[Snort-users] Re: spp_portscan2 and UDP

Kenton Smith ksmith at ...8120...
Tue Jan 28 13:33:02 EST 2003


Ah yes, spoke too soon. I think I'll take this to a Microsoft list. If
any of you have any brilliant ideas to solve this, please contact me
off-list.

Thanks,
Kenton

On Tue, 2003-01-28 at 12:17, ksmith at ...8132... wrote:

> OK, so I've got it licked; here's what I discovered. The version of the
> Symantec tool I was using 1.0.1.0, which I downloaded on Saturday, said
> I was not vulnerable. I went back and checked the site and they do have
> a newer version 1.0.3. This version, which does a much more thorough
> search, said that I was vulnerable, but not infected, interestingly
> enough. I then downloaded the patch for the vulnerability only, not the
> latest security roll-up, and patched the DLLs. After a reboot, this
> seems to have fixed it; nothing unusual so far anyway.
> 
> Thank you all for your suggestions and help.
> 
> On Tue, 2003-01-28 at 10:44, Miller, Eoin wrote:
> > Yeaup, that's the port the attack takes place on (port info):
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://isc.incidents.org/port_details.html?port=1434
> > 
> > Worm description:
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
> > 
> > And finally a removal tool:
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html
> > 
> > 
> > Good luck!
> > 
> > 
> > > -----Original Message-----
> > > From: Kenton Smith [mailto:ksmith at ...8120...] 
> > > Sent: Tuesday, January 28, 2003 11:35 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] spp_portscan2 and UDP
> > > 
> > > 
> > > I have a machine running MS SQL on my network. It is patched 
> > > against the Slammer vulnerability and checks out when I run 
> > > the Symantec fixsql tool on it. However it is sending out 
> > > packets at a consistent rate. I couldn't figure out what it 
> > > was doing until I looked at Snort and found the 300+ entries 
> > > like the following:
> > > 
> > > [**] [117:1:1] (spp_portscan2) Portscan detected from 
> > > [my.sql.server]: 6 targets 6  ports in 0 seconds [**] 
> > > 01/27-15:43:50.898738 0:50:DA:B9:75:49 -> 1:0:5E:6D:C6:FC 
> > > type:0x800 len:0x1A2 xxx.xxx.xxx.xxx:1303 -> 
> > > xxx.xxx.xxx.xxx:1434 UDP TTL:1 TOS:0x0 ID:29272 IpLen:20 
> > > DgmLen:404 Len: 384
> > > 
> > > 
> > > 01/27-15:43:50.970576  UDP src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx
> > > sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
> > > 
> > > The source is my server and it's going to seemingly random 
> > > destinations. I have since disconnected it, but I think it is 
> > > infected with the worm. I've rebooted and it comes back 
> > > shortly after restart. I can't confirm what the spp_portscan2 
> > > is, can anyone tell me? Oddly none of the dports are UDP 
> > > 1433, they are all 1434.
> > > 
> > > Any thoughts?
> > > 
> > > Thanks,
> > > Kenton Smith
> > > 
> > > 
> > > 
> > > 
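As an added example that is not part of this thread, here is a small Python parser for the spp_portscan2 log lines quoted above, used to flag hosts fanning UDP out to port 1434 across many distinct destinations, which is the pattern Kenton's server shows. The sample log lines are constructed (documentation address ranges) and the field layout is assumed to match the single-line `UDP src: ... dst: ... sport: ... dport: ... tgts: ... ports: ... event_id: ...` form shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the spp_portscan2 log format quoted in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
01/27-15:43:50.970576  UDP src: 10.0.0.5 dst: 203.0.113.9 sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
01/27-15:43:50.971012  UDP src: 10.0.0.5 dst: 198.51.100.20 sport: 1303 dport: 1434 tgts: 9 ports: 9 event_id: 6
01/27-15:43:51.002211  UDP src: 10.0.0.5 dst: 192.0.2.77 sport: 1303 dport: 1434 tgts: 10 ports: 10 event_id: 6
01/27-15:44:01.113355  TCP src: 10.0.0.8 dst: 192.0.2.3 sport: 40123 dport: 1434 tgts: 1 ports: 1 event_id: 7
01/27-15:44:02.000001  UDP src: 10.0.0.9 dst: 192.0.2.4 sport: 5000 dport: 1434 tgts: 1 ports: 1 event_id: 8
"""

# One spp_portscan2 line: timestamp, protocol, then "key: value" pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\w+)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+event_id:\s*(?P<eid>\d+)"
)

def parse_portscan2_log(text):
    """Return one dict per parseable spp_portscan2 line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "tgts", "ports", "eid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def find_udp1434_fanout(records, min_targets=3):
    """Map each source that sent UDP to port 1434 at >= min_targets distinct
    destinations to its destination count. A worm like Slammer fans out from
    one source port to pseudo-random hosts, so the number of distinct
    destinations, not the raw alert count, is the useful signal."""
    targets = defaultdict(set)
    for rec in records:
        if rec["proto"] == "UDP" and rec["dport"] == 1434:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, n in find_udp1434_fanout(parse_portscan2_log(SAMPLE_LOG)).items():
        print(f"{src}: UDP/1434 to {n} distinct hosts - isolate and inspect")
```

Running it against a real spp_portscan2 log pulled from the sensor gives a short list of internal hosts to isolate, which is quicker than reading 300+ alerts by hand.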