March 3rd, 2004 08:28 PM
SQL worm propagation?
I found an IDS alert telling me that someone tries to propagate a SQL worm.
It's coming from a nonexistent LAN IP.
So my question:
Should I switch off this rule?
I'm not running any SQL server.
Or should I have a look where it comes from?
How can I?
(For information: I'm running W2K behind a firewall/gateway server using ClarkConnect 2.1 with Snort installed.)
March 3rd, 2004 11:50 PM
Hmm, is your firewall telling you that you are being scanned from the inside or outside? You can determine this by the IP address the packets came from. It's important to find this information out first, because if it's coming from inside, that means you already have one computer that's compromised. If it's coming from outside, don't worry about it; there's always gonna be stuff from outside trying to get in (that's where your firewall comes into play).
The last SQL worm that I'm aware of is the Slammer worm (I could be wrong). Ensure that all your systems are up to date with the latest patches and AV definitions.
March 4th, 2004 04:12 PM
I'm sure it's coming from the outside.
I'm also sure that this happens when I'm connecting to a specific server (but which one?).
...and I think it's something like the Slammer...
I found a tool in a security archive that is able to DoS (or was it overflow? Sorry, I'm not at home at the moment) a SQL server on port 1434 with a faked IP.
I will ask someone to try this tool from the outside on my IP,
hoping that it will generate the same message.
March 5th, 2004 02:25 PM
It's probably Slammer. Please note that Slammer isn't limited to infecting SQL Server; it also infects MSDE. You can find more info here:
Experience is something you don't get until just after you need it.