Snort mailing list archives

Re: SQLsnake - any able to create a sig for this one?

From: counter.spy () gmx de
Date: Wed, 22 May 2002 21:27:30 +0200 (MEST)

On May/21, john () dndlabs net wrote:

Has anyone be able to put together a sig for the scanning done bye

SQLsnake

(the MSSQL worm) which supposedly uses "fscan.exe" packaged as another

file.

A full code analysis and facts about it can be found here:
http://www.incidents.org/diary/diary.php?id=157.


This explains why I noticed such a huge amount of probes to 1433/tcp
these last days :-) Was I the only one?


We had those probes last night, too. 
Very funny: I go to work this morning, read my email (bugtraq),
read stuff about Spida, go to my snort attack detector console and voila -
this worm is scanning through methodically all registered networks.
I notified the site where they came from.

Cheers,
Detmar

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SQLsnake - any able to create a sig for this one? john (May 21)
- Re: SQLsnake - any able to create a sig for this one? Roberto Suarez Soto (May 22)
  - Re: SQLsnake - any able to create a sig for this one? Matt Kettler (May 22)
- <Possible follow-ups>
- SQLsnake - any able to create a sig for this one? john (May 21)
- Re: SQLsnake - any able to create a sig for this one? counter . spy (May 22)