Jowhatever
Level 7

SqlSlammer outbreak?

For the last week I have been having SqlSlammer errors. First, McAfee AV 8.0i flagged firepacket.cap as a virus. It no longer does, after an indication from McAfee support.

info: VSE 8.0i 4400/4477/ DF 8.5/260/101 OS/Server03/

However, Mcafee firewall still produces every single day:

EDITED REPORT:

Time: 4/23/2005 3:41:20 PM
Event: Intrusion
Address: 61.185.8.16
Message: Attack type: SqlSlammer

Time: 4/24/2005 9:04:31 AM
Event: Intrusion
Address: 61.159.15.2
Message: Attack type: SqlSlammer

Time: 4/25/2005 3:24:09 PM
Event: Intrusion
Address: 63.208.120.232
Message: Attack type: SqlSlammer

Time: 4/26/2005 10:00:45 PM
Event: Intrusion
Address: 202.97.174.226
Message: Attack type: SqlSlammer

Time: 4/27/2005 10:07:05 AM
Event: Intrusion
Address: 61.182.212.98
Message: Attack type: SqlSlammer

and so on.

McAfee support has still to get back to us to offer any solution to this problem. They indicated that the new version I am running, 8.5, may detect these as a Slammer event and produce reports. However, I am now frequently getting this error and am curious as to whether this is an escalation of SqlSlammer incidents, and whether the newer VirusScan engine (4400) also has the vulnerability the earlier one had, which may produce buffer errors reported as Slammer. Just reporting, in case someone here has a brainstorm.
0 Kudos
8 Replies
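The report quoted above is a flat list of Time/Event/Address/Message records, which makes it easy to triage before deciding whether alerts are an outbreak or noise. The following script is an added example, not code from the original thread or from McAfee: it parses a constructed report in the same layout, groups hits by source address and by day, and flags any source that is an internal (RFC 1918) address, since a Slammer hit from inside the network deserves a different response than scattered hits from the Internet. The sample addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample, laid out like the firewall report quoted in the post.
# The addresses are made up for the example.
SAMPLE_REPORT = """\
Time: 4/23/2005 3:41:20 PM
Event: Intrusion
Address: 61.185.8.16
Message: Attack type: SqlSlammer

Time: 4/24/2005 9:04:31 AM
Event: Intrusion
Address: 10.1.2.3
Message: Attack type: SqlSlammer

Time: 4/24/2005 9:05:02 AM
Event: Intrusion
Address: 61.185.8.16
Message: Attack type: SqlSlammer
"""

FIELD_RE = re.compile(r"^(Time|Event|Address|Message):\s*(.*)$")


def parse_report(text):
    """Split the report into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    for r in records:
        # Timestamps in the report are US-style 12-hour clock.
        r["when"] = datetime.strptime(r["Time"], "%m/%d/%Y %I:%M:%S %p")
        # "Attack type: SqlSlammer" -> "SqlSlammer"
        msg = r.get("Message", "")
        r["attack"] = msg.split(":", 1)[1].strip() if ":" in msg else msg
    return records


def triage(records, attack="SqlSlammer"):
    """Summarise hits for one attack type: volume, top sources, per-day counts,
    and any source that is an internal address (worth checking for infection)."""
    hits = [r for r in records if r["attack"] == attack]
    by_source = Counter(r["Address"] for r in hits)
    per_day = Counter(r["when"].date().isoformat() for r in hits)
    internal = sorted(a for a in by_source if ip_address(a).is_private)
    return {
        "total": len(hits),
        "by_source": dict(by_source),
        "per_day": dict(per_day),
        "internal_sources": internal,
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} hits; internal sources: {summary['internal_sources']}")
    for src, n in sorted(summary["by_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n}")
```

A handful of hits per day from unrelated external addresses looks like background scanning; a repeat offender, or any internal source, is what to chase down first.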
KsLT
Level 7

RE: SqlSlammer outbreak?

Update all SQL Server 2000 / MSDE installations to SP3a.
Find out the intruder's IP address and apply the patch there too.

You may download a Slammer removal tool from Symantec
http://securityresponse.symantec.com/avcenter/FixSQLex.exe

Hope it helps.
0 Kudos
jamesbutt84
Level 7

Sql Slammer - FirePacket.cap

I've got Win XP SP2 running with McAfee Enterprise Edition and keep getting the SqlSlammer virus warning. I have tried downloading different removal software but it doesn't find the program, but it must be there as there is massive slowdown with my connection and no spyware or adware found. I did a full system restore on my system to try to get rid of the thing but no success. GGGGRRRRRRRR this thing is driving me mad!!! If anyone has got any ideas they are more than welcome!!!!!

On a slightly more positive note: Happy New Year all!!!
0 Kudos
LooseCannon
Level 7

RE: SqlSlammer outbreak?

Yup! I have the same problem as above. Ironically, it is just a WinXP SP2 box without any SQL service running.
0 Kudos
Raja
Level 9

RE: SqlSlammer outbreak?

I have good and bad news about this issue...

It's a bug in the SQLSlammer NIPS signature. When a DNS query uses port 1143, the inbound packet causes the signature to trigger.

The good news is, it's fixed. The bad news is, I don't know when/how it will be released.
0 Kudos
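Raja's explanation is the classic shape of an IDS false positive: a signature keyed on the destination port alone fires whenever a legitimate reply (here a DNS answer) happens to land on a client's ephemeral port that matches the watched one. The following is an added example, not McAfee's signature logic or any code from the thread: it contrasts a port-only rule with a rule that also checks the worm's documented datagram shape (UDP to port 1434, a 376-byte payload whose first byte is 0x04, per CERT CA-2003-04) and rejects anything that is a DNS response from source port 53. Raja's post cites port 1143; the example watches 1434 because that is the port the worm actually used, and the mechanism is identical whichever port a signature keys on. The packets and addresses below are constructed for the example; the "worm-shaped" payload is just a 0x04 byte followed by zeros, not worm content.

```python
import struct
from dataclasses import dataclass

SSRS_PORT = 1434            # SQL Server Resolution Service (UDP), the worm's target port
DNS_PORT = 53
SLAMMER_PAYLOAD_LEN = 376   # Documented Slammer datagram payload length (CERT CA-2003-04)


@dataclass
class UdpDatagram:
    """Minimal view of a UDP datagram as an IDS rule would see it (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def port_only_rule(pkt):
    """Naive signature: any inbound UDP datagram to 1434 is 'Slammer'.
    This is the behaviour that misfires on DNS replies to a client whose
    ephemeral source port happened to be 1434."""
    return pkt.dport == SSRS_PORT


def looks_like_dns_response(pkt):
    """True if the datagram comes from UDP/53 and carries a DNS header with QR=1."""
    if pkt.sport != DNS_PORT or len(pkt.payload) < 12:
        return False
    flags = struct.unpack("!H", pkt.payload[2:4])[0]
    return bool(flags & 0x8000)   # QR bit: 1 = response


def content_aware_rule(pkt):
    """Require the worm's known shape rather than the port alone."""
    if pkt.dport != SSRS_PORT:
        return False
    if looks_like_dns_response(pkt):
        return False               # a DNS answer landing on port 1434 is not the worm
    return len(pkt.payload) == SLAMMER_PAYLOAD_LEN and pkt.payload[:1] == b"\x04"


def classify(pkt):
    """Label a datagram the way an analyst would want the alert to read."""
    if content_aware_rule(pkt):
        return "slammer-shaped"
    if looks_like_dns_response(pkt) and pkt.dport == SSRS_PORT:
        return "dns-reply-on-1434 (benign, port-only rule would misfire)"
    return "other"


# Constructed test traffic (RFC 5737 documentation addresses).
# A DNS answer: 12-byte header, id 0x1234, flags 0x8180 (QR=1, RD, RA), one Q, one A.
DNS_REPLY = UdpDatagram("198.51.100.53", 53, "192.0.2.10", 1434,
                        struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0))
# Worm-shaped datagram: type byte 0x04 then zeros to the documented length (not worm content).
WORM_SHAPED = UdpDatagram("203.0.113.7", 1981, "192.0.2.10", 1434,
                          b"\x04" + b"\x00" * (SLAMMER_PAYLOAD_LEN - 1))
# An ordinary SSRS "client list" ping is a single 0x02 byte.
SSRS_PING = UdpDatagram("192.0.2.20", 3000, "192.0.2.10", 1434, b"\x02")


if __name__ == "__main__":
    for name, pkt in [("DNS_REPLY", DNS_REPLY), ("WORM_SHAPED", WORM_SHAPED), ("SSRS_PING", SSRS_PING)]:
        print(f"{name:<12} port-only={port_only_rule(pkt)!s:<5} content-aware={content_aware_rule(pkt)!s:<5} -> {classify(pkt)}")
```

The defensive takeaway matches the thread: the fix belongs in the signature, not in disabling it. Until a corrected signature ships, the alert's source port and payload length are what tell a DNS reply apart from a real Slammer datagram.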
JonR
Level 7

RE: SqlSlammer outbreak?

Thanks for posting your findings, that's really interesting... I've seen slammer IDS alerts non-stop since implementing the MDF, and always assumed it was nothing more than Internet background virus traffic... most viruses never completely vanish, there will always be a few machines locked away that become infected but no admin realises.
0 Kudos
RozO
Level 7

SQL Slammer

I'm sorry for opening an old conversation but it somewhat applies. (I think)

I've installed HIPS on about 30 pilot users and two of them have received an Intrusion Attack of IPS signature MSSQL Resolution Service Buffer Overflow (Slammer), ID 3720.

One of these users has the SQL Enterprise Management tools only; the other does not. The source address has changed on both occasions and there is no application listed in the activity logs.

From what I read, this only applies to SQL Server 2000 or the MSDE, which neither machine has. Is this a false positive, or what am I looking at, and how do I stop the alert popping up for others when this goes live for the rest of the company?
0 Kudos
Firewall-Joe
Level 9

RE: SQL Slammer

Have you determined the source of the Slammer packet?
Is the source infected?
I wouldn't turn off that signature until you're sure the network isn't infected.

Joe
0 Kudos
RozO
Level 7

SQL Slammer

The source has been two different addresses, both outside of our network. Also, the destination IP that both computers report is different from the computers' real IP addresses. Makes no sense to me.
0 Kudos