[unisog] earlier report of SQL slapper worm

Peter Van Epp vanepp at sfu.ca
Wed Jan 29 16:54:47 GMT 2003

On Tue, Jan 28, 2003 at 01:36:12PM -0800, Tom Perrine wrote:
> >>>>> On Tue, 28 Jan 2003 10:39:32 -0800, Peter Van Epp <vanepp at sfu.ca> said:
>     PVE> 	I'm currently scanning our argus logs from months past for accesses on 
>     PVE> 1433 and 1434 to see if I can see probes of the 5 machines that were hit here. 
>     PVE> Most of the hits on our machines occurred in the first 2 minutes of the attack 
>     PVE> which makes me think that the machines were pretargeted and seeded into one 
>     PVE> or more attack machines. I'd encourage anyone else with historic argus logs to 
>     PVE> also look back and see what we can see ...
> Being hit in the first 2 minutes doesn't mean that you were in the
> "hit list".  It seems to have hit 100K+ machines in the first 5
> minutes.
> I think that CAIDA will have some analysis up Real Soon Now.
> --tep
> -- 
> Tom E. Perrine <tep at SDSC.EDU> | San Diego Supercomputer Center 
> http://www.sdsc.edu/~tep/     | 

	Looking at the logs more closely I'm coming to agree. Most of the 5
machines got hit multiple times from different machines in the first couple
of minutes, which does look more like shotgun volume than targeting. I was
expecting to find the same machine poking at all 5 hosts and I didn't (or
at least it isn't obvious). The interesting one is that the first machine hit 
shows no external hits at all before it starts scanning. The first recorded hit
is a couple of minutes after it started scanning, although it's possible that 
argus missed the packet that compromised it. There are two connections from 
adsl machines on port 1433 earlier in the day which look interesting, however 
(preloading the exploit set to go off at 21:30 or a random 1433 scan?). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
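
The three checks described in the message above (one source touching every
victim, a victim scanning before any recorded inbound hit, and 1433/1434
contacts earlier in the day), as an added example that is not part of the
original post. The flow records, addresses and the CSV layout are constructed
for illustration and are not real argus output.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

PORTS = {1433, 1434}  # SQL Server TCP port and resolution-service UDP port

# Constructed flows (assumed layout): time,proto,src,sport,dst,dport
SAMPLE = """\
2003-01-01 14:02:10,tcp,198.51.100.7,3211,192.0.2.11,1433
2003-01-01 21:30:05,udp,192.0.2.10,1045,203.0.113.9,1434
2003-01-01 21:30:40,udp,203.0.113.50,2001,192.0.2.11,1434
2003-01-01 21:31:02,udp,203.0.113.77,4100,192.0.2.11,1434
2003-01-01 21:31:15,udp,192.0.2.11,1050,198.51.100.200,1434
2003-01-01 21:32:20,udp,203.0.113.91,2002,192.0.2.10,1434
"""
VICTIMS = {"192.0.2.10", "192.0.2.11"}  # hypothetical compromised hosts

def load(text):
    """Parse the constructed CSV into time-ordered (ts, src, dst, dport) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, _proto, src, _sport, dst, dport = row
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)))
    return sorted(rows)

def analyse(rows, victims):
    inbound, first_out = [], {}
    for ts, src, dst, dport in rows:
        if dport not in PORTS:
            continue
        if dst in victims and src not in victims:
            inbound.append((ts, src, dst, dport))   # external host -> victim
        elif src in victims and dst not in victims:
            first_out.setdefault(src, ts)           # victim's first outbound scan
    first_in, probers = {}, defaultdict(set)
    for ts, src, dst, _dport in inbound:
        first_in.setdefault(dst, ts)
        probers[src].add(dst)
    onset = min(first_out.values()) if first_out else None
    return {
        # Sources that touched every victim (evidence for a pre-built hit list)
        "common_sources": sorted(s for s, hit in probers.items() if hit == set(victims)),
        # Victims that scanned before any recorded inbound hit (missed packet?)
        "scanned_before_hit": sorted(
            v for v, t in first_out.items() if v not in first_in or t < first_in[v]),
        # Inbound contacts before the first victim began scanning
        "early_contacts": [(s, d, p) for ts, s, d, p in inbound if onset and ts < onset],
    }
```
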
