On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> Mmmmm, I don't know what machine 217.77.34.162 is, but I wouldn't be
> surprised if it sits in the same server room as my box... Does this
> tell you anything?

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers listen there), consists of single packets that are 376 bytes in size and causes much traffic.

Seems like the machine at 217.77.34.162 is infected, so not much you can do to stop this packet flood. You may try to contact the server admin and convince him to reboot and patch the MS-SQL server. Or ask your provider to block incoming packets on this port for your server.

Some sites with more information about this worm:

http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_99992.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159

HTH,
Michel

-- 
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
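
The traffic pattern described in the reply (single 376-byte UDP packets to port 1434, sent to many destinations) can be picked out of a tcpdump text capture with a short script. This is an added example, not part of the original message; the function names, the `min_dests` threshold and the last three sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line: "time src.sport > dst.dport: udp LEN [...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

SLAMMER_PORT = 1434  # UDP port named in the reply
SLAMMER_LEN = 376    # packet size named in the reply


def parse_line(line):
    """Return a dict for a UDP line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "len": int(m["len"])}


def slammer_suspects(lines, min_dests=2):
    """Map source IP -> number of distinct destinations that received a
    376-byte UDP packet on port 1434. min_dests is an assumed threshold."""
    dests = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dport"] == SLAMMER_PORT and pkt["len"] == SLAMMER_LEN:
            dests[pkt["src"]].add(pkt["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_dests}


# First two lines are from the quoted capture; the rest are constructed.
SAMPLE = """\
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
19:41:33.000100 192.0.2.10.53211 > 198.51.100.5.53: udp 45
19:41:33.500200 192.0.2.20.1045 > 198.51.100.7.1434: udp 1
19:41:34.000300 192.0.2.30.4000 > 198.51.100.9.1434: udp 376
""".splitlines()

if __name__ == "__main__":
    for src, count in slammer_suspects(SAMPLE).items():
        print(f"{src}: 376-byte UDP/1434 packets to {count} distinct hosts")
```

Matching on port and size together keeps ordinary port 1434 queries of other sizes out of the result, and the distinct-destination count separates a scanning host from a single stray packet.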