Mason, SPIDA WORM
Please see attached link for a report of scans on port 1433 (SQL Monitor):
http://www.dshield.org/port_report.php?port=1433

DETAILED DESCRIPTION:

The Spida worm scans for systems listening on port 1433/tcp. Once connected, it attempts to use the xp_cmdshell utility to enable and set a password for the guest user. If successful, the worm then:

 - assigns the guest user to the local Administrator and Domain Admins groups
 - copies itself to the victim system
 - disables the guest account
 - sets the sa password to the same password as the guest account
 - executes the copy on the victim system

Once the local copy is executing on the victim system, the worm begins scanning for other systems to infect. It also attempts to send a copy of the local password (SAM) database, network configuration information, and other SQL server configuration information to a fixed email address ([EMAIL PROTECTED]) via email.

Hope this clears things up.

Regards
Alex Young

-----Original Message-----
From: Mason Landrum [mailto:[EMAIL PROTECTED]]
Sent: 25 June 2002 12:44
To: GTA Users (E-mail)
Subject: [gb-users] Unknown block alarms

Anyone,

I have been getting the following alarms from my GnatBox several times a day for about the past six months. Can anyone shed any light as to what is happening here? I can see that it has something to do with MS SQL Server but would like more information about what someone is looking for and if it is a deliberate process or just a regular function of someone's misguided SQL Server. The source port increments one for each instance and the external alias IPs vary throughout the instances.

Thanks in advance for your insight!
Sincerely,
Mason Landrum

-----------------------------------------------------------------------------
ALARM NO: 14
DATE: Mon 2002-06-24 15:53:54 GMT
PRIORITY: 4
INTERFACE: EXTERNAL (ep2)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [194.184.159.81/2565]-->[various EXT aliases/1433] l=0 f=0x2
           [194.184.159.81/2565]-->[various EXT aliases/ms-sql-s]
-----------------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages: http://www.mail-archive.com/[email protected]
---------------------------------------------------------------------
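Added here as an illustration, not part of the thread or of GTA's software: a small Python parser for GnatBox "Block" alarm records in the format Mason quoted. It groups SYN-only probes to tcp/1433 by source address and flags the sweep pattern he describes (several external aliases hit, source port incrementing by one per attempt). The alarm text, field layout and addresses below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample alarms in the GnatBox format quoted in the thread (DATE and
# other fields omitted). Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_ALARMS = """\
ALARM NO: 14
IP PACKET: TCP [198.51.100.7/2565]-->[203.0.113.10/1433] l=0 f=0x2
ALARM NO: 15
IP PACKET: TCP [198.51.100.7/2566]-->[203.0.113.11/1433] l=0 f=0x2
ALARM NO: 16
IP PACKET: TCP [198.51.100.7/2567]-->[203.0.113.12/1433] l=0 f=0x2
ALARM NO: 17
IP PACKET: TCP [192.0.2.44/40001]-->[203.0.113.10/80] l=0 f=0x2
"""

PACKET_RE = re.compile(
    r"IP PACKET:\s+(?P<proto>\w+)\s+\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]\s+l=\d+\s+f=(?P<flags>0x[0-9a-fA-F]+)"
)

def parse_packets(log_text):
    """One dict per 'IP PACKET' line: proto, src, sport, dst, dport, flags (ints)."""
    packets = []
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["flags"] = int(d["flags"], 16)
            packets.append(d)
    return packets

def find_mssql_sweeps(packets, min_targets=2):
    """Group SYN-only (f=0x2) probes to tcp/1433 by source; report sources hitting at
    least min_targets destinations and whether the source port rose by one per probe."""
    by_src = defaultdict(list)
    for p in packets:
        if p["proto"] == "TCP" and p["dport"] == 1433 and p["flags"] == 0x02:
            by_src[p["src"]].append(p)
    sweeps = {}
    for src, probes in by_src.items():
        targets = sorted({p["dst"] for p in probes})
        sports = [p["sport"] for p in probes]
        if len(targets) >= min_targets:
            sweeps[src] = {"targets": targets, "probes": len(probes),
                           "sequential_sport": all(b == a + 1 for a, b in zip(sports, sports[1:]))}
    return sweeps
```

Feeding a real alarm export through parse_packets and find_mssql_sweeps separates a single host sweeping tcp/1433 across your aliases from unrelated blocked traffic, which is the distinction Mason was asking about.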
