RE: strange attacks - flood udp packets from 1030 to msql

From: Drew, Dale (Dale.Drew@Level3.com)
Date: 01/25/03

    Date: Sat, 25 Jan 2003 08:15:43 -0700
    From: "Drew, Dale" <Dale.Drew@Level3.com>
    To: "Uwe Dippel" <udippel@yahoo.com>, <incidents@securityfocus.com>
    
    

    Some of us have been dealing with this since 10:30pm yesterday... :)

    Alerts:
    http://www.ngssoftware.com/vna/ms-sql.txt
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824

    Code:
    http://www.digitaloffense.net/worms/mssql_udp_worm/
    http://packetstormsecurity.org/0211-exploits/sql2.cpp

    Dale

    ======================================
    "SUCCESS THROUGH TEAMWORK"
    Dale Drew
    Director, Global Security/AAA Engineering & Architecture
    Level(3) Communications, LLC
    720-888-2963 | dale.drew@level3.com

     

    -----Original Message-----
    From: Uwe Dippel [mailto:udippel@yahoo.com]
    Sent: Saturday, January 25, 2003 4:52 AM
    To: incidents@securityfocus.com
    Subject: strange attacks - flood udp packets from 1030 to msql

    The subject says it.
    Strange behaviour and no clue here why.
    A server floods random (??) IP-addresses with udp-packets from iad1 to
    1434 (msql), overflowing the external router, yadayadayada. DoS, in
    short.
    Anyone seen this before ??

    Uwe


    ------------------------------------------------------------------------

    ----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com