Re: W32/SQLSlammer

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/25/03

  • Next message: Jonathan Boarman: "Re: why the SQL patch didn't prevent this worm"
    Date:         Sat, 25 Jan 2003 13:13:48 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Some additional errata;

    1. Make sure you read Eric Schultze's comments in his note earlier today
    titled "worm related sql patches and mssecure.xml/hfnetchk". MS02-061 is
    the latest patch you should apply to prevent the worm and not apply SQL
    SP3. Also note his comments about using Microsoft's XML file, for now
    use Shavlik's;

    mbsacli.exe /hf -x https://xml.shavlik.com/mssecure.xml

    2. Here is the summary data from my router, YMMV;

    12:00am - 12:59am
    206 attacks from 95 unique hosts, 2.17 attacks/host, .06 attacks/sec.

    1:00am - 1:59am
    198 attacks from 79 unique hosts, 2.51 attacks/host, .06 attacks/sec.

    2:00am - 2:59am
    80 attacks from 34 unique hosts, 2.35 attacks/host, .02 attacks/sec.

    3:00am - 3:59am
    77 attacks from 32 unique hosts, 2.41 attacks/host, .02 attacks/sec.

    4:00am - 4:59am
    63 attacks from 24 unique hosts, 2.63 attacks/host, .02 attacks/sec.

    5:00am - 5:59am
    1474 attacks from 918 unique hosts, 1.61 attacks/host, .41 attacks/sec.

    6:00am - 6:59am
    5118 attacks from 1655 unique hosts, 3.09 attacks/host, 1.42
    attacks/sec.

    7:00am - 7:59am
    4822 attacks from 1521 unique hosts, 3.17 attacks/host, 1.34
    attacks/sec.

    8:00am - 8:59am
    4179 attacks from 1234 unique hosts, 3.39 attacks/host, 1.16
    attacks/sec.

    9:00am - 9:59am
    2690 attacks from 654 unique hosts, 4.11 attacks/host, .75 attacks/sec.

    10:00am - 10:59am
    1373 attacks from 405 unique hosts, 3.39 attacks/host, .38 attacks/sec.

    11:00am - 11:59am
    353 attacks from 159 unique hosts, 2.22 attacks/host, .10 attacks/sec.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com. NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo