
Re: Large, constant incoming traffic



On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
> 
> Mmmmm, I don't know what machine 217.77.34.162 is, but I wouldn't be 
> surprised if it sits in the same server room as my box... Does this 
> tell you anything?

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers
listen there), consists of single packets that are 376 bytes in size and causes
much traffic.
Seems like the machine at 217.77.34.162 is infected, so not much you can do
to stop this packet flood. You may try to contact the server admin and convince
him to reboot and patch the MS-SQL server. Or ask your provider to block
incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_99992.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159


HTH,
Michel
-- 
Michel Messerschmidt           lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
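
The signature described in the reply above (single UDP packets of 376 bytes to port 1434, sent to many addresses) can be checked mechanically against a tcpdump capture. This is an added example, not part of the original message; the function name, the `min_targets` threshold and every sample line after the first two are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump line: time src.port > dst.port:  udp <length>
# An optional leading "> " (mail quoting) is tolerated.
LINE_RE = re.compile(
    r"^(?:>\s*)?(\d\d):(\d\d):(\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):\s+udp (\d+)"
)
SLAMMER_PORT = 1434  # MS-SQL UDP port named in the reply
SLAMMER_SIZE = 376   # packet size named in the reply


def find_slammer_sources(lines, min_targets=2):
    """Return {src_ip: stats} for hosts sending 376-byte UDP packets to
    port 1434 at min_targets or more distinct destinations."""
    hits = defaultdict(
        lambda: {"packets": 0, "targets": set(), "first": None, "last": None}
    )
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP line in this format
        hh, mm, ss, src, _sport, dst, dport, size = m.groups()
        if int(dport) != SLAMMER_PORT or int(size) != SLAMMER_SIZE:
            continue
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        s = hits[src]
        s["packets"] += 1
        s["targets"].add(dst)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return {src: s for src, s in hits.items() if len(s["targets"]) >= min_targets}


# First two lines come from the quoted capture; the last two are constructed
# non-matching traffic (wrong size, wrong port) using documentation addresses.
SAMPLE = """\
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
19:41:32.300100 192.0.2.10.53211 > 198.51.100.5.1434:  udp 24
19:41:32.410200 192.0.2.20.40000 > 198.51.100.7.53:  udp 376
""".splitlines()

if __name__ == "__main__":
    for src, s in find_slammer_sources(SAMPLE).items():
        span = s["last"] - s["first"]
        print(f"{src}: {s['packets']} packets, {len(s['targets'])} targets, {span:.3f}s")
```

Requiring several distinct destinations per source separates the scanning pattern from an ordinary client that happens to send one 376-byte datagram to a single SQL server.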


