Thread: SQL worm propagation ?

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    185

    SQL worm propagation ?

    I found an IDS alert telling me that someone is trying to propagate a SQL worm.
    It's coming from a nonexistent LAN IP.
    So my question:
    Should I switch off this rule?
    I'm not running any SQL server.
    Or should I have a look at where it comes from?
    How can I?

    (For information: I'm running W2K behind a firewall/gateway server using ClarkConnect 2.1 with Snort installed.)

    thx
    Industry Kills Music.

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Hmm, is your firewall telling you that you are being scanned from the inside or outside? You can determine this by the IP address the packets came from. It's important to find this information out first, because if it's coming from inside, that means you already have one computer that's compromised. If it's coming from outside, don't worry about it, there's always gonna be stuff from outside trying to get in (that's where your firewall comes into play).

    The last SQL worm that I'm aware of is the Slammer worm (I could be wrong). Ensure that all your systems are up to date with the latest patches and AV definitions.


    --PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    I'm sure it's coming from the outside.
    I'm also sure that this happens when I'm connecting to a specific server (but which one?).
    ...and I think it's something like the Slammer...
    I found a tool in a security archive that is able to DoS (or was it overflow, sorry, I'm not at home at the moment) a SQL server on port 1434 with a faked IP.
    I will ask someone to try this tool from the outside on my IP,
    hoping that it will generate the same message.
    Thx, PuRe
    Industry Kills Music.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It's probably Slammer. Please note that Slammer isn't limited to infecting SQL Server but also MSDE. You can find more info here:

    http://vil.nai.com/vil/content/v_99992.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.
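
One way to do the inside/outside check suggested in post #2 against Snort's alert file, as an added example that is not part of the thread. It assumes Snort's one-line "fast" alert format and a LAN of 192.168.1.0/24 (the thread does not give the real range); the alert lines are constructed.

```python
import ipaddress
import re

# Assumption: the LAN behind the gateway (not stated in the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
# RFC 1918 ranges: never routed on the Internet, so such a source seen
# from outside the LAN is spoofed or leaked and cannot be traced by IP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fast alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines, not taken from the thread.
SAMPLE_ALERTS = """\
11/02-21:14:03.112233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.44.7.9:1061 -> 198.51.100.10:1434
11/02-21:15:40.500100  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.77:4312 -> 198.51.100.10:1434
11/02-21:16:02.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.35:1190 -> 198.51.100.4:1434
11/02-21:17:11.420000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.77 -> 198.51.100.10
"""

def classify_source(src):
    ip = ipaddress.ip_address(src)
    if ip in LAN:
        return "inside"      # a LAN host is sending: check it for infection
    if any(ip in net for net in RFC1918):
        return "unroutable"  # private address that is not on our LAN
    return "outside"         # Internet background noise the firewall drops

def triage(log_text):
    """Return (src, dst, verdict) for every alert aimed at UDP port 1434."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["proto"] != "UDP" or m["dport"] != "1434":
            continue
        findings.append((m["src"], m["dst"], classify_source(m["src"])))
    return findings

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_ALERTS):
        print(f"{src:15} -> {dst:15} {verdict}")
```

Only an "inside" verdict calls for action on a LAN host; an "unroutable" source matches the "nonexistent LAN IP" in the first post and is expected with a single-packet UDP worm, since the sender never needs a reply.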
