[Snort-users] spp_portscan2 and UDP

Miller, Eoin Miller at ...6968...
Tue Jan 28 09:46:02 EST 2003


Yeaup, that's the port the attack takes place on (port info):
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
http://isc.incidents.org/port_details.html?port=1434

Worm description:
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

And finally a removal tool:
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html


Good luck!


> -----Original Message-----
> From: Kenton Smith [mailto:ksmith at ...8120...] 
> Sent: Tuesday, January 28, 2003 11:35 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] spp_portscan2 and UDP
> 
> 
> I have a machine running MS SQL on my network. It is patched 
> against the Slammer vulnerability and checks out when I run 
> the Symantec fixsql tool on it. However it is sending out 
> packets at a consistent rate. I couldn't figure out what it 
> was doing until I looked at Snort and found the 300+ entries 
> like the following:
> 
> [**] [117:1:1] (spp_portscan2) Portscan detected from 
> [my.sql.server]: 6 targets 6  ports in 0 seconds [**] 
> 01/27-15:43:50.898738 0:50:DA:B9:75:49 -> 1:0:5E:6D:C6:FC 
> type:0x800 len:0x1A2 xxx.xxx.xxx.xxx:1303 -> 
> xxx.xxx.xxx.xxx:1434 UDP TTL:1 TOS:0x0 ID:29272 IpLen:20 
> DgmLen:404 Len: 384
> 
> 
> 01/27-15:43:50.970576  UDP src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx
> sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
> 
> The source is my server and it's going to seemingly random 
> destinations. I have since disconnected it, but I think it is 
> infected with the worm. I've rebooted and it comes back 
> shortly after restart. I can't confirm what the spp_portscan2 
> is, can anyone tell me? Oddly none of the dports are UDP 
> 1433, they are all 1434.
> 
> Any thoughts?
> 
> Thanks,
> Kenton Smith
> 
> 
> 
> 
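The Snort output quoted above is what a Slammer-infected host looks like from the wire: one internal source, UDP datagrams to port 1434 on many unrelated destinations, which is exactly what spp_portscan2 reports as "N targets N ports". As an added example that is not part of this thread or of Snort itself, the Python below parses the one-line records spp_portscan2 writes to its scan log (format taken from the second quoted record; the field order is an assumption based on that one sample) and reports every source that has hit UDP/1434 on at least a threshold number of distinct destinations. The log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# One spp_portscan2 scan-log record per line, in the order seen in the quoted
# sample: "MM/DD-HH:MM:SS.usec  PROTO src: A dst: B sport: N dport: N
# tgts: N ports: N event_id: N". Field order is assumed from that sample.
SCAN_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<proto>TCP|UDP|ICMP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+event_id:\s*(?P<eid>\d+)"
)

def parse_scan_line(line):
    """Return a dict of fields for one scan-log record, or None if the line
    does not match (other log formats, blank lines, truncated records)."""
    m = SCAN_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "eid"):
        rec[key] = int(rec[key])
    return rec

def slammer_suspects(lines, min_targets=5):
    """Map each source that sent UDP to port 1434 on at least `min_targets`
    distinct destinations to the sorted list of those destinations.

    Slammer propagates over UDP/1434 (the SQL Server Resolution Service),
    not TCP/1433, so a source fanning out to many hosts on UDP/1434 is the
    signal; the distinct-destination count is what separates a spreading
    host from a client that legitimately queries one or two SQL servers.
    """
    dsts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_scan_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != 1434:
            continue
        dsts_by_src[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in dsts_by_src.items()
            if len(dsts) >= min_targets}

# Constructed sample log: 10.0.0.5 sprays UDP/1434 at six different hosts
# (one of them twice), 10.0.0.9 talks TCP/1433 and UDP/1434 to only two
# internal hosts, and one line is garbage that the parser must skip.
SAMPLE_LOG = """\
01/27-15:43:50.970576  UDP src: 10.0.0.5 dst: 203.0.113.7 sport: 1303 dport: 1434 tgts: 1 ports: 1 event_id: 6
01/27-15:43:50.970812  UDP src: 10.0.0.5 dst: 198.51.100.23 sport: 1303 dport: 1434 tgts: 2 ports: 2 event_id: 6
01/27-15:43:50.971044  UDP src: 10.0.0.5 dst: 192.0.2.99 sport: 1303 dport: 1434 tgts: 3 ports: 3 event_id: 6
01/27-15:43:50.971301  UDP src: 10.0.0.5 dst: 203.0.113.140 sport: 1303 dport: 1434 tgts: 4 ports: 4 event_id: 6
01/27-15:43:50.971555  UDP src: 10.0.0.5 dst: 198.51.100.200 sport: 1303 dport: 1434 tgts: 5 ports: 5 event_id: 6
01/27-15:43:50.971802  UDP src: 10.0.0.5 dst: 192.0.2.17 sport: 1303 dport: 1434 tgts: 6 ports: 6 event_id: 6
01/27-15:43:50.971999  UDP src: 10.0.0.5 dst: 192.0.2.17 sport: 1303 dport: 1434 tgts: 6 ports: 6 event_id: 6
01/27-15:43:51.100000  TCP src: 10.0.0.9 dst: 10.0.0.5 sport: 2049 dport: 1433 tgts: 1 ports: 1 event_id: 7
01/27-15:43:51.200000  UDP src: 10.0.0.9 dst: 10.0.0.5 sport: 3001 dport: 1434 tgts: 1 ports: 1 event_id: 8
01/27-15:43:51.300000  UDP src: 10.0.0.9 dst: 10.0.0.6 sport: 3001 dport: 1434 tgts: 2 ports: 2 event_id: 8
this line is not a scan record and is skipped
"""

if __name__ == "__main__":
    for src, dsts in slammer_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: UDP/1434 to {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

Run against a real scan log with `slammer_suspects(open(path))`; the threshold is the knob to tune, since a monitoring host that polls several SQL instances on UDP/1434 will show a handful of destinations, while an infected machine reaches hundreds in seconds, as the 300+ entries in the original post show.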