[55231] in North American Network Operators' Group
How to find the first occurrence of the worm.
daemon@ATHENA.MIT.EDU (Ray Burkholder)
Sat Jan 25 21:14:55 2003
Date: Sat, 25 Jan 2003 16:13:00 -0500
From: "Ray Burkholder" <ray@oneunified.net>
To: <nanog@nanog.org>
Errors-To: owner-nanog-outgoing@merit.edu
Ray Burkholder
-----Original Message-----
From: McDonald, Dan [mailto:Dan.McDonald@austinenergy.com]
Sent: January 25, 2003 17:05
To: 'flow-tools@splintered.net'
Subject: [flow-tools] w32.sqlexp.worm
In case anyone needs it, here is the flow-tools nfilter that I've found to match the worm that hit us...
# UDP port 1434: MS SQL Server Resolution Service, the port the worm targets
filter-primitive mssql
  type ip-port
  permit 1434
  default deny

# 404 octets = 376-byte worm payload + 8-byte UDP header + 20-byte IP header
filter-primitive wormsize
  type counter
  permit eq 404
  default deny

filter theworm
  match src-ip-port mssql
  match octets wormsize
That, with a flow-print -f 5, gave me the time of the first infection...
Daniel J McDonald, CCIE #2495, CNX
Lan/Wan Integrator
Austin Energy
1.512.322.6739
dan.mcdonald@austinenergy.com
_______________________________________________
flow-tools@splintered.net
http://www.splintered.net/sw/flow-tools
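The same search done in Python, as an added example (not code from the post or from the flow-tools project): it reproduces the posted flow-nfilter predicate (source port 1434, exactly 404 octets) over text flow records and reads off the earliest start time, which is what the poster did with flow-print -f 5. The column layout, the sample records, and the added UDP protocol check are assumptions; real flow-print or flow-export output will need the field order adjusted. The relaxed mode goes one step beyond the post: because NetFlow sums octets across all packets in a flow, a record holding two identical worm datagrams carries 808 octets and slips past an exact `eq 404` test, so the relaxed predicate accepts any flow whose octet count is 404 per packet.

```python
"""Find the earliest flow matching the w32.sqlexp.worm profile in flow-tools
style text output.  Added example, not the original post's code.

The assumed record layout (whitespace separated) is:
    start end srcaddr srcport dstaddr dstport proto packets octets
Adjust FIELDS to the flow-print / flow-export format actually in use.
"""
from datetime import datetime
from typing import Dict, List, Optional

SQLEXP_PORT = 1434     # MS SQL Server Resolution Service (UDP), the worm's port
SQLEXP_OCTETS = 404    # 376-byte payload + 8-byte UDP header + 20-byte IPv4 header
PROTO_UDP = 17

# Constructed sample records (not real traffic).  The third line is benign
# DNS; the last is a two-packet flow carrying 2 x 404 octets, which the
# strict `eq 404` predicate misses.
SAMPLE_FLOWS = """\
2003-01-25T05:29:40 2003-01-25T05:29:40 192.0.2.10 1434 198.51.100.7 1434 17 1 404
2003-01-25T05:31:02 2003-01-25T05:31:02 192.0.2.10 1434 203.0.113.9 1434 17 1 404
2003-01-25T05:28:55 2003-01-25T05:28:55 192.0.2.44 53 198.51.100.2 53 17 1 96
2003-01-25T05:30:11 2003-01-25T05:30:14 192.0.2.10 1434 198.51.100.9 1434 17 2 808
"""

FIELDS = ("start", "end", "srcaddr", "srcport", "dstaddr", "dstport",
          "proto", "packets", "octets")
INT_FIELDS = {"srcport", "dstport", "proto", "packets", "octets"}


def parse_flow_records(text: str) -> List[Dict]:
    """Parse one flow per line into a dict; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["end"] = datetime.fromisoformat(rec["end"])
        records.append(rec)
    return records


def is_sqlexp_flow(rec: Dict, strict: bool = True) -> bool:
    """The posted filter: source port 1434 and exactly 404 octets.

    strict=False also accepts flows whose octets are exactly 404 per packet,
    i.e. several identical worm datagrams folded into one flow record.
    The UDP check is an added tightening; the posted filter had none.
    """
    if rec["proto"] != PROTO_UDP or rec["srcport"] != SQLEXP_PORT:
        return False
    if strict:
        return rec["octets"] == SQLEXP_OCTETS
    return rec["packets"] > 0 and rec["octets"] == SQLEXP_OCTETS * rec["packets"]


def first_occurrence(records: List[Dict], strict: bool = True) -> Optional[Dict]:
    """Earliest-starting flow that matches, or None: the time of first infection."""
    matches = [r for r in records if is_sqlexp_flow(r, strict)]
    return min(matches, key=lambda r: r["start"]) if matches else None


def first_seen_per_source(records: List[Dict], strict: bool = True) -> Dict[str, datetime]:
    """Earliest matching start time per source address, i.e. the infection order."""
    seen: Dict[str, datetime] = {}
    for r in records:
        if is_sqlexp_flow(r, strict):
            src = r["srcaddr"]
            if src not in seen or r["start"] < seen[src]:
                seen[src] = r["start"]
    return seen


if __name__ == "__main__":
    recs = parse_flow_records(SAMPLE_FLOWS)
    hit = first_occurrence(recs)
    if hit:
        print("first matching flow:", hit["start"].isoformat(), hit["srcaddr"])
    for src, ts in sorted(first_seen_per_source(recs, strict=False).items(),
                          key=lambda kv: kv[1]):
        print(f"{ts.isoformat()}  {src}")
```

Feed it real data by piping flow-print output through a small conversion to the assumed column order, or by editing FIELDS to match the format; the per-source table is the useful artefact for incident response, since it orders internal hosts by when they first started emitting worm-sized datagrams.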