[unisog] new virus?

James Riden j.riden at massey.ac.nz
Wed Feb 23 22:44:21 GMT 2005


"BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu> writes:

> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
>
> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL
> servers.  It seems to be doing some sort of a login attempt/attack.  My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.

Got any logs of IRC traffic to/from infected machines? Some bot
variants will run a scan on a particular network for any of several
vulnerabilities - ms04-011 being the most popular, but mssql is also
an option - e.g.:

#(3 - 402620) [2004-12-05 05:56:00.653] [snort/1000168]  
IPv4: x.x.x.x -> y.y.y.y
      hlen=5 TOS=0 dlen=90 ID=18268 flags=0 offset=0 TTL=128 chksum=45644
TCP:  port=2582 -> dport: 5003  flags=***AP*** seq=841379601
      ack=879810496 off=5 res=0 win=15250 urp=0 chksum=21479
Payload:  length = 50

000 : 50 52 49 56 4D 53 47 20 23 XX XX XX XX XX XX 20   PRIVMSG #XXXXXX 
010 : 3A 6D 73 73 71 6C 3A 20 65 78 70 6C 6F 69 74 65   :mssql: exploite
020 : 64 20 28 zz zz zz 2E zz zz zz 2E zz 2E zz zz 29   d (zzz.zzz.z.zz)
030 : 0D 0A    

cheers,
 Jamie
-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
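A small detection helper, added here as an example and not part of the original thread: it decodes a snort-style payload dump in the same layout as the alert quoted above (masked bytes such as XX/zz become '?'), parses the IRC PRIVMSG and flags channel messages in which a bot reports a scan or exploit result. The sample dump and the keyword list are constructed for this example.

```python
import re

# Constructed sample in the same "offset : 16 hex bytes   ascii" layout as the
# snort dump quoted above, including its masked XX/zz bytes.
SAMPLE_DUMP = """\
000 : 50 52 49 56 4D 53 47 20 23 XX XX XX XX XX XX 20   PRIVMSG #XXXXXX
010 : 3A 6D 73 73 71 6C 3A 20 65 78 70 6C 6F 69 74 65   :mssql: exploite
020 : 64 20 28 zz zz zz 2E zz zz zz 2E zz 2E zz zz 29   d (zzz.zzz.z.zz)
030 : 0D 0A
"""

# Words a bot commonly echoes to its channel after a scan or exploit step
# (constructed list; extend it from your own captures).
REPORT_KEYWORDS = ("exploited", "mssql", "ms04-011", "scan")

def decode_hexdump(dump: str) -> bytes:
    """Rebuild the payload bytes from dump lines. Assumes the 16-byte column
    layout shown above (48 characters of hex before the ASCII column).
    Masked tokens that are not valid hex (XX, zz) are emitted as '?'."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9A-Fa-f]{3} : (.*)", line)
        if not m:
            continue
        for tok in m.group(1)[:48].split():
            if re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                out.append(int(tok, 16))
            else:
                out.append(ord("?"))
    return bytes(out)

def parse_privmsg(payload: bytes):
    """Parse 'PRIVMSG <target> :<text>\\r\\n'; return None for other IRC lines."""
    text = payload.decode("latin-1").rstrip("\r\n")
    m = re.match(r"PRIVMSG (\S+) :(.*)", text)
    if not m:
        return None
    return {"target": m.group(1), "text": m.group(2)}

def is_bot_report(payload: bytes) -> bool:
    """True if the payload is a PRIVMSG whose text carries a scan/exploit keyword."""
    msg = parse_privmsg(payload)
    if msg is None:
        return False
    lowered = msg["text"].lower()
    return any(k in lowered for k in REPORT_KEYWORDS)

if __name__ == "__main__":
    payload = decode_hexdump(SAMPLE_DUMP)
    print(parse_privmsg(payload), is_bot_report(payload))
```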