Re: Slammer variant?

From: Greg Dunlap (greg_at_buzzbait.com)
Date: 08/24/04

• Next message: Peter Thelin: "RE: Best Security Template for a Member Server level SQL server in"
• Previous message: Sue Hoegemeier: "Re: How can I grant user run cmdexec"
• In reply to: Kevin McDonnell [MSFT]: "RE: Slammer variant?"
• Next in thread: Kevin McDonnell [MSFT]: "Re: Slammer variant?"
• Reply: Kevin McDonnell [MSFT]: "Re: Slammer variant?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 23 Aug 2004 20:58:00 -0700

> Are you using Standard Security or Integrated Security?

Standard

> Is your server behind a firewall?

No unfortunately there is no firewall on this server. I am looking
into at least doing some simple IP filtering. I'm looking into setting
up an IPSec policy for that server, but I've not delved into that area
before and its taking some time to get up to speed.

I should also point out that I absolutely do not have a blank sa
password.

> 1433 is one of the most actively probed ports on the internet.

You will note in the netstat log I pasted, that this server was doing
the probing, not being probed (although if your point is to press that
firewalling is important for blocking this activity it is well taken.)
 
> Run the following command from SQL:
>
> select * from master..sysprocesses
>
> compare it to the output from running netstat -an

I did this but I'm not really seeing any correlation there. What
should I be looking for?
 
> Slammer used UDP 1434. Running a network trace will show you the activity
> as well.

Yes this worm I have does not use UDP and it does not attack 1434
although it is still sourced from 1433 and disappears when the SQL
Server is restarted, which is what makes me think its something else.

---

• Next message: Peter Thelin: "RE: Best Security Template for a Member Server level SQL server in"
• Previous message: Sue Hoegemeier: "Re: How can I grant user run cmdexec"
• In reply to: Kevin McDonnell [MSFT]: "RE: Slammer variant?"
• Next in thread: Kevin McDonnell [MSFT]: "Re: Slammer variant?"
• Reply: Kevin McDonnell [MSFT]: "Re: Slammer variant?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: CEICW fails at firewall config ... Do you or do you not have ISA 2000 or ISA 2004 installed on the SBS server? ... Do you have 2 NICs in the SBS? ... CEICW fails on firewall configuration every time. ... >>> Call to Creating the protected networks access rule returned ok. ... (microsoft.public.windows.server.sbs) Re: Recycler security issues on IIS server ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ... (microsoft.public.inetserver.iis.security) Re: ISA SERVER NOT STARTING ... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ... (microsoft.public.windows.server.sbs) Re: bind() udp behavior 2.6.8.1 ... Allowing a high numbered udp port to remain ... The firewall should allow traffic from the same ip:port to the other ... ip:port and from no other server on the net. ... You new session is totally ... (Linux-Kernel) Re: For Microsoft Partners and Customers Who Cant Download or Access ... to reconfigure the firewall, but to use a static IP on your client ... and to make sure that the DNS server entries on the client are ... Microsoft for msdn2.microsoft.com. ... use a static IP and set the DNS server addresses to the DNS ... (microsoft.public.dotnet.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2004-08