"Slammer, aka Sapphire"

The Microsoft Database Engine (MSDE) and embedded MS SQL Server 2000 buffer overflow vulnerability & attack of 01/24-25/2003



The best analysis of this denial of service (DoS) attack on the Internet I have seen, as of January 29, is to be found at
http://www.robertgraham.com/journal/030126-sqlslammer.html
Robert Graham's entire note is well worth reading.

Quotes from the note which I found especially interesting:

[3] Better patch management would not have solved this

Every news article quotes an "expert" who says something about how we need to keep up with patches better.

If 100% of SQL Server 2000 systems had been patched by system administrators, the situation would not have changed one bit. I probed port 1433/tcp on attacking hosts and got a lot more RSTs than SYNACKs. This means that most hosts were infected by MSDE, not MSSQL. MSDE is "Microsoft Database Embedded", and is embedded within desktop products like Visio, network infrastructure systems from companies like Cisco, and in server applications such as McAfee's virus manager. These aren't unusual: MSDE is being included in thousands of desktop, infrastructure, and server software packages.

Patching all SQL Server would still miss MSDE.

. . .

The main problem here is not patches but hardening. Port 1434 was unnecessary to almost everyone. When application vendors embedded MSDE, why didn't they close down port 1434? Most importantly, my FIRST and LAST step in hardening a system is looking at 'netstat' and closing down ports I don't need. My personal website http://www.robertgraham.com/ has been running on an unpatched Windows system for 5 years with no problems. I don't need to bother patching it because I have hardened it. Patches solve the "known" vulnerabilities, hardening solves the vulnerabilities that are there, but haven't been discovered yet.

. . .

Most victims were infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties. You might have MSDE on your desktop right now. News articles comparing this to CodeRed have mentioned that most victims were corporate servers. This is wrong: CodeRed infected primarily desktops from people who didn't know that the "personal" version of IIS was installed; this worm infected primarily people who didn't know that MSDE was installed.

The problem had little to do with normal SQL Server 2000 installations.

The moral of these quotes, I think, is that if you have any of the MSDE-enabled software packages on your machine (e.g. Visio), and are not protected by a personal firewall, your machine could be, and probably was, recruited into this assault on the Internet.

Anti-virus software is irrelevant to the prevention of this infection. From the F-Secure web page:

The worm only spreads as an in-memory process: it never writes itself to the hard drive. In this sense it is similar to the Code Red from July 2001. As the worm does not infect any files, an infected machine can be cleaned by simply rebooting the machine. However, a machine running MSDE will soon get reinfected if the machine is connected to the network without a proper firewall to protect it.

For a master list for MSDE apps, see http://www.microsoft.com/technet/security/MSDEapps.asp

In addition to making sure that machines are protected by firewalls, MSDE/MS SQL Server facilities, including those on home and office client machines, should be disabled or removed unless the user actually needs them. If it is not feasible to disable or remove MSDE and MS SQL Server, then it is necessary to apply the patch that eliminates the buffer overflow vulnerability in the software. (See the Microsoft link below.)
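Graham's netstat step, quoted above, can be scripted as a listener audit that flags the two SQL Server ports this page discusses. This Python is an added example, not from the original page or from Graham's note; it assumes Windows `netstat -an` output, and the sample output, the allowlist and the function names are constructed for illustration.

```python
# Ports named on this page, with a label for the report.
SQL_PORTS = {
    ("TCP", 1433): "SQL Server / MSDE default instance",
    ("UDP", 1434): "SQL Server Resolution Service, the port Slammer targets",
}

# Constructed sample of `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1045        198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1900         *:*
"""


def listeners(netstat_text):
    """Return (proto, local_address, port) for every listening socket."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a State column; UDP rows have none and always listen.
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue
        address, _, port = local.rpartition(":")
        if port.isdigit():
            found.append((proto, address, int(port)))
    return found


def audit(netstat_text, needed):
    """List network-reachable listeners that are not in the `needed` allowlist."""
    findings = []
    for proto, address, port in listeners(netstat_text):
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback-only sockets are not reachable from the network
        if (proto, port) in needed:
            continue
        label = SQL_PORTS.get((proto, port), "unexpected listener")
        findings.append((proto, port, label))
    return sorted(findings)


def slammer_exposed(findings):
    """True when UDP 1434 is open to the network and nobody asked for it."""
    return any(proto == "UDP" and port == 1434 for proto, port, _ in findings)


if __name__ == "__main__":
    # Hypothetical allowlist: this machine is only meant to serve HTTP.
    report = audit(SAMPLE_NETSTAT, needed={("TCP", 80)})
    for proto, port, label in report:
        print(f"{port}/{proto.lower()}: {label}")
    print("Slammer-reachable:", slammer_exposed(report))
```

A listener reported here should be closed or firewalled first; patching applies only to the services that must stay open.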

Top Slammer Links from www.grc.com
http://grc.com/worms/25-01-03.htm
 http://www.eeye.com/html/Research/Flash/AL20030125.html
 http://www.techie.hopto.org/sqlworm.html



The following is a list of Port 1434 probes at this firewall over the last 100 days.  Note that the FIRST of these probes originated on December 29, 2002; there were none before that.  Activity here reflects the "square wave" effect discussed by Robert Graham in his note, beginning abruptly at 9:32 PM PT on the 24th and essentially ending at 12:41 PM PT on the 25th.

If I had not been running the Zone Alarm personal firewall, and did not have MSDE disabled on my machine, I would have been infected, and my machine would have become a source of infection for other machines.

This vulnerability has been known for more than 6 months; in fact, I believe patches to prevent the exploitation of the vulnerability have been available for that long. In July 2002, a well-known security expert predicted that an attack exploiting this vulnerability would be the 'next big thing' in internet security breaches. Six months might seem fair enough warning, but see Robert Graham's note, cited above.

The experts and advisories cited below did NOT anticipate the role of MSDE in the attack.
 http://www.nextgenss.com/advisories/mssql-udp.txt
 http://www.searchdatabase.com/qna/0,289202,sid13_gci841576,00.html
(more links at the bottom)

Probes of particular interest to me are in color.


ZoneAlarm Logging Client v3.1.395
Windows 98-4.10.1998- -SP
type    date    time    source  destination     transport
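The abrupt "square wave" onset described above can be measured directly from a ZoneAlarm text log by bucketing port 1434 probes per hour. This Python is an added example, not part of the original page; it assumes the six-column layout of the log header above (type, date, time, source, destination, transport), and the sample rows, the `find_onset` thresholds and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

FIELD_SPLIT = re.compile(r"\t+| {2,}")  # columns are tab- or multi-space-separated


def _row(date, time, src, dst="203.0.113.5:1434", proto="UDP"):
    """Build one constructed log row in the assumed ZoneAlarm layout."""
    return f"FWIN\t{date}\t{time} -8:00 GMT\t{src}\t{dst}\t{proto}"


# Constructed sample (RFC 5737 documentation addresses, not rows from the page):
# two stray probes, then an abrupt burst, plus rows the filter must ignore.
SAMPLE_LOG = "\n".join([
    "type\tdate\ttime\tsource\tdestination\ttransport",
    _row("2003/01/15", "3:43:34 AM", "192.0.2.10:2440"),
    _row("2003/01/22", "2:45:10 AM", "192.0.2.11:1702"),
    _row("2003/01/24", "8:15:02 PM", "192.0.2.12:3100", "203.0.113.5:1433", "TCP"),
    _row("2003/01/24", "9:32:36 PM", "198.51.100.1:1036"),
    _row("2003/01/24", "9:34:32 PM", "198.51.100.2:1494"),
    _row("2003/01/24", "9:39:16 PM", "198.51.100.3:1122"),
    _row("2003/01/24", "9:45:08 PM", "198.51.100.4:1955"),
    _row("2003/01/24", "9:57:20 PM", "198.51.100.5:1040"),
    _row("2003/01/24", "10:01:00 PM", "198.51.100.6:2350"),
    _row("2003/01/24", "10:17:22 PM", "198.51.100.7:3337"),
    _row("2003/01/24", "10:46:02 PM", "198.51.100.8:4878"),
    _row("2003/01/24", "10:58:56 PM", "198.51.100.1:1149"),
    "FWIN\t2003/01/24\tgarbled row",
])


def parse_row(line):
    """Return (timestamp, src_ip, dst_port, transport), or None for non-data rows."""
    fields = FIELD_SPLIT.split(line.strip())
    if len(fields) != 6 or fields[0] != "FWIN":
        return None
    _, date, time, src, dst, proto = fields
    try:
        # Keep the firewall's local clock; the "-8:00 GMT" offset is dropped.
        clock = " ".join(time.split()[:2])
        stamp = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %I:%M:%S %p")
        src_ip = src.rsplit(":", 1)[0]
        dst_port = int(dst.rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return stamp, src_ip, dst_port, proto.upper()


def probes(log_text, port=1434, transport="UDP"):
    """All blocked inbound packets aimed at the given port and transport."""
    hits = []
    for line in log_text.splitlines():
        row = parse_row(line)
        if row and row[2] == port and row[3] == transport:
            hits.append((row[0], row[1]))
    return hits


def hourly_counts(hits):
    """Number of probes in each clock hour."""
    return Counter(stamp.replace(minute=0, second=0) for stamp, _ in hits)


def find_onset(counts, burst_min=3, quiet_hours=24, quiet_max=1):
    """First hour with >= burst_min probes after a quiet window: the rising
    edge of the 'square wave'. Returns None when no hour qualifies."""
    for hour in sorted(counts):
        if counts[hour] < burst_min:
            continue
        start = hour - timedelta(hours=quiet_hours)
        before = sum(n for h, n in counts.items() if start <= h < hour)
        if before <= quiet_max:
            return hour
    return None


def summarize(log_text):
    hits = probes(log_text)
    counts = hourly_counts(hits)
    return {
        "probes": len(hits),
        "distinct_sources": len({ip for _, ip in hits}),
        "onset": find_onset(counts),
        "peak_hour": max(counts, key=counts.get) if counts else None,
    }


if __name__ == "__main__":
    for hour, n in sorted(hourly_counts(probes(SAMPLE_LOG)).items()):
        print(hour.strftime("%Y-%m-%d %H:00"), "#" * n)
    print(summarize(SAMPLE_LOG))
```

A distinct-source count close to the probe count, as in the sample, is what a random-scanning worm produces; a single scanner would show one source repeated.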

http://www.microsoft.com/security/slammer.asp
http://www.techtv.com/news/security/story/0,24195,3415704,00.html
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
 http://www.counterpane.com/alert-v20020730001.html