Field Report: New Worm
falcon
cybersecret.com
Date: Thu Apr 03 2003 - 07:01:22 CST
Hello All,
This is a follow-up to my previous email. I believe
this correlates with other reports that I saw earlier
last night (but did not have time to read) about a
possible new SQL Slammer Worm.
I am now confirming what appears to be an automated
compromise of systems, possibly via SQL (3306), if my
read is correct on traffic. I have had 5 current RH8
servers with mysql 3.23.56 compromised and 1 Cobalt
Raq4 server with an older version of mysql (that had
allegedly been removed).
Tell-tale signs:
1) Commands like "reboot" return "cussing" errors.
2) Presence of /usr/share/locale/sk/.sk12 directory.
Directory contains at least executable "sk" and touched
file ".sniffer".
3) Infection traffic appears to be propagating over
port 3306. I haven't baselined this network, so that's
my first inclination, though I also see some IPX
traffic out there which doesn't belong. The main
reason I suspect a sql/mysql connection is because
those servers running mysql appear to be the ones
infected.
PLEASE NOTE: chkrootkit DOES NOT DETECT this infection!
I'll be happy to pull samples for anybody interested.
There doesn't appear to be anything in the logs. I'm
in the process of imaging a couple of disks for later
review before I low-level and reinstall. Would be nice
to find a "fix" for this latest bug, however, before I
get too far along with a rebuild.
cheers,
-ben
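Since the post says chkrootkit misses this infection, a responder would want a direct check for the file-system indicators it names (the /usr/share/locale/sk/.sk12 directory with its "sk" executable and ".sniffer" file), ideally one that also records a hash of anything found so a sample survives the rebuild. The following is an added example, not code from the original post or its author; the optional root prefix is an assumption that lets the same check run over a mounted disk image instead of the live host, and the fixture tree it builds for demonstration is constructed, not a real sample.

```python
import hashlib
import os
import tempfile

# Indicators taken from the report. No leading slash so the path can be
# joined onto either "/" (live host) or a mount point for a disk image.
SK12_DIR = "usr/share/locale/sk/.sk12"
SK12_FILES = ("sk", ".sniffer")


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sk12_indicators(root="/"):
    """Report which of the posted indicators exist under root.

    Returns {"dir_present": bool, "files": {name: {size, sha256, executable}}}
    so the result can be logged or fed into a ticket as evidence.
    """
    base = os.path.join(root, SK12_DIR)
    result = {"dir_present": os.path.isdir(base), "files": {}}
    if not result["dir_present"]:
        return result
    for name in SK12_FILES:
        p = os.path.join(base, name)
        if os.path.isfile(p):
            result["files"][name] = {
                "size": os.path.getsize(p),
                "sha256": sha256_of(p),
                "executable": os.access(p, os.X_OK),
            }
    return result


def is_infected(report):
    """Treat the hidden directory plus the 'sk' binary as a positive match."""
    return report["dir_present"] and "sk" in report["files"]


def build_sample_image(root):
    """Constructed test fixture: lay down the reported artefacts under root.

    The 'sk' file is a placeholder shell stub, not the real dropped binary.
    """
    base = os.path.join(root, SK12_DIR)
    os.makedirs(base, exist_ok=True)
    sk = os.path.join(base, "sk")
    with open(sk, "wb") as f:
        f.write(b"#!/bin/sh\n# placeholder standing in for the dropped binary\n")
    os.chmod(sk, 0o755)
    open(os.path.join(base, ".sniffer"), "wb").close()  # empty, touched file
    return root


if __name__ == "__main__":
    # Demonstrate against a constructed image tree, then against the live host.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        rep = check_sk12_indicators(tmp)
        print("fixture:", rep, "infected =", is_infected(rep))
    print("live host infected =", is_infected(check_sk12_indicators("/")))
```

Run it as root (or point it at a mounted image) on a suspect box; the hash in the output is what you would attach when sharing a sample. A clean result only rules out this specific indicator set, so a negative here is no stronger than the chkrootkit negative the post warns about.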