#1 |
Member (9 bit)
Join Date: May 2000
Location: Lexington, Michigan
Posts: 353
Latest sql virus
Digispid.B.Worm is a worm which spreads to computers that are running Microsoft SQL Server and which have a blank SQL administrator password. It copies files to the infected computer and changes the SQL administrator password to a string of four random characters.
The gory details are here: http://securityresponse.symantec.com...id.b.worm.html

It's said that port 1433 has taken over from port 80 as the number one scanned port. After looking at our firewall log, I believe it.

deny inbound (no xlate) tcp src outside:66.120.71.58/1626 dst outside:64.240.94.216/1433
3 5/29/2002 09:33:59 deny inbound (no xlate) tcp src outside:66.120.71.58/1639 dst outside:64.240.94.229/1433
3 5/29/2002 09:34:29 deny inbound (no xlate) tcp src outside:66.120.71.58/1627 dst outside:64.240.94.217/1433
3 5/29/2002 09:34:59 deny inbound (no xlate) tcp src outside:66.120.71.58/1625 dst outside:64.240.94.215/1433
3 5/29/2002 09:35:00 deny inbound (no xlate) tcp src outside:66.120.71.58/1665 dst outside:64.240.94.250/1433
3 5/29/2002 09:35:00 deny inbound (no xlate) tcp src outside:66.120.71.58/1666 dst outside:64.240.94.251/1433
3 5/29/2002 09:35:00 deny inbound (no xlate) tcp src outside:66.120.71.58/1667 dst outside:64.240.94.252/1433
3 5/29/2002 09:35:25 deny inbound (no xlate) tcp src outside:61.43.46.61/3406 dst outside:64.240.94.241/1433
3 5/29/2002 09:35:25 deny inbound (no xlate) tcp src outside:66.120.71.58/1669 dst outside:64.240.94.254/1433
3 5/29/2002 09:35:35 deny inbound (no xlate) tcp src outside:66.120.71.58/1668 dst outside:64.240.94.253/1433
3 5/29/2002 09:35:41 deny inbound (no xlate) tcp src outside:66.120.71.58/1641 dst outside:64.240.94.231/1433
3 5/29/2002 09:35:43 deny inbound (no xlate) tcp src outside:61.43.46.61/3382 dst outside:64.240.94.217/1433
3 5/29/2002 09:35:45 deny inbound (no xlate) tcp src outside:66.120.71.58/1632 dst outside:64.240.94.222/1433
3 5/29/2002 09:35:51 deny inbound (no xlate) tcp src outside:66.120.71.58/1642 dst outside:64.240.94.232/1433
3 5/29/2002 09:35:51 deny inbound (no xlate) tcp src outside:66.120.71.58/1633 dst outside:64.240.94.223/1433
3 5/29/2002 09:35:52 deny inbound (no xlate) tcp src outside:66.120.71.58/1630 dst outside:64.240.94.220/1433
3 5/29/2002 09:35:55 deny inbound (no xlate) tcp src outside:66.120.71.58/1640 dst outside:64.240.94.230/1433
3 5/29/2002 09:36:01 deny inbound (no xlate) tcp src outside:66.120.71.58/1634 dst outside:64.240.94.224/1433
3 5/29/2002 09:36:02 deny inbound (no xlate) tcp src outside:66.120.71.58/1631 dst outside:64.240.94.221/1433
3 5/29/2002 09:36:03 deny inbound (no xlate) tcp src outside:61.43.46.61/3410 dst outside:64.240.94.245/1433
3 5/29/2002 09:36:30 deny inbound (no xlate) tcp src outside:66.120.71.58/1645 dst outside:64.240.94.235/1433

A sample of some of the thousands of hits that we took yesterday alone.
__________________
Certifiable
===========================================
Cisco CCNA, CCDA
CompTIA A+, Network+, Inet+, Security+
CIW Associate
IBM AIX certified
IBM Certified Specialist - p5 and pSeries Administration and Support for AIX 5L V5.3
IBM Certified Systems Expert - p5 and pSeries Enterprise Technical Support AIX 5L V5.3
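
Added example, not part of the original thread: one way to turn deny records in the layout shown in the post above into a per-source summary of how many distinct hosts were probed on TCP 1433, which is the pattern visible in the sample. The log lines are constructed with documentation-range addresses, and the function names and the `min_targets` threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same layout as the records quoted in the post.
SAMPLE_LOG = """\
3 5/29/2002 09:33:59 deny inbound (no xlate) tcp src outside:198.51.100.7/1626 dst outside:192.0.2.16/1433
3 5/29/2002 09:34:29 deny inbound (no xlate) tcp src outside:198.51.100.7/1639 dst outside:192.0.2.29/1433
3 5/29/2002 09:34:59 deny inbound (no xlate) tcp src outside:198.51.100.7/1627 dst outside:192.0.2.17/1433
3 5/29/2002 09:35:25 deny inbound (no xlate) tcp src outside:203.0.113.61/3406 dst outside:192.0.2.41/1433
3 5/29/2002 09:35:43 deny inbound (no xlate) tcp src outside:203.0.113.61/3382 dst outside:192.0.2.41/1433
3 5/29/2002 09:36:01 deny inbound (no xlate) tcp src outside:198.51.100.9/2001 dst outside:192.0.2.16/80
3 5/29/2002 09:36:02 deny inbound (no xlate) tcp src outside:198.51.100.9/2002 dst outside:192.0.2.17/80
3 5/29/2002 09:36:03 deny inbound (no xlate) tcp src outside:198.51.100.9/2003 dst outside:192.0.2.18/80
"""

# Matches the record body only, so it works with or without the leading
# columns and even when records are run together on one line.
DENY_RE = re.compile(
    r"deny inbound \(no xlate\) (?P<proto>\w+) "
    r"src outside:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst outside:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield (src, dst, dport) for every deny record found in text."""
    for m in DENY_RE.finditer(text):
        yield m["src"], m["dst"], int(m["dport"])


def sweeping_sources(text, port=1433, min_targets=3):
    """Map each source to the distinct hosts it probed on `port`,
    keeping only sources that reached at least `min_targets` hosts."""
    targets = defaultdict(set)
    for src, dst, dport in parse_denies(text):
        if dport == port:
            targets[src].add(dst)
    return {
        src: sorted(dsts, key=ipaddress.ip_address)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, dsts in sweeping_sources(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on 1433: {', '.join(dsts)}")
```

Counting distinct destinations rather than raw hits keeps a single host that retries against one address from being reported as a sweep.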
#2 |
Professional gadfly
Man, if people didn't do stupid things like leave passwords blank, just think of all the virii we would NOT have to deal with!