From: Jamie Riden (jamie.riden@gmail.com)
Date: Thu Dec 21 2006 - 23:15:26 EST
On 22/12/06, Richards, Jim <jim.richards@dot.state.wi.us> wrote:
> Isn't that the admin port for sql-server
>
[resend, bounced due to nonsubcribed address]
Nearly. Slammer exploited a flaw in SQL server on 1434/udp. SQL server
also uses 1433/tcp IIRC.
"The worm targeting SQL Server computers is self-propagating malicious
code that exploits the vulnerability described in VU#484891
(CAN-2002-0649). This vulnerability allows for the execution of
arbitrary code on the SQL Server computer due to a stack buffer
overflow.
Once the worm compromises a machine, it will try to propagate itself.
The worm will craft packets of 376-bytes and send them to randomly
chosen IP addresses on port 1434/udp. If the packet is sent to a
vulnerable machine, this victim machine will become infected and will
also begin to propagate. Beyond the scanning activity for new hosts,
the current variant of this worm has no other payload." --
http://www.cert.org/advisories/CA-2003-04.html
cheers,
Jamie
-- Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com NZ Honeynet project - http://www.nz-honeynet.org/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:29 EDT