8 Replies Latest reply on Aug 26, 2008 12:37 PM by RozO

    SqlSlammer outbreak?

For the last week I have been having SqlSlammer errors. First, McAfeeAV 8.0i indicated the firepacket.cap as a virus. It no longer does after indication from McAfee support.

      info: VSE 8.0i 4400/4477/ DF 8.5/260/101 OS/Server03/

However, McAfee firewall still produces every single day:


      Time: 4/23/2005 3:41:20 PM
      Event: Intrusion
      Message: Attack type: SqlSlammer

      Time: 4/24/2005 9:04:31 AM
      Event: Intrusion
      Message: Attack type: SqlSlammer

      Time: 4/25/2005 3:24:09 PM
      Event: Intrusion
      Message: Attack type: SqlSlammer

      Time: 4/26/2005 10:00:45 PM
      Event: Intrusion
      Message: Attack type: SqlSlammer

      Time: 4/27/2005 10:07:05 AM
      Event: Intrusion
      Message: Attack type: SqlSlammer

and so on.

McAfee support is still to get back with us, to offer any solution to this problem. They indicated that the new version I am running 8.5 may detect these as a slammer event and produce reports. However, I am now frequently getting this error and am curious as to whether this is an escalation of sqlslammer incidents, and whether the newer Virusscan engine(4400), also has vulnerability as the earlier one which may produce buffer error as slammers. Just reporting, in case someone here has a brainstorm.
        • 1. RE: SqlSlammer outbreak?
          Update all SQL Server 2000 / MSDE to SP3a.
          find out the intruder IP address and apply the patch too.

          You may download a Slammer removal tool from Symantec

          Hope it helps.
          • 2. Sql Slammer - FirePacket.cap
            I've got win xp sp2 running with mcafee enterprise edition and keep getting the sqlslammer virus warning. I have tried downloading different removal software but it doesn't find the program, but it must be there as there is massive slowdown with my connection and no spyware or adware found. I did a full system restore on my system to try to get rid of the thing but no success. GGGGRRRRRRRR this thing is driving me mad!!! If anyone has got any ideas they are more than welcome!!!!!

            On a slightly more positive note: Happy New Year all!!!
            • 3. RE: SqlSlammer outbreak?
yup! I have the above same problem. Ironically, it is just a WinXP SP2 without any SQL service running.
              • 4. RE: SqlSlammer outbreak?
                I have good and bad news about this issue...

                It's a bug in the SQLSlammer NIPS signature. When DNS query uses port 1143 the inbound packet causes the signature to trigger.

                The good news is, it's fixed. The bad news is, I don't know when/how it will be released.
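To make the false-positive mechanism described in this reply concrete, here is an added Python example (not code from McAfee or from anyone in the thread). It assumes the signature keys on the MS SQL Resolution Service port, UDP 1434, and that the worm datagram begins with the SSRS request byte 0x04; it runs an over-broad port-only check and a tightened payload-aware check over constructed packets, including a DNS reply returning to a client whose ephemeral port collides with the service port.

```python
from dataclasses import dataclass

# Assumptions (not from the thread): the signature watches the MS SQL
# Resolution Service port, UDP 1434; the worm's datagram starts with the
# SSRS request byte 0x04 and is a few hundred bytes long.
SQL_RESOLUTION_PORT = 1434
DNS_PORT = 53
MIN_SLAMMER_LEN = 300  # size floor; the worm datagram is well above this


@dataclass
class UdpPacket:
    label: str
    src_port: int
    dst_port: int
    payload: bytes


def naive_slammer_match(pkt: UdpPacket) -> bool:
    """Over-broad rule: fires when the SQL Resolution port is on *either*
    side, so a DNS reply to a client whose ephemeral port is 1434 trips it."""
    return SQL_RESOLUTION_PORT in (pkt.src_port, pkt.dst_port)


def strict_slammer_match(pkt: UdpPacket) -> bool:
    """Tighter rule: inbound toward the service port, plus a payload with the
    worm's request-type byte and size, not merely a port number."""
    return (pkt.dst_port == SQL_RESOLUTION_PORT
            and len(pkt.payload) >= MIN_SLAMMER_LEN
            and pkt.payload[:1] == b"\x04")


def build_dns_reply(txid: int, client_port: int) -> UdpPacket:
    """Constructed DNS response: 12-byte header (id, flags 0x8180, one
    question, one answer) followed by a question section for example.com/A."""
    header = txid.to_bytes(2, "big") + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    question = b"\x07example\x03com\x00\x00\x01\x00\x01"
    return UdpPacket("dns reply to ephemeral port", DNS_PORT, client_port, header + question)


# Constructed sample traffic; the probe only mimics the worm's size and lead byte.
SAMPLES = [
    build_dns_reply(0x1234, SQL_RESOLUTION_PORT),
    UdpPacket("ssrs browse request", 49152, SQL_RESOLUTION_PORT, b"\x02"),
    UdpPacket("slammer-shaped probe", 40001, SQL_RESOLUTION_PORT, b"\x04" + b"A" * 375),
]


def classify(packets):
    """Return {label: (naive_verdict, strict_verdict)} for each packet."""
    return {p.label: (naive_slammer_match(p), strict_slammer_match(p)) for p in packets}
```

Running `classify(SAMPLES)` shows the port-only rule flagging all three packets, while the payload-aware rule flags only the worm-shaped probe and stays quiet on the DNS reply and the one-byte SSRS browse request.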
                • 5. RE: SqlSlammer outbreak?
                  Thanks for posting your findings, that's really interesting... I've seen slammer IDS alerts non-stop since implementing the MDF, and always assumed it was nothing more than Internet background virus traffic... most viruses never completely vanish, there will always be a few machines locked away that become infected but no admin realises.
                  • 6. SQL Slammer
                    I'm sorry for opening an old conversation but it somewhat applies. (I think)

                    I've installed HIPS on about 30 pilot users and two of them have received an Intrusion Attack of IPS signature MSSQL Resolution Service Buffer Overflow (Slammer), ID 3720.

One of these users has the SQL Enterprise Management tools only, the other does not. The source address has changed on both occasions and there is no application listed in the activity logs.

                    From what I read, this is only for server 2000 or the MSDE which neither have. Is this a false positive or what am I looking at and how do I avoid the alert to pop up for others when this goes live for the rest of the company?
                    • 7. RE: SQL Slammer
Have you determined the source of the slammer packet?
                      Is the source infected?
                      I wouldn't turn off that signature until you're sure the network isn't infected.

                      • 8. SQL Slammer
                        The source has been two different addresses, both outside of our network. Also, the destination IP that both computers report are different than the computers real IP address. Makes no sense to me.