Signature Detail

Short Name	SMTP:MSSQL-WORM-EMAIL
Severity	Critical
Recommended	No
Recommended Action	Drop
Category	SMTP
Release Date	2003/04/22
Update Number	1213
Supported Platforms	di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SMTP: MS-SQL Worm Email

This signature detects attempts to send an e-mail to ixltd@postone.com. This can indicate the presence of SQLsnake, a MSSQL worm. SQLsnake infects Microsoft SQL Servers that have SA (administrative) accounts without passwords. The worm sends a password list and other system information through email to ixltd@postone.com, then begins scanning for vulnerable hosts listening on TCP/1433.

Extended Description

SQLsnake is a worm that infects vulnerable Microsoft SQL Servers. It takes advantage of weak SQL server passwords to propagate. The worm e-mails the system user and SQL Server data to ixtld@postone.com.

References

URL: http://www.giac.org/practical/GSEC/Cecelia_Walton_GSEC.pdf
URL: http://www.securityfocus.com/news/429
URL: http://research.eeye.com/html/advisories/published/AL20020522.html

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Release Date

Update Number

Supported Platforms

SMTP: MS-SQL Worm Email

Extended Description

References