Snort mailing list archives
Re: spp_portscan2 and UDP
From: Kenton Smith <ksmith () chartwelltechnology com>
Date: 28 Jan 2003 14:33:19 -0700
Ah yes, spoke too soon. I think I'll take this to a Microsoft list. If any of you have any brilliant ideas to solve this, please contact me off-list.

Thanks,
Kenton

On Tue, 2003-01-28 at 12:17, ksmith () chartwelltechology com wrote:
> OK, so I've got it licked; here's what I discovered. The version of the Symantec tool I was using, 1.0.1.0, which I downloaded on Saturday, said I was not vulnerable. I went back and checked the site and they do have a newer version, 1.0.3. This version, which does a much more thorough search, said that I was vulnerable, but not infected, interestingly enough. I then downloaded the patch for the vulnerability only, not the latest security roll-up, and patched the DLLs. After a reboot, this seems to have fixed it; nothing unusual so far anyway.
>
> Thank you all for your suggestions and help.
>
> On Tue, 2003-01-28 at 10:44, Miller, Eoin wrote:
> > Yeaup, that's the port the attack takes place on (port info):
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://isc.incidents.org/port_details.html?port=1434
> >
> > Worm description:
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
> >
> > And finally a removal tool:
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html
> >
> > Good luck!
> >
> > -----Original Message-----
> > From: Kenton Smith [mailto:ksmith () chartwelltechnology com]
> > Sent: Tuesday, January 28, 2003 11:35 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] spp_portscan2 and UDP
> >
> > I have a machine running MS SQL on my network. It is patched against the Slammer vulnerability and checks out when I run the Symantec fixsql tool on it. However, it is sending out packets at a consistent rate.
> >
> > I couldn't figure out what it was doing until I looked at Snort and found the 300+ entries like the following:
> >
> > [**] [117:1:1] (spp_portscan2) Portscan detected from [my.sql.server]: 6 targets 6 ports in 0 seconds [**]
> > 01/27-15:43:50.898738 0:50:DA:B9:75:49 -> 1:0:5E:6D:C6:FC type:0x800 len:0x1A2
> > xxx.xxx.xxx.xxx:1303 -> xxx.xxx.xxx.xxx:1434 UDP TTL:1 TOS:0x0 ID:29272 IpLen:20 DgmLen:404
> > Len: 384
> >
> > 01/27-15:43:50.970576 UDP src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
> >
> > The source is my server and it's going to seemingly random destinations. I have since disconnected it, but I think it is infected with the worm. I've rebooted and it comes back shortly after restart. I can't confirm what the spp_portscan2 is; can anyone tell me? Oddly, none of the dports are UDP 1433, they are all 1434.
> >
> > Any thoughts?
> >
> > Thanks,
> > Kenton Smith
> >
> > -------------------------------------------------------
> > This SF.NET email is sponsored by:
> > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > http://www.vasoftware.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
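To triage a scan log like the one quoted in this thread, here is an added Python example (not from the thread, and not Snort's own code) that parses spp_portscan2 scan-log lines in the format shown above, groups them by source, and flags hosts fanning out to many distinct destinations on UDP/1434 while sending from a single source port, as the infected server in the thread did. The helper `udp_payload_len` turns the alert's DgmLen/IpLen into the UDP payload size (404 bytes on the wire is 376 bytes of payload, the size of a Slammer datagram). The log lines, addresses and the `min_targets` threshold are constructed for the example.

```python
"""Triage Snort spp_portscan2 scan-log lines for Slammer-style UDP/1434 fan-out."""
import re
from collections import defaultdict

# Constructed sample in the spp_portscan2 scan-log format quoted in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
01/27-15:43:50.970576 UDP src: 10.0.0.5 dst: 192.0.2.10 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.970601 UDP src: 10.0.0.5 dst: 192.0.2.77 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.970633 UDP src: 10.0.0.5 dst: 198.51.100.3 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.970660 UDP src: 10.0.0.5 dst: 198.51.100.44 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.970688 UDP src: 10.0.0.5 dst: 203.0.113.9 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.970715 UDP src: 10.0.0.5 dst: 203.0.113.200 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:44:01.120000 UDP src: 10.0.0.9 dst: 192.0.2.53 sport: 3321 dport: 53 tgts: 5 ports: 5 event_id: 7
"""

# One scan-log line: timestamp, protocol, then the key: value pairs seen in the thread.
SCANLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) event_id: (?P<eid>\d+)$"
)

def parse_scanlog(text):
    """Return one dict per well-formed scan-log line; other lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := SCANLOG_RE.match(line.strip()))]

def udp_payload_len(dgm_len, ip_hdr_len=20):
    """UDP payload bytes from the alert's DgmLen and IpLen (DgmLen:404 -> 376, Slammer's size)."""
    return dgm_len - ip_hdr_len - 8

def slammer_suspects(entries, min_targets=5):
    """Sources whose every entry is UDP to dport 1434 and that reach >= min_targets distinct hosts.
    The source ports seen are recorded too: the thread's infected host used a single sport (1303)."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    suspects = {}
    for src, es in by_src.items():
        if all(e["proto"] == "UDP" and e["dport"] == "1434" for e in es):
            dsts = {e["dst"] for e in es}
            if len(dsts) >= min_targets:
                suspects[src] = {"targets": len(dsts), "sports": sorted({e["sport"] for e in es})}
    return suspects

if __name__ == "__main__":
    for src, info in slammer_suspects(parse_scanlog(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} distinct UDP/1434 targets, source port(s) {info['sports']}")
```

Pointed at a real spp_portscan2 scan log, the same grouping shows at a glance which internal hosts are spraying UDP/1434 and should be pulled off the network, which is what the original poster had to work out by hand.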