Slammer, Alive…Barely

by Jason Brimhall
Categories: News, Professional, SSC, SSSOLV
Tags: ,
Comments: 1 Comment
Published on: January 24, 2012

Slammer

By now you must have heard of the SQL Slammer worm.  It was quite an infectious little nuisance.  The harm it caused came largely due to unpatched, unprotected SQL Servers.

We are now 9 years out from the initial discovery of this worm.  The worm has made its way onto the endangered species list – but it is not yet extinct.  I don’t know if I should be surprised by that.

My initial reaction is “No way that worm is still causing problems.  Everybody knows about it.”  But yet, I just caught several infection attempts from remote hosts that were affected by Slammer.  When I take a step back, I recall that many people out there are still running on unpatched servers.  I know of many places that are running SQL 2000.  I know of a large pool of servers across different versions and editions that are not patched.  I even know of a few places that are still running SQL 6.5.

When I take all of that into account, finding that Slammer is still active does not surprise me – but it should.

So for fun, here is what I was able to trap from the recent attempts at my machine with SQL Slammer.

Time:		 1/23/2012 3:59:03 PM
Event:		 Intrusion
IP Address/User: 202.56.192.195
Message:	 Attack type: MSSQL Resolution Service Buffer Overflow (Slammer)

When I trace that IP back to its source, I get a host name of the machine.  If I search on the Host Name of the IP Address, I find this page.  If I were a hacker, I now have a lot of valuable information.  I can also assume that this particular host has many virii.

This entire little foray has made me wonder how many people out there are concerned about security.  Do you know what the patch level is of your server?  Is your AV software up to date?  Are you running any form of HIPS?  If you are in IT and your focus is Data, you may want to check those things.  After all, our focus is to protect the data.

1 Comment - Leave a comment
  1. Jason Brimhall says:
    January 24, 2012 at 16:52

    As a follow-up to this, I have monitored my logs throughout the day and continue to see various different hosts using the Slammer signature trying to invade my machine.

Leave a comment

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Calendar
January 2012
M T W T F S S
« Dec   Feb »
 1
2345678
9101112131415
16171819202122
23242526272829
3031  
Follow me on Google+
Jason Brimhall

In 253 people's circles

Add to circlesi
Content
Categories

Categories

Popular Posts

Popular Posts

Blogroll

Blogroll

Now Reading

Now Reading

Planned books:

Current books:

  • ChiRunning: A Revolutionary Approach to Effortless, Injury-Free Running

    ChiRunning: A Revolutionary Approach to Effortless, Injury-Free Running by Danny Dreyer, Katherine Dreyer

  • Advanced Marathoning – 2nd Edition

    Advanced Marathoning – 2nd Edition by Peter Pfitzinger, Scott Douglas

  • SQL Server MVP Deep Dives

    SQL Server MVP Deep Dives by Nielsen Paul, Delaney Kalen, Machanic Adam, Tripp Kimberly, Randal Paul, Low Greg

  • A World Without Heroes (Beyonders)

    A World Without Heroes (Beyonders) by Brandon Mull

Recent books:

View full Library

SQLHelp

SQLHelp


Recent Posts
  • Goals 2012 by Jason Brimhall

    As I have wanted to do each year, here is my goals post for 2012.  Last year I set out to do this very same thing but was very unsuccessful at completing the post.  Here is all I had written: Personal Family Blogging Build out my Virtual Environment Professional SSIS [...]

  • S3OLV - Get your Merge On by Jason Brimhall

    We are rapidly closing in on the February meeting for S3OLV.  You might remember reading about the upcoming meeting here. We are looking to have an excellent meeting this month.  We have had a good run on superb presentations, and Troy aims to keep us going in the right direction. [...]

  • Freedom by Jason Brimhall

    Not too long ago, I blogged about a Book called Daemon.  Freedom is the sequel to Daemon. I enjoyed reading this book.  The story continues from Daemon, but in a largely different direction.  I like the direction the book took, for the most part.  I was hoping that there would [...]

  • System Base Tables by Jason Brimhall

    On January 19th, I published a post about the Dedicated Administrator Connection.  I spoke very briefly of the system base tables in that article.  Today, I want to dive into these tables a little bit more. First, let’s get the Microsoft definition for these tables.  ”System base tables are the [...]

  • Slammer, Alive...Barely by Jason Brimhall

    Slammer By now you must have heard of the SQL Slammer worm.  It was quite an infectious little nuisance.  The harm it caused came largely due to unpatched, unprotected SQL Servers. We are now 9 years out from the initial discovery of this worm.  The worm has made its way [...]

  • S3OLV February 2012 by Jason Brimhall

    Do you recognize this person?   If you are from the Colorado Springs area, you probably do.  This is:       Troy Ketsdever (twitter) Troy will be presenting to the Las Vegas SQL User Group on February 9, 2012 @ 6:30 Pacific.  Here is his bio: Troy Ketsdever is [...]

  • S3OLV - Jan 2012 Meeting Recap by Jason Brimhall

    Last week (Jan 12, 2012), we held the user group meeting for the SQL Server Society of Las Vegas (a.k.a S3OLV or SSSOLV). Presenting at that meeting was Josh Lewis (Twitter).  Josh presented on a pretty tough topic in my opinion.  He chose to present to us the topic of [...]

  • Dedicated Administrator Connection by Jason Brimhall

    Recently you may have read my article about some hidden functions in SQL Server.  In that article you learned that those functions were in some DMOs and that you could get at them through the resource database. Today I found myself learning more about the resource database.  Due to what [...]

  • Blackout by Jason Brimhall

    What more can I say.  I disagree with the kind of legislation that is being presented via SOPA and PIPA. In support of the community, my site will be dark 18 Jan 2012 between 10:30 and 21:30 GMT-8. Normal services will return after that.   You can see support of [...]

  • A Trio of Functions by Jason Brimhall

    I found myself perusing an execution plan the other day.  I know, big surprise there.  This execution plan showed me some interesting things I had never really paid much attention to in the past.  When I started paying attention to these things, I found myself jumping down a rabbit hole. [...]

Categories
Recent Comments
  • David about Missing Indexes
    Has anyone figured out how to get this to work in a database at compatability level 80 on a 2005/2008 ...
  • jonmcrawford about S3OLV February 2012
    You know you could just call Pizza Hut and have them deliver a pizza to my door...that'd be swell of ...
  • Jason Brimhall about Missing Indexes
    @Neil - thanks for the additional script. Be careful of sp_msForeachdb. It has limitations and will throw some ...
  • Neil about Missing Indexes
    I have worked an alternative without a cursor. DECLARE @STATEMENT NVARCHAR(MAX) SET @STATEMENT = N'USE [?]'+ CHAR(13) +';' +CHAR(13) + N' SELECT SO.name , ...
  • Jason Brimhall about Slammer, Alive...Barely
    As a follow-up to this, I have monitored my logs throughout the day and continue to see various different hosts ...
  • Jason Brimhall about Missing Indexes
    Yes - that would definitely be an issue. Thanks for getting back on it.
  • david about Missing Indexes
    I found that the problem was related to the database being in compatibility mode 80. It works fine for compatibility ...
  • Jason Brimhall about Missing Indexes
    I created the script on 2008 R2. Are you using the script as is, or did you modify? ...
  • David about Missing Indexes
    does this only apply to SQL 2005? I get an error on SQL 2008 R2: Msg 102, Level 15, State ...
  • Jason Brimhall about Missing Indexes
    Yes. The higher the value, the more likely the index would be of benefit to you.
Welcome , today is Wednesday, February 22, 2012