Re: W32/SQLSlammer

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/25/03

Next message: Jonathan Boarman: "Re: why the SQL patch didn't prevent this worm"

Previous message: Marc Maiffret: "Re: MS SQL Server Worm?"
Maybe in reply to: Russ: "W32/SQLSlammer"
Next in thread: Chris Alliey: "Re: W32/SQLSlammer"
Reply: Chris Alliey: "Re: W32/SQLSlammer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Sat, 25 Jan 2003 13:13:48 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Some additional errata;

1. Make sure you read Eric Schultze's comments in his note earlier today
titled "worm related sql patches and mssecure.xml/hfnetchk". MS02-061 is
the latest patch you should apply to prevent the worm and not apply SQL
SP3. Also note his comments about using Microsoft's XML file, for now
use Shavlik's;

mbsacli.exe /hf -x https://xml.shavlik.com/mssecure.xml

2. Here is the summary data from my router, YMMV;

12:00am - 12:59am
206 attacks from 95 unique hosts, 2.17 attacks/host, .06 attacks/sec.

1:00am - 1:59am
198 attacks from 79 unique hosts, 2.51 attacks/host, .06 attacks/sec.

2:00am - 2:59am
80 attacks from 34 unique hosts, 2.35 attacks/host, .02 attacks/sec.

3:00am - 3:59am
77 attacks from 32 unique hosts, 2.41 attacks/host, .02 attacks/sec.

4:00am - 4:59am
63 attacks from 24 unique hosts, 2.63 attacks/host, .02 attacks/sec.

5:00am - 5:59am
1474 attacks from 918 unique hosts, 1.61 attacks/host, .41 attacks/sec.

6:00am - 6:59am
5118 attacks from 1655 unique hosts, 3.09 attacks/host, 1.42
attacks/sec.

7:00am - 7:59am
4822 attacks from 1521 unique hosts, 3.17 attacks/host, 1.34
attacks/sec.

8:00am - 8:59am
4179 attacks from 1234 unique hosts, 3.39 attacks/host, 1.16
attacks/sec.

9:00am - 9:59am
2690 attacks from 654 unique hosts, 4.11 attacks/host, .75 attacks/sec.

10:00am - 10:59am
1373 attacks from 405 unique hosts, 3.39 attacks/host, .38 attacks/sec.

11:00am - 11:59am
353 attacks from 159 unique hosts, 2.22 attacks/host, .10 attacks/sec.

Cheers,
Russ - Surgeon General of TruSecure Corporation

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time

Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Next message: Jonathan Boarman: "Re: why the SQL patch didn't prevent this worm"
Previous message: Marc Maiffret: "Re: MS SQL Server Worm?"
Maybe in reply to: Russ: "W32/SQLSlammer"
Next in thread: Chris Alliey: "Re: W32/SQLSlammer"
Reply: Chris Alliey: "Re: W32/SQLSlammer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]