Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm

Networking/Security Forums -> Exploits // System Weaknesses

Author: packetd    Posted: Sat Jan 25, 2003 9:38 pm    Post subject: Cisco/SNORT ACL & Sig for MS-SQL 'Sapphire' Worm
    ----
Posted Cisco ACL and SNORT sig for the SQL worm to:

http://www.packetdefense.com

Author: ShaolinTiger (Kuala Lumpur, Malaysia)    Posted: Sun Jan 26, 2003 5:22 pm
    ----
The scanner is non-intrusive and won't crash your servers in identifying vulnerable systems. It WILL NOT identify already infected systems. Because of the nature of the worm, it keeps any valid data from getting to the victim system. We suggest using sniffers and IDSs to determine already infected machines.

You can download the scanner from:
http://www.eeye.com/html/Research/Tools/SapphireSQL.html

For more details about the Sapphire SQL Worm:
http://www.eeye.com/html/Research/Flash/AL20030125.html

Analysis here: http://www.techie.hopto.org/sqlworm.html

Author: browolf    Posted: Mon Jan 27, 2003 4:53 pm
    ----
Sorry I missed this thread. Too many threads about the same thing.

I found this page which has links to neat places like DShield that show levels of 'internet carnage' and various net traffic places.
Worth bookmarking for when this happens again.

http://www.shmoo.com/~tbird/metaweather.html


Surely it's only a matter of time before someone adapts it to target home users. Then we'll all be in a world of That IS POO!

Author: Posideon (UK Baby!!!)    Posted: Mon Jan 27, 2003 5:35 pm
    ----
Similar to Shaolin's other post located at:

http://www.security-forums.com/forum/viewtopic.php?t=3172

But with more detail in yours.

Author: tutaepaki (New Zealand)    Posted: Wed Jan 29, 2003 10:49 pm
    ----
In case it's useful for anyone... here is a better Nessus script to test for the vulnerability. (The existing one was a bit clunky.) Just save the code to a <name>.nasl file in your plugins directory (usually /usr/local/lib/nessus/plugins) and restart the nessusd server. It will appear in the "Windows" family.

Code:
if(description)
{
  script_version("$Revision: 1.1 $");
  script_cve_id("CAN-2002-0649");
  name["english"] = "Microsoft's SQL Slammer worm";
  script_name(english:name["english"]);

  desc["english"] = "
Microsoft SQL Server 2000 is vulnerable to a buffer overflow attack
in the SQL monitor. A worm called 'Sapphire' or 'Slammer' is
aggressively exploiting this vulnerability in the wild.

Risk factor : High

Solution : Apply Microsoft standalone patch for MS02-039 or
apply SQL 2000 Service Pack 3";

  script_description(english:desc["english"]);

  summary["english"] = "SQL Slammer worm";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  family["english"] = "Windows";
  script_family(english:family["english"]);
  # Run only after mssql_ping.nasl has recorded an SQL Server Resolution
  # Service listening on udp/1434 for this host.
  script_dependencies("mssql_ping.nasl");
  script_require_keys("mssql/udp/1434");
  exit(0);
}

#
# The script code starts here
#

# Skip hosts where the dependency found no listener on udp/1434.
key = get_kb_item("mssql/udp/1434");
if(!key)exit(0);

# HD Moore's sql_ping function: send the single-byte SSRP ping (0x02)
# and return whatever the resolution service answers.
function sql_ping() {
  req = raw_string(0x02);
  if(!get_udp_port_state(1434))exit(0);
  soc = open_sock_udp(1434);
  if(soc) {
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);
    if(r)return(r);
  }
}

myret = sql_ping();
if (myret) {
  # Only SQL Server 2000 (version 8.x) is affected. The four builds below
  # are treated as already patched (8.00.760 is Service Pack 3); anything
  # else reporting version 8 is flagged.
  if ("Version;8" >< myret) {
    if ("8.00.760" >< myret) { exit(0); }
    if ("8.00.686" >< myret) { exit(0); }
    if ("8.00.679" >< myret) { exit(0); }
    if ("8.00.667" >< myret) { exit(0); }
    security_hole(port:1434, proto:"udp");
    exit(0);
  }
}

exit(0);
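As an added example (not code from this thread, from Nessus or from eEye), here is the same check the NASL script above performs, written in Python so it can be run against an inventory of SQL Server hosts or against a saved reply: it parses an SQL Server Resolution Service (SSRP) reply from udp/1434 and flags instances that report a SQL Server 2000 build outside the script's patched-build list. The sample replies are constructed, not captured from real hosts; the reply layout assumed is a 0x05 byte, a little-endian 16-bit length, then a semicolon-separated key/value string with instances separated by ";;". The ssrp_ping helper sends the same one-byte 0x02 probe the NASL script sends and is only needed for live checks.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Builds the NASL script above treats as patched (8.00.760 is SQL 2000 SP3).
PATCHED_BUILDS = {"8.00.760", "8.00.686", "8.00.679", "8.00.667"}

SSRP_PORT = 1434


def build_ssrp_reply(payload: str) -> bytes:
    """Wrap a key/value string in the assumed SSRP server-response framing."""
    body = payload.encode("ascii")
    return b"\x05" + struct.pack("<H", len(body)) + body


# Constructed sample replies (not captured from real hosts).
SAMPLE_UNPATCHED = build_ssrp_reply(
    "ServerName;DBHOST1;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;;"
)
SAMPLE_MIXED = build_ssrp_reply(
    "ServerName;DBHOST2;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.760;tcp;1433;;"
    "ServerName;DBHOST2;InstanceName;LEGACY;IsClustered;No;"
    "Version;8.00.534;tcp;2433;;"
)


def parse_ssrp_reply(data: bytes) -> List[Dict[str, str]]:
    """Split an SSRP reply into one key/value dict per advertised instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack("<H", data[1:3])
    if len(data) < 3 + length:
        raise ValueError("truncated SSRP response")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # instances are separated by ";;"
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:                 # trailing empty chunk
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def assess_instance(inst: Dict[str, str]) -> str:
    """Same decision as the NASL script: SQL 2000 on a build not in the patched list."""
    version = inst.get("Version", "")
    if not version.startswith("8."):
        return "not-sql2000"
    if version in PATCHED_BUILDS:
        return "patched"
    return "vulnerable"


def assess_reply(data: bytes) -> List[Tuple[str, str]]:
    """Return (instance name, status) for every instance in one reply."""
    return [(inst.get("InstanceName", "?"), assess_instance(inst))
            for inst in parse_ssrp_reply(data)]


def ssrp_ping(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the one-byte SSRP ping (0x02) the NASL script sends; None if no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x02", (host, SSRP_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a live host use
    # assess_reply(ssrp_ping("hostname")) after checking the reply is not None.
    for label, sample in (("DBHOST1", SAMPLE_UNPATCHED), ("DBHOST2", SAMPLE_MIXED)):
        for name, status in assess_reply(sample):
            print(f"{label}\\{name}: {status}")
```

Like the NASL script, this only tells you whether a responding instance still advertises an unpatched build; a host that is already infected is usually too busy flooding to answer the probe at all, which is why the eEye note above recommends sniffers and IDS for finding infected machines.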


