Hello,
My SQL server that sits outside our firewall has been
sending a large amount of network traffic the last 2
days. It reminded me of the old SQL Slammer virus,
however I have SP3 installed and all virus updates and MS
patches. I noticed a new process called scan1000.exe
running and sending out many packets. I did some research
on this process and sure enough it's a worm called
Exploit.Win32.WebDav.n. I removed the scan1000.exe file
from C:\recycler and everything seems alright now. I
found some info on this on McAfee's site, but not Norton
or Microsoft. My SQL server has been fine and it's NOT
using a blank password. How did this get on my system and
exploit it? Any information is greatly appreciated.
Thank you.

Hi Phil,
It's possible that this machine was compromised in any number of ways.
Having your Server outside the firewall is not a good idea. You should
have it behind a firewall and only expose the ports needed.
If you'd like we can assist you with a security review of your system.
You may want to review these articles as well:
SQL Server Best Practices.
http://www.microsoft.com/technet/pr...n/sp3sec04.mspx
Certs Recommendations
http://www.cert.org/nav/recovering.html
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/co...gmt/sm0504.mspx
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.