Hello All,

This is a follow-up to my previous email. I believe this correlates with other reports that I saw earlier last night (but did not have time to read) about a possible new SQL Slammer Worm.

I am now confirming what appears to be an automated compromise of systems, possibly via SQL (3306), if my read is correct on traffic. I have had 5 current RH8 servers with mysql 3.23.56 compromised and 1 Cobalt Raq4 server with an older version of mysql (that had allegedly been removed).

Tell-tale signs:

1) Commands like "reboot" return "cussing" errors.

2) Presence of /usr/share/locale/sk/.sk12 directory. Directory contains at least executable "sk" and touched file ".sniffer".

3) Infection traffic appears to be propagating over port 3306. I haven't baselined this network, so that's my first inclination, though I also see some IPX traffic out there which doesn't belong. The main reason I suspect a sql/mysql connection is because those servers running mysql appear to be the ones infected.

PLEASE NOTE: chkrootkit DOES NOT DETECT this infection!

I'll be happy to pull samples for anybody interested. There doesn't appear to be anything in the logs. I'm in the process of imaging a couple disks for later review before I low-level and reinstall. Would be nice to find a "fix" for this latest bug, however, before I get too far along with a rebuild.

cheers,
-ben
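The host-based indicators in the post (the hidden .sk12 directory under /usr/share/locale/sk, the "sk" executable and the ".sniffer" file) can be checked with a short script. The one below is an added example, not something from the original post or from any tool it mentions; it takes a filesystem root as its argument so it can be pointed at a disk image mounted read-only from a clean system (the route the poster is taking), since a check run from the compromised host itself can be lied to by a rootkit that hides its own files, which would also explain why chkrootkit reports nothing. The script also lists any other hidden entries under /usr/share/locale, an assumption on my part that a locale tree normally contains none; the .sk12 path and file names come straight from the post.

```shell
#!/bin/sh
# Added example (not from the original post): look for the indicators the mail
# reports, on a live system or under a mounted disk image.
#
# Usage:  sh check_sk.sh [ROOT]      ROOT defaults to / (e.g. /mnt/image)
# Exit status: 0 = nothing found, 1 = at least one indicator present.

check_sk_indicators() {
    root="${1:-/}"
    root="${root%/}"                       # drop a trailing slash so paths join cleanly
    dir="$root/usr/share/locale/sk/.sk12"  # directory named in the post
    hits=0

    if [ -d "$dir" ]; then
        echo "HIT: hidden directory $dir"
        hits=$((hits + 1))
        # The two files the post says the directory holds.
        if [ -e "$dir/sk" ]; then
            echo "HIT: file $dir/sk"
            hits=$((hits + 1))
        fi
        if [ -e "$dir/.sniffer" ]; then
            echo "HIT: file $dir/.sniffer"
            hits=$((hits + 1))
        fi
    fi

    # Assumption: a normal locale tree has no dot-files or dot-directories at all,
    # so any other hidden entry under it deserves a look (a renamed variant, say).
    if [ -d "$root/usr/share/locale" ]; then
        others=$(find "$root/usr/share/locale" -name '.*' 2>/dev/null \
                 | grep -vF "$dir" | wc -l | tr -d ' ')
        if [ "$others" -gt 0 ]; then
            echo "HIT: $others other hidden entr(y/ies) under $root/usr/share/locale:"
            find "$root/usr/share/locale" -name '.*' 2>/dev/null | grep -vF "$dir"
            hits=$((hits + others))
        fi
    fi

    if [ "$hits" -eq 0 ]; then
        echo "clean: no known indicators under $root"
        return 0
    fi
    echo "$hits indicator(s) found under $root"
    return 1
}

# Run the check when a root path is given on the command line; with no
# argument the file only defines the function, so it can be sourced.
if [ $# -gt 0 ]; then
    check_sk_indicators "$1"
fi
```

Mount the image read-only (and with nodev/noexec) before scanning it, and treat a clean result as "these particular names are absent", not as proof the box is clean: the poster's other indicator, a trojaned "reboot", is a binary-integrity question better answered by comparing package checksums against a known-good copy than by this script.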
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:36:02 PST