Full Disclosure mailing list archives
Re: [sean () donelan com: Symantec detected Slammer worm "hours" before]
From: Michael Scheidell <scheidell () secnap net>
Date: Thu, 13 Feb 2003 13:08:16 -0500 (EST)
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
It might be possible that they saw some of the initial 'load' traffic, source port 69, or src port 53, dst port udp 1434, but this was mostly some code almost 100% based on the Litchfield exploit. (oh, we saw it on December 19th and DID notify several IPS's and have the logs to prove it)

--
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html