When looking at my network graphs, I noticed a weird increase in traffic. It looked more like an attack, but certainly a mild one.

You can see from the graph that it's around 100k bits/second, or around 10k bytes/second.

I tried firewalling everything and shutting down all the services, but the packets kept coming. Cyber suggested tcpdump, so (as root):

tcpdump -c 10 > tcpdump.out

to get (I removed some entries):
05:29:51.149736 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1]
05:29:51.149987 >  udp 376 [ttl 1]
05:29:51.150478 >  udp 376 [ttl 1]
05:29:51.150975 >  udp 376 [ttl 1]
05:29:51.153068 >  udp 376 [ttl 1]
05:29:51.154165 >  udp 376 [ttl 1]
A search on Google (and a better search from tigert) yielded the problem: it was the SQL Slammer worm. It annoys me because this security alert was from 4 months ago, and the original patch was posted 10 months ago. Since it's relatively small on the bandwidth, I'll just ignore it for the time being.
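The capture above identifies the traffic by its destination port (ms-sql-m, 1434/udp) and its payload size (376 bytes), which is enough to match it directly rather than by hostname. What follows is an added example, not code from the original page: a small POSIX shell script that picks Slammer-shaped lines out of tcpdump text output, lists the source addresses, and prints the equivalent tcpdump capture filter. The sample capture lines are constructed (RFC 5737 documentation addresses), and the tcpdump and iptables commands it prints assume a Linux host with those tools installed; they are printed, not run.

```shell
#!/bin/sh
# Added example (not from the original page): pick Slammer-style probes
# out of tcpdump text output. Slammer sends a single UDP datagram to port
# 1434 (ms-sql-m) with a 376-byte payload, which tcpdump prints as
# "... .ms-sql-m: udp 376" (or ".1434:" when run with -n).

# Constructed sample capture lines (RFC 5737 documentation addresses), in
# tcpdump's text format. Three are Slammer-shaped, two are not.
SAMPLE='05:29:51.149736 IP 192.0.2.10.1434 > 198.51.100.5.ms-sql-m: udp 376 [ttl 1]
05:29:51.149987 IP 192.0.2.11.4321 > 198.51.100.5.ms-sql-m: udp 376 [ttl 1]
05:29:51.150478 IP 203.0.113.7.53 > 198.51.100.5.33000: udp 64
05:29:51.150975 IP 192.0.2.12.1434 > 198.51.100.5.1434: udp 376
05:29:51.151100 IP 192.0.2.13.4000 > 198.51.100.5.ms-sql-m: udp 100'

# Regex for a Slammer-shaped line: destination port ms-sql-m/1434 and a
# UDP payload of exactly 376 bytes.
SLAMMER_RE='\.(ms-sql-m|1434): +udp 376( |$)'

# is_slammer LINE: succeeds (exit 0) if LINE looks like a Slammer probe.
is_slammer() {
  printf '%s\n' "$1" | grep -Eq "$SLAMMER_RE"
}

# count_slammer: reads tcpdump text on stdin, prints how many lines match.
count_slammer() {
  n=0
  while IFS= read -r line; do
    if is_slammer "$line"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# slammer_sources: reads tcpdump text on stdin, prints the unique source
# IPv4 addresses of matching lines, one per line. These are the infected
# hosts doing the scanning, so they make a sensible drop list.
slammer_sources() {
  grep -E "$SLAMMER_RE" |
    sed -E 's/^[^ ]+ +(IP +)?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[^ ]+ +>.*/\2/' |
    sort -u
}

# bpf_filter: the tcpdump capture filter that matches the same packets on
# the wire. udp[4:2] is the UDP length field (header + payload), and
# 8 + 376 = 384, so the match does not depend on name resolution.
bpf_filter() {
  echo 'udp dst port 1434 and udp[4:2] = 384'
}

# Demo: count and list sources from the constructed sample, then print
# the commands one would run on the host (printed here, not executed).
printf '%s\n' "$SAMPLE" | count_slammer
printf '%s\n' "$SAMPLE" | slammer_sources
echo "tcpdump -n -c 10 '$(bpf_filter)'"
echo "iptables -A INPUT -p udp --dport 1434 -j DROP"
```

Running tcpdump with -n avoids the reverse DNS lookups that turn addresses into names like the reserved-multicast-range one in the capture. Note also that a host firewall rule such as the iptables line the script prints only silences the probes at the host: the datagrams have already crossed the link by the time they are dropped, so the bandwidth graph does not change, and tcpdump, which captures before the host filter, still shows them. That is consistent with the packets still arriving after "firewalling everything".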


Last Change: Monday, 10-Jan-2005 07:41:02 EST


The information provided within these pages is provided AS IS, and without any warranty. Following these directions may (but is not limited to) crash your computer, delete all the information on your hard disk, open up security holes or cause your house to burn down. I made these pages to provide some information about the setup that I have done, but I did not proofread it for correctness, and in most cases did not test it. There are commands in these pages that would definitely delete or corrupt all the data on your computer (especially the dualboot section). In fact it happened to me.... So you are on your own!

Cameron Gregory