Whilst i was online in this forum an attack which was stopped by my firewall occured, the attack came from:IP: 67.174.56.109
DNS: c-67-174-56-109.client.comcast.net
More information on this attack is as follows:
The SQL Slammer worm, also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern, propagates by exploiting a buffer overflow vulnerability in the Resolution Service in Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000 installations. The main function of the Slammer worm is to continue propagation. No Distributed Denial of Service (DDoS) or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, which is used as a seed for a random IP address routine. This routine then continuously sends 376 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. The Slammer worm does not prefer to scan local subnet addresses like the Nimda worm. This will limit the speed of propagation across local networks, but this scanning method generates large amounts of traffic that can overwhelm networks.
The Slammer worm seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory. For more information refer to Internet Security Systems Security Alert, January 25, 2003. See References.
Note: The Slammer worm may also affect Cisco CallManager version 3.3(x), Cisco Unity versions 3.x and 4.x, and Cisco Building Broadband Service Manager versions 5.0 and 5.1, which incorporate the use of either SQL Server 2000 or MSDE 2000.
Although it doesn't sound too dangerous, I would say
if this server is infected by this worm/virus then i'd advise all contributors/diy'ers to virus check their systems asap.
I felt this was a serious enough event to warrant a repeat in a post on it's own.
DNS: c-67-174-56-109.client.comcast.net
More information on this attack is as follows:
The SQL Slammer worm, also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern, propagates by exploiting a buffer overflow vulnerability in the Resolution Service in Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000 installations. The main function of the Slammer worm is to continue propagation. No Distributed Denial of Service (DDoS) or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.
The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, which is used as a seed for a random IP address routine. This routine then continuously sends 376 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. The Slammer worm does not prefer to scan local subnet addresses like the Nimda worm. This will limit the speed of propagation across local networks, but this scanning method generates large amounts of traffic that can overwhelm networks.
The Slammer worm seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory. For more information refer to Internet Security Systems Security Alert, January 25, 2003. See References.
Note: The Slammer worm may also affect Cisco CallManager version 3.3(x), Cisco Unity versions 3.x and 4.x, and Cisco Building Broadband Service Manager versions 5.0 and 5.1, which incorporate the use of either SQL Server 2000 or MSDE 2000.
Although it doesn't sound too dangerous, I would say
if this server is infected by this worm/virus then i'd advise all contributors/diy'ers to virus check their systems asap.
I felt this was a serious enough event to warrant a repeat in a post on it's own.