New MySQL worm? increased probes/traffic detected...

From: David A. Ulevitch (davidu_at_everydns.net)
Date: 07/01/03

  • Next message: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
    Date: Mon, 30 Jun 2003 15:26:42 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    Incidents,

    Today from 12:00 -- 13:00 PDT we detected a large amount of mysql traffic
    across our link, more than we've ever seen.

    Our network was being sent traffic not even destined for IP space
    (discovered in analysis, we'll be working with our ISP to figure out why)
    however we captured 1.2 gigs of it in a few minutes and in looking through
    the data the src_port of most hosts is 3306 (mysql).

    Many of the src_hosts are unreachable by us, but of the few that we did
    get through to, many are in fact running mysql. (4.0.10 seemed to be one I
    remember)

    Has anyone else seen traffic like this spike in the last day or so?

    The destination is in the 66.220.17/24 range. (not our network, but what
    we captured)

    Due to the amount of data, I haven't put it online, but if someone wants
    to look at it, ping me offlist. We have a 1.2 gig pcap dump.

    Thanks,
    David Ulevitch

    ----------------------------------------------------
       David A. Ulevitch -- http://david.ulevitch.com
      http://everydns.net -+- http://communitycolo.net
    Campus Box 6957 + Washington University in St. Louis
    ----------------------------------------------------
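
One way to triage a capture like the one described in this post, as an added example that is not part of the original message: it tallies TCP packets sent to a watched range, separating replies coming from port 3306 (SYN+ACK, RST) from bare SYNs sent toward port 3306. The function names are hypothetical, the sample packets are constructed, and a classic little-endian pcap file with Ethernet framing is assumed.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

def tcp_frame(src, sport, dst, dport, flags):
    """Constructed sample data: minimal Ethernet/IPv4/TCP frame, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian libpcap file (linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def triage(pcap, watched_net, port=3306):
    """Tally TCP packets sent to watched_net that involve `port`, by direction and flags."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    net, tally, sources, off = ip_network(watched_net), Counter(), Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length of this record
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not Ethernet / IPv4 / TCP
        tcp_off = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < tcp_off + 14 or ip_address(pkt[30:34]) not in net:
            continue  # truncated, or not sent to the range under study
        sport, dport = struct.unpack_from("!HH", pkt, tcp_off)
        flags = pkt[tcp_off + 13]
        if sport == port:  # a server on `port` answering a connection attempt
            kind = ("reply_synack" if (flags & 0x12) == 0x12
                    else "reply_rst" if flags & 0x04 else "reply_other")
            sources[str(ip_address(pkt[26:30]))] += 1
        elif dport == port and (flags & 0x12) == 0x02:
            kind = "probe_syn"  # bare SYN toward `port`: a connection attempt or scan
        else:
            continue
        tally[kind] += 1
    return tally, sources

SAMPLE = pcap_bytes([  # constructed packets, not taken from the capture in the post
    tcp_frame("192.0.2.10", 3306, "66.220.17.5", 40001, 0x12),    # SYN+ACK reply
    tcp_frame("192.0.2.10", 3306, "66.220.17.9", 40002, 0x12),    # SYN+ACK reply
    tcp_frame("198.51.100.7", 3306, "66.220.17.77", 40003, 0x14),  # RST+ACK reply
    tcp_frame("203.0.113.3", 51000, "66.220.17.20", 3306, 0x02),  # SYN toward 3306
    tcp_frame("192.0.2.10", 3306, "10.0.0.1", 40004, 0x12),       # outside watched range
])
print(triage(SAMPLE, "66.220.17.0/24"))
```

A tally dominated by `reply_*` counts means the captured hosts are answering connections, while `probe_syn` counts are the connection attempts themselves; the `sources` counter gives the per-host breakdown for follow-up.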


