[unisog] earlier report of SQL slapper worm

Russell Fulton r.fulton at auckland.ac.nz
Wed Jan 29 20:12:12 GMT 2003


Scans may not necessarily have been for UDP 1434. We have been seeing
repeated scans for TCP 1433 for months (since the original MS SQL worm)
and think nothing of them.  If a machine is listening on TCP 1443 then
the odds are very high that it will also be listening on 1434  UPD.

What the authors may have done is scanned on TCP 1433 and used the hits
as a seed list.

I'm still convinced that this was very widely seeded, several 1000
systems at least.

One other thing that is puzzling us is that some machine that were
vulnerable and exposed escaped, yet given the probing rate and the
lenght of time before the traffic was blocked the probability of them
not getting hit is very small (assuming uniform distribution).  We
therefore conclude (reductio ad adsurdum) that the distribution was non
uniform and that we got lucky.

Cheers, Russell.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin



More information about the unisog mailing list