 31 04:00:10 24.113.162.104:51219 -> a.b.e.48:1434 SYN ******S*
May 31 04:03:02 24.113.162.104:51222 -> a.b.e.48:1434 SYN ******S*
May 31 04:57:11 24.113.162.104:51219 -> a.b.e.229:1434 SYN ******S*
May 31 05:00:03 24.113.162.104:51222 -> a.b.e.229:1434 SYN ******S*
May 31 05:42:54 24.113.162.104:51219 -> a.b.f.133:1434 SYN ******S*
May 31 05:45:46 24.113.162.104:51222 -> a.b.f.133:1434 SYN ******S*
Oct 24 23:32:34 62.149.163.98:1057 -> a.b.c.62:1434 SYN ******S*


Then in 2002 I only saw:
Apr 28 21:40:08 24.226.255.7:3325 -> z.y.x.34:1434 SYN ******S*
Jun 25 11:54:36 213.221.130.100:61017 -> a.b.w.62:1434 SYN ******S*
Jun 27 11:55:57 213.221.130.100:61255 -> a.b.w.62:1434 SYN ******S*
Jun 27 12:28:35 213.221.130.100:63516 -> a.b.c.49:1434 SYN ******S*
Jun 28 07:00:29 213.221.130.100:61488 -> a.b.w.62:1434 SYN ******S*
Jun 28 07:26:19 213.221.130.100:63353 -> a.b.c.49:1434 SYN ******S*

And in 2003:
Jan 11 05:06:56 host /kernel: Connection attempt to UDP a.b.w.62:1434 from 64.225.119.200:2075
Jan 16 03:21:49 host /kernel: Connection attempt to UDP a.b.w.62:1434 from 64.225.119.200:3861

which was it until the 25th.

--
Laurie

From the fingers of Michael Anderson:
> I'm scanning my logs also and I'm seeing large probes for 1434 starting 
> on October 20th from a German dial up.  I found another from an Italian 
> dsl on October 23rd.  Anyone else see anything earlier than this?
> 
> -Mike Anderson
> 
> Peter Van Epp wrote:
> 
> > I'm currently scanning our argus logs from months past for accesses 
> > on 1433 and 1434 to see if I can see probes of the 5 machines that were 
> > hit here. Most of the hits on our machines occurred in the first 2 minutes 
> > of the attack which makes me think that the machines were pretargetted and 
> > seeded into one or more attack machines. I'd encourage anyone else with 
> > historic argus logs to also look back and see what we can see ...
> >

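The following is an added example, not part of Laurie's post or of the unisog thread, of the retrospective search the thread is doing by hand: it normalises the two log formats quoted above (a portscan-style "src:port -> dst:port SYN ******S*" line and a kernel "Connection attempt to UDP dst:port from src:port" line), keeps only probes to the MS SQL ports 1433/1434, and reports each source's first probe, probe count and distinct targets, so early scanners stand out. Syslog timestamps carry no year, so the caller passes the year of the file each set of lines came from, as Laurie did by grouping her excerpts by year. The sample lines are constructed from the excerpts in the post, with a port-1433, a port-80, a port-53 and one junk line added to show the filtering; the function names and the anonymised hosts such as a.b.c.62 are illustrative.

```python
"""Find the earliest TCP/UDP 1433/1434 probes per source across syslog-style files."""
import re

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Portscan-style line: "Jan 16 23:14:08 src:sport -> dst:dport SYN ******S*"
SCAN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<flags>.+)$")

# Kernel line: "Jan 11 05:06:56 host /kernel: Connection attempt to UDP dst:dport from src:sport"
KERNEL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+)$")


def parse_line(line, year):
    """Normalise one line from either format into a dict, or return None.

    Syslog timestamps carry no year, so the caller supplies the year of the
    file the line came from. Hosts are kept as strings because the logs in
    the post carry anonymised octets such as a.b.c.62.
    """
    m = SCAN_RE.match(line)
    if m:
        proto = "TCP"  # the SYN/flag column only appears for TCP probes
    else:
        m = KERNEL_RE.match(line)
        if not m:
            return None
        proto = m.group("proto")
    mon = MONTHS.get(m.group("mon"))
    if mon is None:
        return None
    stamp = "%04d-%02d-%02d %s" % (year, mon, int(m.group("day")), m.group("time"))
    return {"ts": stamp, "proto": proto, "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def find_probes(lines, year, ports=(1433, 1434)):
    """Return parsed records whose destination port is one of the SQL Server ports."""
    out = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"), year)
        if rec and rec["dport"] in ports:
            out.append(rec)
    return out


def earliest_by_source(records):
    """Collapse probes per source: first timestamp, probe count, targets, proto/port."""
    summary = {}
    for r in sorted(records, key=lambda r: r["ts"]):  # ISO stamps sort as strings
        s = summary.setdefault(r["src"], {"first": r["ts"], "count": 0,
                                          "targets": set(), "protos": set()})
        s["count"] += 1
        s["targets"].add(r["dst"])
        s["protos"].add("%s/%d" % (r["proto"], r["dport"]))
    return summary


def scan_files(files, ports=(1433, 1434)):
    """files: iterable of (year, lines). Returns (src, summary) pairs, earliest probe first."""
    records = []
    for year, lines in files:
        records.extend(find_probes(lines, year, ports))
    return sorted(earliest_by_source(records).items(), key=lambda kv: kv[1]["first"])


# Constructed sample input modelled on the excerpts in the post; the 1433, port-80,
# port-53 and junk lines are added here to show that only SQL ports are kept.
SAMPLE_2001 = """\
Jan 16 23:14:08 213.96.78.198:59887 -> z.y.x.98:1434 SYN ******S*
Jan 16 23:25:13 213.96.78.198:35891 -> z.y.x.98:1434 SYN ******S*
May 31 02:44:56 24.113.162.104:51218 -> a.b.c.62:1434 SYN ******S*
May 31 04:00:10 24.113.162.104:51219 -> a.b.e.48:1434 SYN ******S*
Jun 27 12:28:35 213.221.130.100:63516 -> a.b.c.49:1433 SYN ******S*
Jun 27 12:29:01 213.221.130.100:63517 -> a.b.c.49:80 SYN ******S*
""".splitlines()

SAMPLE_2003 = """\
Jan 11 05:06:56 host /kernel: Connection attempt to UDP a.b.w.62:1434 from 64.225.119.200:2075
Jan 16 03:21:49 host /kernel: Connection attempt to UDP a.b.w.62:1434 from 64.225.119.200:3861
Jan 16 03:22:00 host /kernel: Connection attempt to UDP a.b.w.62:53 from 64.225.119.200:3862
this line is not a probe record at all
""".splitlines()

if __name__ == "__main__":
    for src, s in scan_files([(2001, SAMPLE_2001), (2003, SAMPLE_2003)]):
        print("%s  first=%s  probes=%d  targets=%d  %s" % (
            src, s["first"], s["count"], len(s["targets"]), ",".join(sorted(s["protos"]))))
```

Run against a real archive, replace the SAMPLE_* lists with the lines of each year's log file and pass the matching year; the per-source "first" column is what answers the thread's question of who was probing 1434 before the worm, and the proto/port column separates the TCP 1433/1434 SYN scans of 2001-2002 from the UDP 1434 traffic seen in 2003.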