[unisog] earlier report of SQL slapper worm

Michael Anderson mca at arlut.utexas.edu
Tue Jan 28 20:50:05 GMT 2003


I'm scanning my logs also and I'm seeing large probes for 1434 starting 
on October 20th from a German dial-up.  I found another from an Italian 
DSL on October 23rd.  Anyone else see anything earlier than this?

-Mike Anderson

Peter Van Epp wrote:

>	I'm currently scanning our argus logs from months past for accesses on 
>1433 and 1434 to see if I can see probes of the 5 machines that were hit here. 
>Most of the hits on our machines occurred in the first 2 minutes of the attack 
>which makes me think that the machines were pretargeted and seeded into one 
>or more attack machines. I'd encourage anyone else with historic argus logs to 
>also look back and see what we can see ...
>
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
>
>On Tue, Jan 28, 2003 at 11:30:32AM -0600, Sean Lanham wrote:
>  
>
>>We were evaluating an Intrusion Protection Device last month. One thing we
>>did see was a large SQL login attack every Tuesday during the month of
>>December at approx. 12 CST for about 10 minutes. I am interested if anyone
>>else saw a like attack.
>>
>>This very well could have been a hacker laying the groundwork for the
>>recent attack.
>>
>>-----Original Message-----
>>From: Peter Van Epp [mailto:vanepp at sfu.ca] 
>>Sent: Monday, January 27, 2003 4:23 PM
>>To: unisog at sans.org
>>Subject: [unisog] earlier report of SQL slapper worm
>>
>>	Am I misremembering (I can't now find the email in previous unisog
>>saved mail but I may have deleted it) or did someone on here report a limited
>>outbreak of the SQL slapper worm a few months ago? I remember scanning argus
>>logs looking for UDP port 1434 after seeing a report (I think here) and not 
>>finding anything then giving up after a week or so. There was also a comment
>>that it scanned addresses in the multicast range (which the SQL slapper did 
>>here on Friday night). If so I expect whoever is searching for the source will
>>be interested in the earlier report and anything that was discovered about a
>>possible source ...
>>
>>Peter Van Epp / Operations and Technical Support 
>>Simon Fraser University, Burnaby, B.C. Canada
>>    
>>
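
Added example, not part of the original message or of any poster's tooling: one way to run the look-back described in this thread, listing which sources touched 1433/1434 on later-infected hosts before the outbreak. It assumes flow records were exported to a five-column CSV (time, protocol, source, destination, destination port); the column layout, addresses, victim list and cut-off time are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# SQL Server listener (TCP 1433) and resolution service (UDP 1434).
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}

# Constructed sample: start time, protocol, source, destination, dest port.
SAMPLE_FLOWS = """\
2002-10-20 03:14:07,udp,198.51.100.7,192.0.2.10,1434
2002-10-20 03:14:08,udp,198.51.100.7,192.0.2.11,1434
2002-10-23 19:02:41,udp,203.0.113.50,192.0.2.10,1434
2002-12-03 12:00:12,tcp,203.0.113.9,192.0.2.30,1433
2002-12-10 12:01:44,tcp,203.0.113.9,192.0.2.30,1433
2003-01-10 08:00:00,tcp,198.51.100.20,192.0.2.10,80
2003-01-25 00:31:02,udp,203.0.113.77,192.0.2.10,1434
2003-01-25 00:31:03,udp,203.0.113.77,192.0.2.99,1434
"""

def parse_flows(text):
    """Yield (time, proto, src, dst, dport) tuples from the CSV export."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort a long scan
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        yield when, row[1].lower(), row[2], row[3], int(row[4])

def pre_outbreak_probes(flows, hit_hosts, outbreak_start):
    """Map each later-infected host to the sources that probed it earlier."""
    seen = defaultdict(list)
    for when, proto, src, dst, dport in flows:
        if (proto, dport) in SQL_PORTS and dst in hit_hosts and when < outbreak_start:
            seen[dst].append((when, src, dport))
    return {dst: sorted(hits) for dst, hits in seen.items()}

def first_probe(flows):
    """Return the earliest flow to either SQL Server port, or None."""
    hits = [f for f in flows if (f[1], f[4]) in SQL_PORTS]
    return min(hits, default=None)

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    hit = {"192.0.2.10", "192.0.2.30"}        # constructed victim list
    outbreak = datetime(2003, 1, 25, 0, 30)   # constructed cut-off time
    for dst, hits in pre_outbreak_probes(flows, hit, outbreak).items():
        for when, src, dport in hits:
            print(f"{dst} probed on {dport} by {src} at {when}")
    print("earliest:", first_probe(flows))
```

A source that appears against several later-infected hosts but few others is the pattern that would support the pretargeting idea raised in the thread; a source that swept the whole range does not.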



