RE: A few quick questions about the SQL Sapphire Worm

["Marc Maiffret" <marc () eeye com>]

1. Its not even bad enough that people are not firewalling... they are not
patching.

2. Yes there are proof of concept exploits out there for the vulnerability
that Sapphire uses.

One of those was by lion () cnhonker net. You can check it out on:
http://www.cnhonker.net/index.php

http://www.cnhonker.net/Files/show.php?id=167


Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Richard M.
| Smith
| Sent: Saturday, January 25, 2003 8:51 AM
| To: 'Full-Disclosure'; 'Richard M. Smith'
| Subject: [Full-disclosure] A few quick questions about the SQL Sapphire
| Worm
|
|
| Hi,
|
| I have a few quick questions about this new SQL Sapphire worm:
|
| 1.  The worm spreads via UDP port 1434.  Shouldn't
|     all firewalls already be blocking this port?
|
| 2.  Did anyone ever publish sample exploit code for the
|     MS02-039 security hole that the Sapphire worm uses?
|     If so, what's the URL for the sample code?
|
| Thanks,
| Richard M. Smith
| http://www.ComputerBytesMan.com
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html