RE: spp_portscan2 and UDP

[Kenton Smith <ksmith () chartwelltechnology com>]

The box was patched, but the Symantec tool said it was vulnerable, and
it was. So I installed the latest version of both Service Pack 2 and the
August 14 security roll-up. Now the Symantec Tools says that it is not
vulnerable.
The patch level is showing as 8.0.534 SP2

I don't think this is what it should be for the patches that are
applied.

Am I right in that this is probably the Slammer worm?


On Tue, 2003-01-28 at 09:46, Dan Fiorito wrote:
> Did you patch the box?  confirm the patch level ...
>
>       -----Original Message----- 
>       From: Kenton Smith [mailto:ksmith () chartwelltechnology com] 
>       Sent: Tue 1/28/2003 11:34 AM 
>       To: snort-users () lists sourceforge net 
>       Cc: 
>       Subject: [Snort-users] spp_portscan2 and UDP
>       
>       
>
>       I have a machine running MS SQL on my network. It is patched against the
>       Slammer vulnerability and checks out when I run the Symantec fixsql tool
>       on it. However it is sending out packets at a consistent rate. I
>       couldn't figure out what it was doing until I looked at Snort and found
>       the 300+ entries like the following:
>       
>       [**] [117:1:1] (spp_portscan2) Portscan detected from [my.sql.server]: 6
>       targets 6  ports in 0 seconds [**]
>       01/27-15:43:50.898738 0:50:DA:B9:75:49 -> 1:0:5E:6D:C6:FC type:0x800
>       len:0x1A2 xxx.xxx.xxx.xxx:1303 -> xxx.xxx.xxx.xxx:1434 UDP TTL:1 TOS:0x0
>       ID:29272 IpLen:20 DgmLen:404 Len: 384
>       
>       
>       01/27-15:43:50.970576  UDP src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx
>       sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6
>       
>       The source is my server and it's going to seemingly random destinations.
>       I have since disconnected it, but I think it is infected with the worm.
>       I've rebooted and it comes back shortly after restart. I can't confirm
>       what the spp_portscan2 is, can anyone tell me? Oddly none of the dports
>       are UDP 1433, they are all 1434.
>       
>       Any thoughts?
>       
>       Thanks,
>       Kenton Smith
>       
>       
>       
>       
>       -------------------------------------------------------
>       This SF.NET email is sponsored by:
>       SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>       http://www.vasoftware.com
>       _______________________________________________
>       Snort-users mailing list
>       Snort-users () lists sourceforge net
>       Go to this URL to change user options or unsubscribe:
>       https://lists.sourceforge.net/lists/listinfo/snort-users
>       Snort-users list archive:
>       http://www.geocrawler.com/redir-sf.php3?list=snort-users
>       
>       
Kenton Smith, GSEC
Systems Administrator
Chartwell Technology Inc.
700, 407 2 St. S.W. 
Calgary, AB T2P 2Y3 
CANADA 
P 403 261-6619 
F 403 237-5816 
E ksmith () chartwelltechnology com
W www.chartwelltechnology.com



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users