
SANS ISC: SQL Slammer activity SANS ISC InfoSec Forums

SQL Slammer activity
Has anyone else seen a large number of SQL Slammer attempts since the 28th? Using the ET emerging-sql.rules with Suricata, I've seen approx. 761,000 events since then, with the printable payload looking indeed like it should, and it seems to be working its way through addresses in our space:

....................................................................................................B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32hkernQhounthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B....=U..Qt.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<a...E...@...........).......E.j..E.P1.Qf..x.Q.E.P.E.P....
lwhitworth

2 Posts
Yes, I'm seeing the same traffic (also starting on the 28th) against my perimeters as well... mostly sourced from IPs in China.
da1212

69 Posts
Cheers for confirming I wasn't alone in seeing this activity. Appreciated.
lwhitworth

2 Posts
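
For anyone triaging the same alerts, one way to check the two observations in this thread (which sources dominate, and how much of the local space each one touches) is to group Suricata eve.json alerts on UDP/1434 by source. This is an added example, not code from either poster; the monitored prefix, the sample records and the signature text are constructed placeholders.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITORED = ip_network("192.0.2.0/24")  # assumed local address space (documentation range)

# Constructed eve.json-style alert lines; addresses are documentation ranges and
# the signature text is a placeholder, not a real rule name.
_ROWS = [
    ("198.51.100.7", "192.0.2.10", 1434), ("198.51.100.7", "192.0.2.11", 1434),
    ("198.51.100.7", "192.0.2.57", 1434), ("198.51.100.7", "192.0.2.200", 1434),
    ("203.0.113.9", "192.0.2.200", 1434), ("203.0.113.9", "192.0.2.200", 1434),
    ("203.0.113.20", "192.0.2.10", 53),  # unrelated alert, must be ignored
]
SAMPLE_EVE = "\n".join(
    json.dumps({"event_type": "alert", "proto": "UDP", "src_ip": s, "dest_ip": d,
                "dest_port": p, "alert": {"signature": "PLACEHOLDER-slammer-rule"}})
    for s, d, p in _ROWS) + "\n{truncated line\n"


def summarize(eve_text, min_targets=3):
    """Group UDP/1434 alerts by source: event count, distinct local targets,
    share of MONITORED touched, and a sweep flag (>= min_targets targets)."""
    events = defaultdict(int)
    targets = defaultdict(set)
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        if ev.get("proto") != "UDP" or ev.get("dest_port") != 1434:
            continue
        try:
            src, dst = ev["src_ip"], ip_address(ev["dest_ip"])
        except (KeyError, ValueError):
            continue  # record without usable addresses
        events[src] += 1
        if dst in MONITORED:
            targets[src].add(dst)
    return {src: {"events": n, "targets": len(targets[src]),
                  "coverage": len(targets[src]) / MONITORED.num_addresses,
                  "sweep": len(targets[src]) >= min_targets}
            for src, n in events.items()}


if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE_EVE).items(), key=lambda kv: -kv[1]["events"]):
        print(src, row)
```

A source with a high event count but one target is a repeat hitter; a source with many distinct targets is the one walking the address space.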
