Re: SQL virus?
From: Steve Thompson (stevethompson_at_nomail.please)
Date: 07/29/04
- Next message: Rockitman: "Password security"
- Previous message: Kevin McDonnell [MSFT]: "Re: XP Access problems"
- In reply to: Phil McNeill: "SQL virus?"
- Next in thread: Phil McNeill: "Re: SQL virus?"
- Reply: Phil McNeill: "Re: SQL virus?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jul 2004 13:46:08 -0400
According to one source:
port 1042 BLA trojan
And Symantec's assessment of this trojan,
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.bla.trojan.html
It appears to be fairly easy to remove. You may want to scan these devices
in case other viruses are installed.
Steve
"Phil McNeill" <philm@NOSPAMhydroottawa.com> wrote in message
news:ukjc3nXdEHA.3016@tk2msftngp13.phx.gbl...
> I am not an SQL guy or even a DBA, but a lowly network admin, so please be
> gentle. :)
>
> I noticed yesterday some outgoing access attempts in my firewall log that
> look suspicious. Six different requests attempting to hit udp port 1042 and
> trying to go to an invalid address, all at the exact same second in time.
> The common thread amongst the 6 machines is that they all run MSSQL. They
> are all for separate apps that have nothing to do with each other. I see
> this twice in my logs yesterday, once at 10:41:02 and once again at
> 11:02:12. A copy of the logs for the first one is below if they are
> helpful.
>
> This obviously looks viral to me, and given that they are all SQL machines,
> my guess would be it's an SQL infection of some type. It has not happened
> again today (yet). Anyone know what this might be, or is there some other
> possible explanation other than virus? Any help appreciated.
>
> Thanks!
>
> Phil
>
>
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.128.20:1434-192.168.2.13:1042, udp], action: Drop
>
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.128.185:1434-192.168.2.13:1042, udp], action: Drop
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.128.81:1434-192.168.2.13:1042, udp], action: Drop
>
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.135.89:1434-192.168.2.13:1042, udp], action: Drop
>
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.135.90:1434-192.168.2.13:1042, udp], action: Drop
>
> 10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall:
> [192.168.135.18:1434-192.168.2.13:1042, udp], action: Drop
>
>
>
>
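An added example, not part of either poster's message: one way to triage a firewall log in the format quoted above, by parsing each entry and flagging any second in which several internal hosts sent to the same destination and port. The function names and the `min_hosts` threshold are assumptions; the first six sample lines are the entries from the post unwrapped to one line each, and the last line is constructed.

```python
import re
from collections import defaultdict

# First six lines: entries quoted in the post, unwrapped. Last line: constructed
# here as an unrelated flow that should not be flagged.
SAMPLE_LOG = """\
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.128.20:1434-192.168.2.13:1042, udp], action: Drop
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.128.185:1434-192.168.2.13:1042, udp], action: Drop
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.128.81:1434-192.168.2.13:1042, udp], action: Drop
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.135.89:1434-192.168.2.13:1042, udp], action: Drop
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.135.90:1434-192.168.2.13:1042, udp], action: Drop
10:41:02 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.135.18:1434-192.168.2.13:1042, udp], action: Drop
10:43:15 tEvtLgMgr 0 : CSFW [12] Rule[SRC_INTF 10] Firewall: [192.168.128.77:1025-192.168.2.99:53, udp], action: Drop
"""

# Matches "[src:sport-dst:dport, proto], action: X" after the "Firewall:" tag.
ENTRY = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s.*?Firewall:\s*"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)-(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"\s*(?P<proto>\w+)\],\s*action:\s*(?P<action>\w+)"
)

def parse(log_text):
    """Yield one dict per firewall entry; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def synchronized_bursts(entries, min_hosts=3):
    """Group by (second, dst, dport, proto); keep groups with >= min_hosts sources."""
    groups = defaultdict(dict)
    for e in entries:
        key = (e["time"], e["dst"], int(e["dport"]), e["proto"])
        groups[key][e["src"]] = int(e["sport"])  # source host -> source port
    return {k: v for k, v in groups.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    bursts = synchronized_bursts(parse(SAMPLE_LOG))
    for (time, dst, dport, proto), sources in bursts.items():
        sports = sorted(set(sources.values()))
        print(f"{time}: {len(sources)} hosts -> {dst}:{dport}/{proto}, "
              f"source ports {sports}")
        for host in sorted(sources):
            print(f"  {host}")
```

The report includes the source port alongside the destination because both ends of the flow matter when identifying the sending process; in the quoted entries every host sends from UDP 1434, the port used by the SQL Server resolution (browser) service.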