> I'm at a DARPA meeting this week. An airforce guy from AFCERT claimed
> that they saw & reported it first, about 5 minutes ahead of Symantec.
> Symantec is giving it the catchy name W32.SQLExp.Worm
> so I can see why people are calling it "slammer" :)

I read (and my ISS associates tell me) that ISS reported it first. The first story I read about it, Saturday morning, cited the ISS alert. However, eEye claimed to have been tracking it from Friday night. I never heard a peep from Symantec until Sunday.

I can see it now:

Survivor: Bugtraq
Outreport, Outhack, Out-Press Release!

> Fitting the entire exploit into a single UDP datagram is definitely a
> cute hack. Allegedly the thing swamped the Internet in 4 minutes, posing
> a serious threat to the idea of coordinated response to worms, and
> validating Paxson & Staniford's Warhol Worm conjecture
> <http://www.cs.berkeley.edu/%7Enweaver/warhol.html>

Yeah, it was a crafty little bugger. It was so damn small it slipped through a lot of IDSs as well. The Snort lists had sigs out pretty fast. I saw the first Snort sig at like 11:00 am on Saturday.

I tried to put up an unpatched SQL box on Sunday to see how different IDSs would report it. But my ISP had already filtered it out. Damn them!

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 23:55:54 PST