[unisog] new virus?
j.riden at massey.ac.nz
Wed Feb 23 22:44:21 GMT 2005
"BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu> writes:
> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
> McAfee shows it as being an SDBOT variant. But, it only attacks SQL
> servers. It seems to be doing some sort of a login attempt/attack. My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.
Got any logs of IRC traffic to/from infected machines? Some bot
variants will run a scan on a particular network for any of several
vulnerabilities - ms04-011 being the most popular, but mssql is also
an option - e.g.:
#(3 - 402620) [2004-12-05 05:56:00.653] [snort/1000168]
IPv4: x.x.x.x -> y.y.y.y
hlen=5 TOS=0 dlen=90 ID=18268 flags=0 offset=0 TTL=128 chksum=45644
TCP: port=2582 -> dport: 5003 flags=***AP*** seq=841379601
ack=879810496 off=5 res=0 win=15250 urp=0 chksum=21479
Payload: length = 50
000 : 50 52 49 56 4D 53 47 20 23 XX XX XX XX XX XX 20 PRIVMSG #XXXXXX
010 : 3A 6D 73 73 71 6C 3A 20 65 78 70 6C 6F 69 74 65 :mssql: exploite
020 : 64 20 28 zz zz zz 2E zz zz zz 2E zz 2E zz zz 29 d (zzz.zzz.z.zz)
030 : 0D 0A
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
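The snort alert above is the kind of artefact a responder wants to pull the bot's own status report out of: the infected host tells its IRC channel which scanner module succeeded and against which address. The following Python is an added example, not code from the original post or from the poster; it rebuilds the raw payload from a snort-style hex dump (keeping the XX/zz redaction letters as snort printed them) and extracts "<module>: exploited (<victim>)" reports from IRC PRIVMSG lines. The report pattern is taken from the one alert shown; that other scanner modules report in the same shape is an assumption, and the second sample payload (the "lsass" line and the 192.0.2.x address) is constructed for illustration.

```python
import re

# Sample dump constructed from the alert in the post, with the channel name and
# victim address redacted to XX / zz exactly as in the original message.
SAMPLE_DUMP = """\
000 : 50 52 49 56 4D 53 47 20 23 XX XX XX XX XX XX 20 PRIVMSG #XXXXXX
010 : 3A 6D 73 73 71 6C 3A 20 65 78 70 6C 6F 69 74 65 :mssql: exploite
020 : 64 20 28 zz zz zz 2E zz zz zz 2E zz 2E zz zz 29 d (zzz.zzz.z.zz)
030 : 0D 0A
"""

# Constructed second payload (assumption: the ms04-011/lsass scanner module
# reports in the same "<module>: exploited (<ip>)" shape as the mssql one).
SAMPLE_IRC = (b"PRIVMSG #bots :hello\r\n"
              b"PRIVMSG #bots :lsass: exploited (192.0.2.10)\r\n")

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")
REDACTED_TOKEN = re.compile(r"^[A-Za-z]{2}$")   # e.g. "XX" or "zz"


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild the raw payload bytes from a snort hex dump.

    Each line is "<offset> : <up to 16 byte tokens> <ascii column>".  Hex
    tokens become bytes.  A redacted token such as XX or zz becomes the ASCII
    letter snort showed for it, so the channel name and victim address still
    survive as matchable text.  Parsing stops at the first token that is
    neither, which is where the ASCII column begins.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _offset, rest = line.split(" : ", 1)
        for tok in rest.split()[:16]:
            if HEX_TOKEN.match(tok):
                out.append(int(tok, 16))
            elif REDACTED_TOKEN.match(tok):
                out.append(ord(tok[0]))
            else:
                break
    return bytes(out)


# IRC PRIVMSG as seen on the wire: "PRIVMSG <target> :<text>"
PRIVMSG = re.compile(r"^PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
# Bot status report from the alert: "<module>: exploited (<victim>)"
REPORT = re.compile(r"^(?P<module>[A-Za-z0-9_-]+):\s+exploited\s+"
                    r"\((?P<victim>[^)]*)\)\s*$")


def find_exploit_reports(payload: bytes) -> list:
    """Return one dict per bot 'exploited' report found in an IRC payload."""
    reports = []
    for raw in payload.split(b"\r\n"):
        line = raw.decode("latin-1", errors="replace")
        msg = PRIVMSG.match(line)
        if not msg:
            continue
        rep = REPORT.match(msg.group("text"))
        if not rep:
            continue
        reports.append({
            "channel": msg.group("target"),
            "module": rep.group("module"),
            "victim": rep.group("victim"),
        })
    return reports


def summarise(reports: list) -> dict:
    """Count reported victims per scanner module, e.g. {'mssql': 1}."""
    counts = {}
    for r in reports:
        counts[r["module"]] = counts.get(r["module"], 0) + 1
    return counts


if __name__ == "__main__":
    payload = parse_snort_hexdump(SAMPLE_DUMP)
    print(payload)
    for r in find_exploit_reports(payload) + find_exploit_reports(SAMPLE_IRC):
        print("bot in %(channel)s reports %(module)s exploited on %(victim)s" % r)
```

Run over captured IRC traffic from the suspect hosts, the module names and victim addresses this pulls out tell you both which scanner the bot is running (mssql here, consistent with the login attempts the original poster saw) and which internal hosts it believes it has already compromised, which is the list to isolate and image first.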