Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm

Networking/Security Forums -> Exploits // System Weaknesses

Author: packetd    Posted: Sat Jan 25, 2003 9:38 pm    Post subject: Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm
Posted Cisco ACL and SNORT sig for the SQL worm to:

Author: ShaolinTiger    Location: Kuala Lumpur, Malaysia    Posted: Sun Jan 26, 2003 5:22 pm    Post subject:
The scanner is non-intrusive, won't crash your servers, in identifying vulnerable systems. It WILL NOT identify already infected systems. Because of the nature of the worm it keeps any valid data from getting to the victim system. We suggest using sniffers and IDS's to determine already infected machines.

You can download the scanner from:

For more details about the Sapphire SQL Worm:

Analysis here:

Author: browolf    Posted: Mon Jan 27, 2003 4:53 pm    Post subject:
sorry i missed this thread. too many threads about the same thing. ;)

i found this page which has links to neat places like dshield that show levels of 'internet carnage' and various net traffic places.
worth bookmarking for when this happens again.

surely it's only a matter of time b4 someone adapts it to target home users. then we'll all be in a world of That IS POO! :D

Author: Posideon    Location: UK Baby!!!    Posted: Mon Jan 27, 2003 5:35 pm    Post subject:
Similar to Shaolin's other post located at:

But with more detail in yours.

Author: tutaepaki    Location: New Zealand    Posted: Wed Jan 29, 2003 10:49 pm    Post subject:
In case it's useful, here is a better nessus script to test for the vulnerability. (The existing one was a bit clunky.) Just save the code to a <name>.nasl file in your plugins directory (usually /usr/local/lib/nessus/plugins) and restart the nessusd server. It will appear in the "windows" family.

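if(description)
{
 # Placeholder ID: the script_id() line did not survive in the post.
 # Use an ID that is unused in your local plugin set.
 script_id(99999);
 script_version ("$Revision: 1.1 $");
 name["english"] = "Microsoft's SQL Slammer worm";
 script_name(english:name["english"]);

 desc["english"] = "
Microsoft SQL Server 2000 is vulnerable to a buffer overflow attack
in the SQL monitor. A worm called 'Sapphire' or 'Slammer' is
aggressively exploiting this vulnerability in the wild.

Risk factor : High

Solution : Apply Microsoft standalone patch for MS02-039 or
apply SQL 2000 Service Pack 3";
 script_description(english:desc["english"]);

 summary["english"] = "SQL Slammer worm";
 script_summary(english:summary["english"]);

 # Assumed category; the original line is missing from the post.
 script_category(ACT_GATHER_INFO);

 family["english"] = "Windows";
 script_family(english:family["english"]);
 exit(0);
}

# The script code starts here

key = get_kb_item("mssql/udp/1434");

# HD Moore's sql_ping function:
# send the single byte 0x02 to udp/1434 and return the server's reply
function sql_ping() {
        req = raw_string(0x02);
        soc = open_sock_udp(1434);
        if(soc) {
             send(socket:soc, data:req);
             r  = recv(socket:soc, length:4096);
             close(soc);
             return(r);
        }
        return(0);
}

myret = sql_ping();
if (myret) {
        # Only SQL Server 2000 (version 8.x) is affected
        if ("Version;8" >< myret) {
             # These builds are treated as patched: nothing to report
             if ("8.00.760" >< myret) { exit(0); }
             if ("8.00.686" >< myret) { exit(0); }
             if ("8.00.679" >< myret) { exit(0); }
             if ("8.00.667" >< myret) { exit(0); }
             security_hole(port:1434, proto:"udp");
        }
}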
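
The same check as the NASL script above, as an added Python example that is not part of the original post. It goes one step further than the script by parsing the reply to the 0x02 query (type byte 0x05, two-byte length, then semicolon-separated key/value pairs) and judging each instance on its own; the sample reply and the host and instance names in it are constructed.

```python
import socket
import sys

# Builds the NASL script above treats as already fixed (taken from the post).
PATCHED_BUILDS = ("8.00.760", "8.00.686", "8.00.679", "8.00.667")

def sql_ping(host, timeout=3.0):
    """Send the one-byte 0x02 query to udp/1434; return the raw reply or b''."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"\x02", (host, 1434))
            return s.recv(4096)
        except OSError:          # timeout, ICMP unreachable, resolution failure
            return b""

def parse_reply(data):
    """Return one {key: value} dict per SQL Server instance in the reply."""
    if len(data) < 3 or data[0] != 0x05:   # 0x05 = response type byte
        return []
    text = data[3:].decode("ascii", errors="replace")  # skip type + 2-byte length
    instances = []
    for chunk in text.split(";;"):         # instances are separated by ';;'
        fields = chunk.strip(";").split(";")
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def needs_patch(instance):
    """Same rule as the NASL script: version 8.x and not a listed build."""
    version = instance.get("Version", "")
    return version.startswith("8.") and not version.startswith(PATCHED_BUILDS)

def vulnerable_instances(data):
    """Names of the instances in a reply that still need the fix."""
    return [i.get("InstanceName", "?") for i in parse_reply(data) if needs_patch(i)]

# Constructed sample reply (host and instance names are made up).
_BODY = (b"ServerName;DB01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;"
         b"ServerName;DB01;InstanceName;REPORTS;IsClustered;No;Version;8.00.760;tcp;1045;;")
SAMPLE_REPLY = b"\x05" + len(_BODY).to_bytes(2, "little") + _BODY

if __name__ == "__main__":
    reply = sql_ping(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    for name in vulnerable_instances(reply):
        print("unpatched SQL Server 2000 instance:", name)
```

Run without arguments it evaluates the constructed sample; with a host name or address it queries that host on udp/1434.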


All times are GMT + 2 Hours