Security Incidents mailing list archives

Field Report: New Worm


From: falcon () cybersecret com
Date: Thu, 03 Apr 2003 05:01:22 -0800 (PST)

Hello All,

This is a follow-up to my previous email.  I believe
this correlates with other reports that I saw earlier
last night (but did not have time to read) about a
possible new SQL Slammer Worm.

I am now confirming what appears to be automated
compromise of systems, possibly via SQL (3306), if my
read is correct on traffic.  I have had 5 current RH8
servers with mysql 3.23.56 compromised and 1 Cobalt
Raq4 server with an older version of mysql (that had
allegedly been removed).

Tell-tale signs:
1) Commands like "reboot" return "cussing" errors.
2) Presence of /usr/share/locale/sk/.sk12 directory.
The directory contains at least an executable "sk" and a
touched file ".sniffer".
3) Infection traffic appears to be propagating over
port 3306.  I haven't baselined this network, so that's
my first inclination, though I also see some IPX
traffic out there which doesn't belong.  The main
reason I suspect a sql/mysql connection is because
those servers running mysql appear to be the ones
infected.

PLEASE NOTE: chkrootkit DOES NOT DETECT this infection!

I'll be happy to pull samples for anybody interested. 
There doesn't appear to be anything in the logs.  I'm
in the process of imaging a couple disks for later
review before I low-level and reinstall.  Would be nice
to find a "fix" for this latest bug, however, before I
get too far along with a rebuild.

cheers,

-ben
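The file-system indicators listed above (the .sk12 directory, its "sk" executable and the ".sniffer" file) can be checked with a few lines of POSIX sh. The script below is an added example, not part of the original post or of any tool the poster used; the indicator paths come from the report, while the function names (sk12_list, sk12_indicator_count, sk12_report, make_sample_trees) and the constructed sample trees it builds for a demo run are this example's own assumptions. It takes a ROOT argument so it can be run against a suspect disk mounted read-only from a known-clean system rather than trusting the live (possibly trojaned) box.

```shell
#!/bin/sh
# Added example, not from the original post: check a filesystem root for the
# indicators the report lists. Indicator paths are from the post; function
# names and the sample trees are this example's own (assumed) additions.

# sk12_list ROOT: print the full path of each indicator that exists under
# ROOT (default "/"), one per line. Always returns 0.
sk12_list() {
    root="${1:-/}"
    dir="$root/usr/share/locale/sk/.sk12"
    if [ -d "$dir" ]; then echo "$dir"; fi            # rootkit directory
    if [ -x "$dir/sk" ]; then echo "$dir/sk"; fi      # "sk" executable
    if [ -e "$dir/.sniffer" ]; then echo "$dir/.sniffer"; fi  # touched file
    return 0
}

# sk12_indicator_count ROOT: print how many of the three indicators exist.
sk12_indicator_count() {
    sk12_list "$1" | wc -l | tr -d ' '
}

# sk12_report ROOT: human-readable report. Returns 0 when the tree is clean
# and 1 when any indicator is present, so it can gate a script.
sk12_report() {
    root="${1:-/}"
    n=$(sk12_indicator_count "$root")
    if [ "$n" -eq 0 ]; then
        echo "CLEAN: no .sk12 indicators under $root"
        return 0
    fi
    echo "ALERT: $n .sk12 indicator(s) under $root:"
    sk12_list "$root" | while IFS= read -r p; do
        echo "  $p"
    done
    return 1
}

# make_sample_trees: build a constructed "infected" tree (directory, an
# executable "sk" that is just a stub shell script, and an empty ".sniffer")
# plus a "clean" tree in a temp dir, and print the temp dir path. This is
# sample data for a demo run, not real malware.
make_sample_trees() {
    tmp=$(mktemp -d)
    sk="$tmp/infected/usr/share/locale/sk/.sk12"
    mkdir -p "$sk" "$tmp/clean/usr/share/locale/sk"
    printf '#!/bin/sh\n' > "$sk/sk"
    chmod 755 "$sk/sk"
    : > "$sk/.sniffer"
    echo "$tmp"
}

# Usage: sh sk12check.sh [ROOT]   (ROOT defaults to "/"; use the mount point
#                                  of a suspect disk from a clean system)
#        sh sk12check.sh demo     (run against the constructed sample trees)
case "${1:-}" in
    demo)
        t=$(make_sample_trees)
        sk12_report "$t/infected" || true
        sk12_report "$t/clean" || true
        rm -rf "$t"
        ;;
    "") : ;;                   # no argument given when sourced or tested
    *)  sk12_report "$1" || true ;;
esac
```

Because the live system's own binaries may be untrustworthy (the "reboot" oddity in the report suggests as much), the safest run is from a boot CD or a clean host with the suspect disk mounted read-only, passing that mount point as ROOT. On a Red Hat system, `rpm -Va` from the same clean environment is a quick way to list package files whose size or digest no longer match. For the traffic side of the report, `tcpdump -n port 3306` on a span port or a separate sensor shows whether the scanning is still ongoing without relying on the compromised hosts.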
