Slammer
By now you must have heard of the SQL Slammer worm. It was quite an infectious little nuisance. The harm it caused was due largely to unpatched, unprotected SQL Servers: the worm exploited a buffer overflow in the SQL Server 2000 Resolution Service (UDP port 1434) that Microsoft had already fixed in MS02-039, some six months before the outbreak.
We are now nine years out from the initial discovery of this worm. The worm has made its way onto the endangered species list, but it is not yet extinct. I don't know if I should be surprised by that.
My initial reaction is "No way that worm is still causing problems. Everybody knows about it." And yet, I just caught several infection attempts from remote hosts that were infected with Slammer. When I take a step back, I recall that many people out there are still running unpatched servers. I know of many places that are running SQL 2000. I know of a large pool of servers across different versions and editions that are not patched. I even know of a few places that are still running SQL 6.5.
When I take all of that into account, finding that Slammer is still active does not surprise me – but it should.
So, for fun, here is what I trapped from the recent SQL Slammer attempts against my machine.
Time: 1/23/2012 3:59:03 PM
Event: Intrusion
IP Address/User: 202.56.192.195
Message: Attack type: MSSQL Resolution Service Buffer Overflow (Slammer)
When I trace that IP back to its source, I get the host name of the machine. Searching on that host name turns up this page (now defunct: https://ipdb.at/ip/202.56.192.195 ). If I were an attacker, I would now have a lot of valuable information. I can also assume that a host still spraying Slammer packets in 2012 is carrying plenty of other viruses.
This entire little foray has made me wonder how many people out there are concerned about security. Do you know what the patch level is of your server? Is your AV software up to date? Are you running any form of HIPS? If you are in IT and your focus is data, you may want to check those things. After all, our focus is to protect the data.
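For anyone who wants to see what "catching" a Slammer attempt actually looks like, here is an added example (my own illustration, not code from the post or from any HIPS product) of the classic detection logic: the worm is a single UDP datagram to port 1434 whose first byte is the Resolution Service request type 0x04 and whose payload is far longer than any legitimate instance-name lookup (the original worm payload was 376 bytes). The script applies that signature to a few constructed datagrams, and also parses HIPS event lines in the format quoted above so the reporting sources can be pulled out. The source addresses, the sample log line beyond the one in the post, and the helper names are all assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# --- SSRS / Slammer packet signature ----------------------------------------
SSRS_PORT = 1434            # SQL Server Resolution Service listens on UDP/1434
CLNT_UCAST_INST = 0x04      # request type whose instance-name handling MS02-039 fixed
SLAMMER_PAYLOAD_LEN = 376   # UDP payload length of the original worm datagram
SIZE_THRESHOLD = 100        # a legitimate 0x04 request is a few dozen bytes;
                            # the classic IDS rule fires on payload > 100 bytes


@dataclass(frozen=True)
class Datagram:
    """Minimal view of a UDP datagram: source address, destination port, payload."""
    src_ip: str
    dst_port: int
    payload: bytes


def is_slammer_like(d: Datagram) -> bool:
    """True for an oversized CLNT_UCAST_INST request aimed at UDP/1434."""
    if d.dst_port != SSRS_PORT or not d.payload:
        return False
    if d.payload[0] != CLNT_UCAST_INST:
        return False
    return len(d.payload) > SIZE_THRESHOLD


def scan(datagrams: Iterable[Datagram]) -> List[Tuple[str, int]]:
    """Return (source IP, payload length) for every datagram matching the signature."""
    return [(d.src_ip, len(d.payload)) for d in datagrams if is_slammer_like(d)]


# --- HIPS log line parser, for the event format quoted in the post ----------
HIPS_LINE = re.compile(
    r"Time:\s*(?P<time>.+?)\s+Event:\s*(?P<event>\S+)\s+"
    r"IP Address/User:\s*(?P<ip>\S+)\s+Message:\s*(?P<msg>.+?)\s*$"
)


def parse_hips_event(line: str) -> Optional[Dict[str, str]]:
    """Split one HIPS event line into its fields; None if the line does not match."""
    m = HIPS_LINE.match(line.strip())
    return m.groupdict() if m else None


def slammer_sources(lines: Iterable[str]) -> Set[str]:
    """Distinct source IPs from event lines whose message names Slammer."""
    hits: Set[str] = set()
    for line in lines:
        ev = parse_hips_event(line)
        if ev and "Slammer" in ev["msg"]:
            hits.add(ev["ip"])
    return hits


# --- Constructed sample input (not captured traffic) ------------------------
def sample_datagrams() -> List[Datagram]:
    worm_like = b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
    return [
        # ordinary instance lookup: 0x04 followed by a short instance name
        Datagram("203.0.113.5", SSRS_PORT, b"\x04MSSQLSERVER\x00"),
        # CLNT_BCAST_EX enumeration request: a single 0x02 byte
        Datagram("203.0.113.6", SSRS_PORT, b"\x02"),
        # worm-sized 0x04 request padded with 0x01 bytes (the worm's own padding);
        # the exploit body itself is deliberately not reproduced here
        Datagram("203.0.113.7", SSRS_PORT, worm_like),
        # the same bytes aimed at the TDS port instead of SSRS: not the signature
        Datagram("203.0.113.7", 1433, worm_like),
    ]


if __name__ == "__main__":
    for src, size in scan(sample_datagrams()):
        print(f"Slammer-like SSRS request from {src} ({size} bytes)")
    log = [
        "Time: 1/23/2012 3:59:03 PM Event: Intrusion IP Address/User: 202.56.192.195 "
        "Message: Attack type: MSSQL Resolution Service Buffer Overflow (Slammer)",
    ]
    print("HIPS reported Slammer sources:", sorted(slammer_sources(log)))
```

Two caveats a practitioner should keep in mind. A long 0x04 request is a strong but not perfect indicator, so treat a hit as something to investigate rather than proof of compromise. And detection is the consolation prize: a server patched to SQL Server 2000 SP3 or later, or one with UDP/1434 blocked at the perimeter, is simply not exploitable by this worm, which is the real answer to the patch-level question above.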