Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm

packetd (Just Arrived, joined 25 Jan 2003)
Posted: Sat Jan 25, 2003 9:38 pm    Post subject: Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm

Posted Cisco ACL and SNORT sig for the SQL worm to:

http://www.packetdefense.com
ShaolinTiger (Forum Fanatic, joined 18 Apr 2002, Kuala Lumpur, Malaysia)
Posted: Sun Jan 26, 2003 5:22 pm

The scanner is non-intrusive and won't crash your servers in identifying vulnerable systems. It WILL NOT identify already infected systems. Because of the nature of the worm it keeps any valid data from getting to the victim system. We suggest using sniffers and IDSs to determine already infected machines.

You can download the scanner from:
http://www.eeye.com/html/Research/Tools/SapphireSQL.html

For more details about the Sapphire SQL Worm:
http://www.eeye.com/html/Research/Flash/AL20030125.html

Analysis here: http://www.techie.hopto.org/sqlworm.html
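The post above says the eEye scanner finds vulnerable hosts but not infected ones, and points at sniffers and IDSs for that. As an added example that is not part of the post or of eEye's tooling, here is the passive side in Python: it walks (source, destination, port, payload) tuples from a capture and reports sources spraying worm-shaped datagrams. The packet shape (a single UDP datagram to 1434, roughly 376-byte payload, first byte 0x04 followed by a long run of 0x01 filler) follows the public analyses linked above; the size and filler thresholds, the addresses and the sample packets are this example's constructed assumptions.

```python
"""Passive detection of Slammer-infected hosts from captured UDP traffic.

Added example, not from the post or from eEye's scanner. The datagram shape
follows the public analyses of the worm; thresholds and sample traffic are
constructed for this example.
"""
from typing import Dict, Iterable, List, Tuple

# Worm datagram shape: UDP to 1434, roughly 376-byte payload, first byte 0x04
# (the SQL Server Resolution Service request type the overflow abuses), then a
# long run of 0x01 filler before the exploit code. Thresholds are assumptions.
MIN_WORM_PAYLOAD = 300
MIN_FILLER_RUN = 64

Packet = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, udp_payload)


def looks_like_slammer(dst_port: int, payload: bytes) -> bool:
    """True for a worm-shaped datagram; legitimate SSRS requests are tiny."""
    if dst_port != 1434 or len(payload) < MIN_WORM_PAYLOAD:
        return False
    if payload[:1] != b"\x04":
        return False
    return payload[1:1 + MIN_FILLER_RUN] == b"\x01" * MIN_FILLER_RUN


def infected_sources(packets: Iterable[Packet], min_targets: int = 3) -> Dict[str, int]:
    """Map each suspected infected source to the number of distinct hosts it hit.

    A worm host sprays random destinations, so a source is reported only once
    it has sent worm-shaped datagrams to at least min_targets distinct
    addresses; one stray packet is not enough on its own.
    """
    targets: Dict[str, set] = {}
    for src, dst, dport, payload in packets:
        if looks_like_slammer(dport, payload):
            targets.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample traffic (not a real capture). 376-byte worm-shaped payload:
WORM_SHAPED = b"\x04" + b"\x01" * 97 + b"\x90" * 278
SSRS_PING = b"\x02"                  # what the eEye scanner / mssql_ping send
SSRS_LOOKUP = b"\x04MSSQLSERVER"     # legitimate 0x04 instance lookup, short

SAMPLE_PACKETS: List[Packet] = [
    # 10.0.0.5 behaves like an infected host: worm datagrams to many targets
    ("10.0.0.5", "10.0.1.1", 1434, WORM_SHAPED),
    ("10.0.0.5", "172.16.4.9", 1434, WORM_SHAPED),
    ("10.0.0.5", "192.168.7.3", 1434, WORM_SHAPED),
    ("10.0.0.5", "10.200.3.4", 1434, WORM_SHAPED),
    # 10.0.0.9 is a vulnerability scanner: 0x02 pings only, never flagged
    ("10.0.0.9", "10.0.1.1", 1434, SSRS_PING),
    ("10.0.0.9", "10.0.1.2", 1434, SSRS_PING),
    ("10.0.0.9", "10.0.1.3", 1434, SSRS_PING),
    # 10.0.0.7 is a normal client doing an instance lookup
    ("10.0.0.7", "10.0.1.1", 1434, SSRS_LOOKUP),
    # 10.0.0.11 sent one worm-shaped packet: below the per-source threshold
    ("10.0.0.11", "10.0.1.1", 1434, WORM_SHAPED),
    # the same bytes to another port are not SSRS traffic at all
    ("10.0.0.12", "10.0.1.1", 53, WORM_SHAPED),
]

if __name__ == "__main__":
    for src, n in infected_sources(SAMPLE_PACKETS).items():
        print(f"{src}: worm-shaped datagrams to {n} distinct hosts, likely infected")
```

Feeding real traffic means decoding UDP from a capture and handing the tuples to infected_sources; the per-source threshold is what separates an infected machine from a scanner or a single replayed packet, and it is the knob to tune for your network.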
browolf (Trusted SF Member, joined 19 Apr 2002)
Posted: Mon Jan 27, 2003 4:53 pm

Sorry, I missed this thread. Too many threads about the same thing.

I found this page, which has links to neat places like DShield that show levels of 'internet carnage' and various net traffic places.
Worth bookmarking for when this happens again.

http://www.shmoo.com/~tbird/metaweather.html


Surely it's only a matter of time before someone adapts it to target home users. Then we'll all be in a world of That IS POO!
Posideon (Just Arrived, joined 10 Jan 2003, UK Baby!!!)
Posted: Mon Jan 27, 2003 5:35 pm

Similar to Shaolin's other post located at:

http://www.security-forums.com/forum/viewtopic.php?t=3172

but with more detail in yours.
tutaepaki (Trusted SF Member, joined 02 May 2002, New Zealand)
Posted: Wed Jan 29, 2003 10:49 pm

In case it's useful for anyone... here is a better Nessus script to test for the vulnerability. (The existing one was a bit clunky.) Just save the code to a <name>.nasl file in your plugins directory (usually /usr/local/lib/nessus/plugins) and restart the nessusd server. It will appear in the "Windows" family.

Code:
if(description)
{
 script_version ("$Revision: 1.1 $");
 script_cve_id("CAN-2002-0649");
 name["english"] = "Microsoft's SQL Slammer worm";
 script_name(english:name["english"]);

 desc["english"] = "
Microsoft SQL Server 2000 is vulnerable to a buffer overflow attack
in the SQL monitor. A worm called 'Sapphire' or 'Slammer' is
aggressively exploiting this vulnerability in the wild.

Risk factor : High

Solution : Apply Microsoft standalone patch for MS02-039 or
apply SQL 2000 Service Pack 3";

 script_description(english:desc["english"]);

 summary["english"] = "SQL Slammer worm";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);
 family["english"] = "Windows";
 script_family(english:family["english"]);
 # Only run once mssql_ping.nasl has found the resolution service on UDP/1434
 script_dependencies("mssql_ping.nasl");
 script_require_keys("mssql/udp/1434");
 exit(0);
}

#
# The script code starts here
#

key = get_kb_item("mssql/udp/1434");
if(!key)exit(0);

# HD Moore's sql_ping function: a single 0x02 byte to UDP/1434 makes the
# SQL Server Resolution Service answer with its instance names and versions.
function sql_ping() {
  req = raw_string(0x02);
  if(!get_udp_port_state(1434))exit(0);
  soc = open_sock_udp(1434);
  if(soc) {
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);
    if(r)return(r);
  }
}

myret = sql_ping();
if (myret) {
  # Only SQL Server 2000 (version 8.x) is affected. The builds below already
  # carry the MS02-039 fix (8.00.760 is SP3); anything else on 8.x is flagged.
  if ("Version;8" >< myret) {
    if ("8.00.760" >< myret) { exit(0); }
    if ("8.00.686" >< myret) { exit(0); }
    if ("8.00.679" >< myret) { exit(0); }
    if ("8.00.667" >< myret) { exit(0); }
    security_hole(port:1434, proto:"udp");
    exit(0);
  }
}

exit(0);
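The NASL script above decides with substring matches over the whole UDP reply, so a host running one patched instance next to an unpatched one is passed over as soon as "8.00.760" appears anywhere in the text. As an added example that is not from the post, here is the same decision in Python, parsing the resolution-service reply instance by instance and keeping the script's own list of fixed builds. The reply layout (leading 0x05, two-byte little-endian length, then 'key;value;...' text with each instance terminated by ';;') is the SQL Server Resolution Service format the 0x02 ping elicits; the host names, instance names and ports in the samples are constructed.

```python
"""Per-instance version check of a SQL Server Resolution Service (UDP/1434) reply.

Added example, not from the post. It mirrors the NASL script's decision but
parses each instance separately. Sample replies are constructed; host and
instance names are made up.
"""
import socket
from typing import Dict, List, Optional

# Builds the NASL script above treats as already fixed for MS02-039
# (8.00.760 is SQL 2000 SP3). Copied from the script.
PATCHED_BUILDS = {"8.00.760", "8.00.686", "8.00.679", "8.00.667"}


def parse_ssrs_response(data: bytes) -> List[Dict[str, str]]:
    """Split an SSRS reply into one key/value dict per instance.

    Layout: 0x05, two-byte little-endian length, then ASCII text of
    'key;value;key;value;...' with each instance terminated by ';;'.
    """
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRS response (expected leading 0x05)")
    length = int.from_bytes(data[1:3], "little")
    text = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in text.split(";;"):
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:
            continue  # trailing empty chunk after the final ';;'
        pairs = dict(zip(fields[0::2], fields[1::2]))
        if "Version" in pairs:
            instances.append(pairs)
    return instances


def assess_instance(inst: Dict[str, str]) -> str:
    """'patched', 'vulnerable' or 'not_applicable' (non-8.x, i.e. not SQL 2000)."""
    version = inst.get("Version", "")
    if not version.startswith("8."):
        return "not_applicable"
    return "patched" if version in PATCHED_BUILDS else "vulnerable"


def assess_response(data: bytes) -> Dict[str, str]:
    """Verdict per instance name. Unlike a whole-reply substring match, a
    patched instance cannot hide an unpatched one on the same host."""
    return {inst.get("InstanceName", "?"): assess_instance(inst)
            for inst in parse_ssrs_response(data)}


def host_vulnerable(data: bytes) -> bool:
    return "vulnerable" in assess_response(data).values()


def ssrs_ping(host: str, timeout: float = 3.0) -> Optional[bytes]:
    """Live probe: the same single 0x02 byte that sql_ping() sends. Not used
    by the samples below; only run it against hosts you are authorised to scan."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x02", (host, 1434))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def build_response(*instances: str) -> bytes:
    """Assemble a constructed SSRS reply from instance strings (sample data only)."""
    body = "".join(instances).encode("ascii")
    return b"\x05" + len(body).to_bytes(2, "little") + body


# Constructed samples: one host with a patched default instance and an
# unpatched named instance, and one host that is fully patched.
SAMPLE_MIXED = build_response(
    "ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;tcp;1433;;",
    "ServerName;DBHOST;InstanceName;LEGACY;IsClustered;No;Version;8.00.194;tcp;1435;;",
)
SAMPLE_PATCHED = build_response(
    "ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;tcp;1433;;",
)

if __name__ == "__main__":
    for name, data in [("mixed", SAMPLE_MIXED), ("patched", SAMPLE_PATCHED)]:
        verdict = "VULNERABLE" if host_vulnerable(data) else "ok"
        print(name, assess_response(data), "->", verdict)
```

On SAMPLE_MIXED the NASL logic exits at the "8.00.760" match and reports nothing, while the per-instance parse reports LEGACY at 8.00.194 as vulnerable; that gap is the reason to parse the reply rather than grep it.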