The Microsoft Database Engine (MSDE) and embedded MS SQL Server 2000 buffer overflow vulnerability & attack of 01/24-25/2003
Quotes from the note which I found especially interesting:
[3] Better patch management would not have solved this
The moral of these quotes, I think, is that if you have any of the MSDE-enabled software packages on your machine (e.g. Visio), and are not protected by a personal firewall, your machine could be, and probably was, recruited into this assault on the Internet.
Every news article quotes an "expert" who says something about how we need to keep up with patches better.
If 100% of SQL Server 2000 systems had been patched by system administrators, the situation would not have changed one bit. I probed port 1433/tcp on attacking hosts and got a lot more RSTs than SYNACKs. This means that most hosts were infected by MSDE, not MSSQL. MSDE is "Microsoft Database Embedded", and is embedded within desktop products like Visio, network infrastructure systems from companies like Cisco, and in server applications such as McAfee's virus manager. These aren't unusual: MSDE is being included in thousands of desktop, infrastructure, and server software packages.
Patching all SQL Server would still miss MSDE.
. . .
The main problem here is not patches but hardening. Port 1434 was unnecessary to almost everyone. When application vendors embedded MSDE, why didn't they close down port 1434? Most importantly, my FIRST and LAST step in hardening a system is looking at 'netstat' and closing down ports I don't need. My personal website http://www.robertgraham.com/ has been running on an unpatched Windows system for 5 years with no problems. I don't need to bother patching it because I have hardened it. Patches solve the "known" vulnerabilities; hardening solves the vulnerabilities that are there, but haven't been discovered yet.
. . .
Most victims were infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties. You might have MSDE on your desktop right now. News articles comparing this to CodeRed have mentioned that most victims were corporate servers. This is wrong: CodeRed infected primarily desktops from people who didn't know that the "personal" version of IIS was installed; this worm infected primarily people who didn't know that MSDE was installed.
The problem had little to do with normal SQL Server 2000 installations.
Anti-virus software is irrelevant to the prevention of this infection. From the F-Secure web page:
The worm only spreads as an in-memory process: it never writes itself to the hard drive. In this sense it is similar to the Code Red from July 2001. As the worm does not infect any files, an infected machine can be cleaned by simply rebooting the machine. However, a machine running MSDE will soon get reinfected if the machine is connected to the network without a proper firewall to protect it.
For a master list for MSDE apps, see http://www.microsoft.com/technet/security/MSDEapps.asp
In addition to making sure that machines are protected by firewalls, MSDE/MS SQL server facilities, including those on home and office client machines, should be disabled or removed unless necessary to the user. If it is not feasible to disable or remove MSDE and MS SQL then it is necessary to apply the patch that eliminates the buffer overflow vulnerability in the software. (See the Microsoft link below.)
Top Slammer Links from www.grc.com
http://grc.com/worms/25-01-03.htm
http://www.eeye.com/html/Research/Flash/AL20030125.html
http://www.techie.hopto.org/sqlworm.html
If I had not been running the Zone Alarm personal firewall, and did not have MSDE disabled on my machine, I would have been infected, and my machine would have become a source of infection for other machines.
This vulnerability has been known for more than 6 months; in fact, I believe patches to prevent the exploitation of the vulnerability have been available for that long. In July, 2002 a well-known security expert predicted that an attack exploiting this vulnerability would be the 'next big thing' in internet security breaches. Six months might seem fair enough warning, but see Robert Graham's note, cited above.
The experts and advisories cited below did NOT anticipate the role of MSDE in the attack.
http://www.nextgenss.com/advisories/mssql-udp.txt
http://www.searchdatabase.com/qna/0,289202,sid13_gci841576,00.html
(more links at the bottom)
Probes of particular interest to me are in color.
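A log like the one recorded for this page (inbound FWIN entries aimed at UDP port 1434) can be separated mechanically into background probes and the start of the outbreak. The Python below is an added example, not part of the original page: it assumes whitespace-separated records in the order type, date, time, UTC offset, source, destination, transport; the sample records are constructed with documentation-range addresses; and the three-probes-per-hour threshold is an arbitrary choice.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not the page's log): addresses come from the RFC 5737
# documentation ranges. One record is wrapped across lines on purpose.
SAMPLE_LOG = """\
FWIN 2003/01/10 2:14:09 AM -8:00 GMT 198.51.100.7:2440 192.0.2.10:1434 UDP
FWIN 2003/01/19 6:02:41 AM -8:00 GMT 198.51.100.23:1702 192.0.2.10:1434 UDP
FWIN 2003/01/24 8:05:00 PM -8:00 GMT 203.0.113.4:3321 192.0.2.10:137 UDP
FWIN 2003/01/24 9:31:12 PM -8:00 GMT 203.0.113.5:1036 192.0.2.10:1434 UDP
FWIN 2003/01/24
9:33:40 PM -8:00 GMT 203.0.113.18:1494
192.0.2.10:1434 UDP
FWIN 2003/01/24 9:36:02 PM -8:00 GMT 198.51.100.77:3478 192.0.2.10:1434 UDP
FWIN 2003/01/24 9:41:55 PM -8:00 GMT 203.0.113.5:1036 192.0.2.10:1434 UDP
FWIN 2003/01/24 10:02:17 PM -8:00 GMT 198.51.100.140:2219 192.0.2.10:1434 UDP
FWIN 2003/01/24 10:05:30 PM -8:00 GMT 203.0.113.60:4100 192.0.2.10:1433 TCP
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Fields are separated by any whitespace, so wrapped records still match.
RECORD = re.compile(
    r"FWIN\s+(?P<date>\d{4}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+[+-]\d{1,2}:\d{2}\s+GMT\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+"
    rf"(?P<dst>{IPV4}):(?P<dport>\d+)\s+(?P<proto>[A-Za-z]+)"
)


def parse_records(text):
    """Return every inbound (FWIN) record found in the text as a dict."""
    records = []
    for m in RECORD.finditer(text):
        stamp = " ".join(f"{m['date']} {m['time']}".split())
        records.append({
            # Local time exactly as logged; the UTC offset is not applied.
            "when": datetime.strptime(stamp, "%Y/%m/%d %I:%M:%S %p"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].upper(),
        })
    return records


def udp1434_probes(records):
    """Keep only traffic aimed at UDP 1434, the port the page discusses."""
    return [r for r in records if r["proto"] == "UDP" and r["dport"] == 1434]


def hour_of(record):
    return record["when"].replace(minute=0, second=0)


def burst_start(probes, min_per_hour=3):
    """Time of the first probe in the earliest hour with >= min_per_hour hits."""
    counts = Counter(hour_of(p) for p in probes)
    busy = [h for h, n in counts.items() if n >= min_per_hour]
    if not busy:
        return None
    first = min(busy)
    return min(p["when"] for p in probes if hour_of(p) == first)


def summarize(text, min_per_hour=3):
    probes = udp1434_probes(parse_records(text))
    start = burst_start(probes, min_per_hour)
    per_source = Counter(p["src"] for p in probes)
    return {
        "probes": len(probes),
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(s for s, n in per_source.items() if n > 1),
        "burst_start": start,
        # Probes seen before the burst: background scanning, not the outbreak.
        "background": sum(1 for p in probes if start is None or p["when"] < start),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high ratio of distinct sources to probes, as in the sample, is what random-address scanning by many infected hosts looks like from a single target.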
http://www.microsoft.com/security/slammer.asp
http://www.techtv.com/news/security/story/0,24195,3415704,00.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
http://www.counterpane.com/alert-v20020730001.html