[cobalt-users] WORM PROPAGATION at port 1433/1434
- Subject: [cobalt-users] WORM PROPAGATION at port 1433/1434
- From: Swapana Ghosh <swapana_ghosh@xxxxxxxxx>
- Date: Tue Nov 18 17:21:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
Our server is a Cobalt RaQ4r. We have installed *snort* on the server. But
today the load suddenly started to increase and we found too many *httpd*
processes running. The load went too high. Finally we were able to stop httpd.
Then we stopped *snort*. The load came down and luckily we were able to save
the server from crashing.
We found the following messages in the *snort* log file. It is an attempt
at /WORM PROPAGATION/. How can we protect our server? We did not keep
ports 1434/1433 open on our server. Basically we are not using these ports at
all.
Could anyone suggest how we could start snort so that the system is not
affected by load because of snort? What we feel is that the load went too
high due to too much traffic. Do you think the load went high because snort
was detecting the messages?
____________________________________________________________________________
[**] [1:499:3] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/18-11:43:53.123380 xxx.xxx.xx.aa -> 62.254.183.161
ICMP TTL:255 TOS:0x0 ID:54552 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
[Xref => http://www.whitehats.com/info/IDS246]
[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
11/18-11:46:12.287134 81.137.197.188:4010 -> xxx.xxx.xx.bb:1434
UDP TTL:103 TOS:0x0 ID:22956 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]
________________________________________________________________________
Thanks in advance....
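An added example, not part of the original post: a small Python parser for the Snort full-alert text shown in the message. It tallies alerts by signature ID, protocol and destination port so that a burst like the one described can be sized from the log file. The function names are hypothetical, and the sample input is the two alerts from the post with addresses masked as posted (Xref lines omitted).

```python
import re
from collections import Counter

# The two alerts from the post; addresses are masked exactly as posted.
SAMPLE = """\
[**] [1:499:3] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
11/18-11:43:53.123380 xxx.xxx.xx.aa -> 62.254.183.161
ICMP TTL:255 TOS:0x0 ID:54552 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
11/18-11:46:12.287134 81.137.197.188:4010 -> xxx.xxx.xx.bb:1434
UDP TTL:103 TOS:0x0 ID:22956 IpLen:20 DgmLen:404
Len: 376
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO = re.compile(r"^(\w+) TTL:\d+ .*DgmLen:(\d+)")

def split_endpoint(ep):
    """Split 'host:port'; ICMP endpoints carry no port, so port is None."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None

def parse_alerts(text):
    """Return one dict per alert block; lines before the first header are skipped."""
    alerts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue
        elif m := FLOW.match(line):
            cur["time"] = m[1]
            cur["src"], cur["sport"] = split_endpoint(m[2])
            cur["dst"], cur["dport"] = split_endpoint(m[3])
        elif m := PROTO.match(line):
            cur["proto"], cur["dgmlen"] = m[1], int(m[2])
    return alerts

def summarize(alerts):
    """Count alerts per (sid, message, protocol, destination port)."""
    return Counter((a["sid"], a["msg"], a.get("proto"), a.get("dport")) for a in alerts)
```

Running `summarize(parse_alerts(open(path).read()))` over the real alert file gives the volume per signature and port, which is the figure to compare against the time the load rose.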