Update all SQL Server 2000 / MSDE to SP3a.
Find out the intruder's IP address and apply the patch there too.
You may download a Slammer removal tool from Symantec
Hope it helps.
I've got win xp sp2 running with mcafee enterprise edition and keep getting the sqlslammer virus warning. I have tried downloading different removal software but it doesn't find the program, but it must be there as there is massive slowdown with my connection and no spyware or adware found. I did a full system restore on my system to try to get rid of the thing but no success. GGGGRRRRRRRR this thing is driving me mad!!! If anyone has got any ideas they are more than welcome!!!!!
On a slightly more positive note: Happy New Year all!!!
yup! I have the above same problem. Ironically, it is just a WinXP SP2 without any SQL service running.
I have good and bad news about this issue...
It's a bug in the SQLSlammer NIPS signature. When DNS query uses port 1143 the inbound packet causes the signature to trigger.
The good news is, it's fixed. The bad news is, I don't know when/how it will be released.
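The false positive described above comes down to how a signature decides what a Slammer packet is. As an added illustration (not McAfee's signature logic and not a real capture), the snippet below contrasts a naive first-byte match on traffic to the SQL Resolution Service port with a check that also looks at payload size and recognises a DNS reply whose transaction ID happens to start with the same byte. It assumes 1434/udp as the service port and 0x04 as the leading byte of the worm's request; all packets are constructed inline.

```python
import struct

SQL_RESOLUTION_PORT = 1434   # MS SQL Resolution Service, the port Slammer targets (assumed here)
DNS_PORT = 53
SLAMMER_OPCODE = 0x04        # leading byte of the SSRS request the worm abuses (assumed here)
SLAMMER_MIN_LEN = 300        # the worm's UDP body is a few hundred bytes; a DNS reply rarely is


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + payload) into source port, dest port, payload."""
    if len(datagram) < 8:
        raise ValueError("UDP header truncated")
    sport, dport, _length, _cksum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:]


def looks_like_dns_response(payload: bytes) -> bool:
    """True when the payload has a 12-byte DNS header with the QR (response) bit set."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)


def classify(datagram: bytes) -> str:
    """Return 'slammer', 'dns-reply-false-positive' or 'ignore' for one UDP datagram."""
    sport, dport, payload = parse_udp(datagram)
    if dport != SQL_RESOLUTION_PORT:
        return "ignore"
    # Naive rule: anything sent to 1434/udp whose first byte is 0x04 trips the alert.
    naive_hit = payload[:1] == bytes([SLAMMER_OPCODE])
    # A DNS reply from port 53 lands on whatever ephemeral port the resolver chose;
    # when that port is 1434 and the transaction ID begins 0x04.., the naive rule fires.
    if sport == DNS_PORT and looks_like_dns_response(payload):
        return "dns-reply-false-positive" if naive_hit else "ignore"
    if naive_hit and len(payload) >= SLAMMER_MIN_LEN:
        return "slammer"
    return "ignore"


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram with a zero checksum (constructed test data only)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: a worm-sized request to 1434/udp, and a DNS reply (txid 0x0412,
# flags 0x8180 = response) to a client that happened to use 1434 as its source port.
SLAMMER_LIKE = udp(1234, SQL_RESOLUTION_PORT, bytes([SLAMMER_OPCODE]) + b"\x01" * 375)
DNS_REPLY = udp(DNS_PORT, SQL_RESOLUTION_PORT,
                b"\x04\x12\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                + b"\x07example\x03com\x00\x00\x01\x00\x01")
```

Run `classify` over each sample to see the naive rule would have alerted on both datagrams while the refined rule flags only the first.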
Thanks for posting your findings, that's really interesting... I've seen slammer IDS alerts non-stop since implementing the MDF, and always assumed it was nothing more than Internet background virus traffic... most viruses never completely vanish, there will always be a few machines locked away that become infected but no admin realises.
I'm sorry for opening an old conversation but it somewhat applies. (I think)
I've installed HIPS on about 30 pilot users and two of them have received an Intrusion Attack of IPS signature MSSQL Resolution Service Buffer Overflow (Slammer), ID 3720.
One of these users has the SQL Enterprise Management tools only, the other does not. The source address has changed on both occasions and there is no application listed in the activity logs.
From what I read, this is only for Server 2000 or the MSDE, which neither have. Is this a false positive, or what am I looking at, and how do I keep the alert from popping up for others when this goes live for the rest of the company?
Have you determined the source of the Slammer packet?
Is the source infected?
I wouldn't turn off that signature until you're sure the network isn't infected.
The source has been two different addresses, both outside of our network. Also, the destination IP that both computers report is different from the computers' real IP addresses. Makes no sense to me.