Pantek Library

Field Report: New Worm

From: <falcon(at)cybersecret.com>
Date: Thu Apr 03 2003 - 08:01:22 EST


Hello All,

This is a follow-up to my previous email. I believe this correlates with other reports that I saw earlier last night (but did not have time to read) about a possible new SQL Slammer Worm.

I am now confirming what appears to be an automated compromise of systems, possibly via SQL (3306), if my read of the traffic is correct. I have had 5 current RH8 servers with mysql 3.23.56 compromised and 1 Cobalt Raq4 server with an older version of mysql (that had allegedly been removed).

Tell-tale signs:
1) Commands like "reboot" return "cussing" errors.
2) Presence of /usr/share/locale/sk/.sk12 directory. Directory contains at least executable "sk" and touched file ".sniffer".
3) Infection traffic appears to be propagating over port 3306. I haven't baselined this network, so that's my first inclination, though I also see some IPX traffic out there which doesn't belong. The main reason I suspect a sql/mysql connection is because those servers running mysql appear to be the ones infected.

PLEASE NOTE: chkrootkit DOES NOT DETECT this infection!

I'll be happy to pull samples for anybody interested. There doesn't appear to be anything in the logs. I'm in the process of imaging a couple disks for later review before I low-level and reinstall. Would be nice to find a "fix" for this latest bug, however, before I get too far along with a rebuild.

cheers,

-ben
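A sweep for the host indicators listed in the report (the .sk12 directory, the sk executable and the .sniffer marker) plus a look at TCP sockets on 3306, as an added example; this is not the poster's tooling and nothing here comes from the original message beyond the indicator names. The file name sk12_check.sh, the function names and the ROOT argument are this example's own choices. Pointing ROOT at a mounted disk image (such as the ones being taken before the rebuild) checks the filesystem without trusting the compromised host's kernel, which matters given that chkrootkit on the live box reported nothing.

```shell
#!/bin/sh
# Sweep for the host indicators described in the report above.
# Added example, not the poster's tooling. Run it against a mounted disk
# image (pass the mount point as ROOT) so a kernel-resident rootkit on the
# live host cannot hide the directory from the check.

# Indicator names taken from the report; the variable names are this
# example's own.
SK12_DIR="usr/share/locale/sk/.sk12"
SK12_EXE="sk"
SK12_MARK=".sniffer"

# check_sk12 [ROOT]: print each indicator found beneath ROOT (default /).
# Returns 0 if any indicator is present, 1 if none is.
check_sk12() {
    root="${1:-/}"
    root="${root%/}"            # drop a trailing slash so paths join cleanly
    dir="$root/$SK12_DIR"
    hits=0
    if [ -d "$dir" ]; then
        echo "HIT: $dir exists"
        hits=$((hits + 1))
        if [ -f "$dir/$SK12_EXE" ]; then
            # GNU stat only; elsewhere the mode is reported as '?'
            mode=$(stat -c %a "$dir/$SK12_EXE" 2>/dev/null || echo '?')
            echo "HIT: $dir/$SK12_EXE present (mode $mode)"
            hits=$((hits + 1))
        fi
        if [ -e "$dir/$SK12_MARK" ]; then
            echo "HIT: $dir/$SK12_MARK present"
            hits=$((hits + 1))
        fi
        # Anything else dropped alongside sk is evidence worth preserving.
        ls -la "$dir" 2>/dev/null
    fi
    [ "$hits" -gt 0 ]
}

# mysql_sockets: live-host only. Lists TCP sockets on 3306, the port the
# report suspects for propagation. A rootkit can hide sockets from the host
# too, so confirm against a capture taken from another machine on the segment.
mysql_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -tan 2>/dev/null | awk 'NR > 1 && ($4 ~ /:3306$/ || $5 ~ /:3306$/)'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tan 2>/dev/null | awk '$4 ~ /:3306$/ || $5 ~ /:3306$/'
    else
        echo "neither ss nor netstat found" >&2
        return 2
    fi
}

# Invoked as a script (sh sk12_check.sh /mnt/evidence) it runs the sweep;
# sourced into another shell it only defines the functions.
case "$0" in
    *sk12_check.sh) check_sk12 "$@" ;;
esac
```

Two practical notes. First, an indicator-specific check like this is only as good as the file names it knows; a variant that drops its files elsewhere will pass it, so treat a clean result on a box that shows the "reboot" symptom as inconclusive rather than reassuring. Second, on a Red Hat host the "reboot" errors can be followed up with `rpm -Vf /sbin/reboot`, which verifies the package that owns that binary against the RPM database; run it from a rescue boot or against the mounted image, since a trojaned rpm on the live system cannot be trusted either.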



Received on Thu Apr 3 19:39:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT

