[Snort-users] SQLsnake - any able to create a sig for this one?

counter.spy at ...348... counter.spy at ...348...
Wed May 22 12:28:07 EDT 2002


>On May/21, john at ...5909... wrote:
>
>> Has anyone been able to put together a sig for the scanning done by SQLsnake
>> (the MSSQL worm) which supposedly uses "fscan.exe" packaged as another file.
>> A full code analysis and facts about it can be found here:
>> http://www.incidents.org/diary/diary.php?id=157.
>
>This explains why I noticed such a huge amount of probes to 1433/tcp
>these last days :-) Was I the only one?

We had those probes last night, too.
Very funny: I go to work this morning, read my email (bugtraq),
read stuff about Spida, go to my snort attack detector console and voila -
this worm is methodically scanning through all registered networks.
I notified the site where they came from.

Cheers,
Detmar
