I know there are a number of people on this list using SQL, so the below is an FYI that you had better follow up on!
Sheldon

----- Original Message -----
From: "Russ" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 21, 2002 10:50 AM
Subject: TCP1433 probes/attacks

We're tracking two distinctly different attacks on-going since yesterday against TCP1433 (SQL).

The first sends 52 bytes (seemingly a SQL ping) followed by a 210 byte packet (apparently an SA login with blank password and some scripting host stuff).

The second sends a 583 byte packet alone, also logging in as SA with a blank password.

Beyond that, I haven't seen a compromised machine yet so I can't confirm other reports about what it does (Trend, Dshield, and SANS are all claiming various things this "worm" does). Conflicting reports may be explained by our contention it is definitely two different worms propagating.

If you have a compromised machine, one which is actually making outbound connection attempts on 1433 to unknown machine addresses, please drop me a note.

More as it comes.

Meanwhile;

1. Make sure you block Internet access to T1433.
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
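The following Python example is added here and is not part of either e-mail. It flags flows to TCP 1433 whose client payload sizes match the two patterns reported above (52 then 210 bytes, or a single 583 byte packet). The CSV log layout, the addresses and the function names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per inbound TCP segment that carries payload.
# Addresses come from documentation ranges; the column layout is an assumption.
SAMPLE = """\
time,src,sport,dst,dport,payload_len
10:50:01,198.51.100.7,1045,192.0.2.10,1433,52
10:50:01,198.51.100.7,1045,192.0.2.10,1433,210
10:50:02,198.51.100.7,1046,192.0.2.11,1433,52
10:50:02,198.51.100.7,1046,192.0.2.11,1433,210
10:50:05,203.0.113.9,2210,192.0.2.10,1433,583
10:50:09,192.0.2.50,3301,192.0.2.10,1433,120
10:50:09,192.0.2.50,3301,192.0.2.10,1433,340
10:50:11,203.0.113.9,2214,192.0.2.10,80,583
"""

SQL_PORT = 1433


def classify(sizes):
    """Map a flow's ordered client payload sizes to one of the two reported patterns."""
    if sizes[:2] == [52, 210]:
        return "pattern-1 (52 then 210)"
    if sizes == [583]:
        return "pattern-2 (583 alone)"
    return None  # size sequence matches neither report


def scan(log_text):
    """Return {src: {pattern: set(dst)}} for flows to TCP 1433 matching either pattern."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dport"]) != SQL_PORT:
            continue  # only the SQL Server port is of interest
        flows[(row["src"], row["sport"], row["dst"])].append(int(row["payload_len"]))
    hits = defaultdict(lambda: defaultdict(set))
    for (src, _sport, dst), sizes in flows.items():
        label = classify(sizes)
        if label:
            hits[src][label].add(dst)
    return {src: dict(patterns) for src, patterns in hits.items()}


if __name__ == "__main__":
    for src, patterns in scan(SAMPLE).items():
        for label, dsts in patterns.items():
            print(f"{src}: {label} against {sorted(dsts)}")
```

Payload size alone is a weak signal, so a match is a lead for checking the SA password and outbound 1433 traffic on the target host, not proof of compromise.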
