SQL Worm Scanner

  1. #1

    SQL Worm Scanner

    So much commotion has been going on lately about the SQL Sapphire Worm (which has been sending out "random" packets in a DDoS-ish attack from MS SQL Servers), that finding a scanner for it was needed.

    You can download the scanner from:
    http://www.eeye.com/html/Research/To...pphireSQL.html


    For more details about the Sapphire SQL Worm:
    http://www.eeye.com/html/Research/Flash/AL20030125.html

    Hope this will help out MS Admins!

    Not a repost. The information about the attacks is old, as I said in my post. But nowhere in the three AO posts have I seen anything about the scanner for the worm, which will help you see if you are infected with it. (BTW, two of those three other posts were in the wrong forums.)

    So stop negging me. I just got away from that friggin' 'pain in the ass' message, and this time, I didn't screw up. So don't punish me for it.

  2. #2
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I posted the same thing: http://www.antionline.com/showthread...0&pagenumber=4 before you, if that's what you're bitching about. Thanks to bugtraq. You could've posted in one of those 3 AO posts you read; now there are 4. I didn't neg you, but cut off the whining part, for your own good.
    About the posting in wrong forums: the vulnerability itself is a Microsoft one, but it still affects DNS servers etc. which got flooded, and any other SQL server which gets a load of those packets will slow down. Many sites which didn't have anything to do with Microsoft got "hit", so to speak.
    Besides that (not as a flame), I don't think it would be a help to an admin if he didn't patch and lock down his server yet; if you did that properly the worm can't run anymore, so it'll "die" in most cases. If you know you are infected and you know you still are after taking the right precautions, the scanner is useless, because you already know you have it. You have to remove it.
    Double Dutch

  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    88
    This denial of service attack shows the need for a good firewall. I know a commercial SQL server's firewall needs are different from a home computer user's; the following is quoted from the eEye description.

    "Corrective Action:
    We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways"

    A firewall would have plugged that port.

    FWIN,2003/01/26,10:00:56 -5:00 GMT,157.169.10.115:4901,12.xxx.xxx.xxx:1434,UDP
    FWIN,2003/01/26,10:05:56 -5:00 GMT,195.19.38.72:4957,12.xxx.xxx.xxx:1434,UDP
    FWIN,2003/01/26,10:08:30 -5:00 GMT,65.112.133.140:1044,12.xxx.xxx.xxx:1434,UDP

    The entries shown above show that it is still spreading.
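    Added example (not from this post or from eEye): a small Python parser for the FWIN log format quoted above that flags inbound UDP/1434 entries, the worm's propagation traffic, and counts the sources. The sample log is constructed here: the first three lines are the ones from the post, the rest are made up, and the 12.xxx.xxx.xxx destination is the poster's masked address kept as-is.

```python
import re
from collections import Counter

# Constructed sample in the FWIN format quoted above (first three lines from the
# post, the rest invented; 12.xxx.xxx.xxx is the poster's masked address).
SAMPLE_LOG = """\
FWIN,2003/01/26,10:00:56 -5:00 GMT,157.169.10.115:4901,12.xxx.xxx.xxx:1434,UDP
FWIN,2003/01/26,10:05:56 -5:00 GMT,195.19.38.72:4957,12.xxx.xxx.xxx:1434,UDP
FWIN,2003/01/26,10:08:30 -5:00 GMT,65.112.133.140:1044,12.xxx.xxx.xxx:1434,UDP
FWIN,2003/01/26,10:09:02 -5:00 GMT,10.0.0.5:3201,12.xxx.xxx.xxx:80,TCP
FWIN,2003/01/26,10:11:40 -5:00 GMT,195.19.38.72:4958,12.xxx.xxx.xxx:1434,UDP
FWOUT,2003/01/26,10:12:00 -5:00 GMT,12.xxx.xxx.xxx:1433,203.0.113.9:1433,TCP
"""

# event,date,time,src:sport,dst:dport,proto
LINE_RE = re.compile(
    r"^(?P<event>FW(?:IN|OUT)),(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),(?P<dst>[^:,]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)$"
)

SQL_MONITOR_PORT = 1434  # UDP port the worm uses to spread (per the eEye quote)

def parse_line(line):
    """Return a dict of fields for one FWIN/FWOUT line, or None if it doesn't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def is_worm_probe(entry):
    """Inbound UDP to 1434 matches the worm's propagation pattern."""
    return (entry["event"] == "FWIN" and entry["proto"] == "UDP"
            and entry["dport"] == SQL_MONITOR_PORT)

def summarize(log_text):
    """Return (probe_count, Counter of source addresses) for matching entries."""
    sources = Counter()
    total = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_worm_probe(entry):
            total += 1
            sources[entry["src"]] += 1
    return total, sources

if __name__ == "__main__":
    n, srcs = summarize(SAMPLE_LOG)
    print(f"{n} inbound UDP/1434 probes from {len(srcs)} sources")
    for ip, count in srcs.most_common():
        print(f"  {ip}: {count}")
```

A repeat source within minutes, as 195.19.38.72 is in the sample, is a sign of an infected host still scanning rather than a one-off stray packet.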

  4. #4
    Neel, the reason many people want to use a tool like the scanner is because, even if they close off all the right ports and are sure they've done everything right...the worm may do other things that they don't know about yet.

    The worm may be able to receive instruction on a certain port, and begin attacking differently.

  5. #5
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    Originally posted here by ^Mobius^
    Neel, the reason many people want to use a tool like the scanner is because, even if they close off all the right ports and are sure they've done everything right...the worm may do other things that they don't know about yet.

    The worm may be able to receive instruction on a certain port, and begin attacking differently.
    I know that, I was discussing (giving my opinion about) the scanner you gave a link to, not about you and not about the worm. The scanner in this case detects the worm, a few variants. It gives you the link to the patches. Point is, if your system is patched you don't need the scanner for it isn't there. In fact you don't need a scanner, because you know when you're infected, if you're not a lazy admin who doesn't check logs etc. You will even notice it when there are 100s of variants, because they all do basically the same, infecting your server and doing what a worm does: spreading itself.

    Also I didn't want to start a flame really, although I did it seems.

    **** you. ^Mobius^
    So just stfu with yer whining about a mailing list copy (a good admin could've found this by himself) and go bother some other people. I at least gave you some response.
    Double Dutch

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by ^Mobius^
    Neel, the reason many people want to use a tool like the scanner is because, even if they close off all the right ports and are sure they've done everything right...the worm may do other things that they don't know about yet.

    The worm may be able to receive instruction on a certain port, and begin attacking differently.

    The worm has already been analysed (see links in the other sql worm threads) and it has been determined that it has no payload other than propagating itself.

    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    quote:

    **** you. ^Mobius^


    What the hell is that? I make it a point not to flame/curse people out online. Doing so would be quite stupid, and only winds up with me being flamed back, and no one's happy. ::Grins:: What thread did I "post" that in?
