Thread: Port 1434 Activity gone up, up up.....

There has been a steady rise in port 1433 activity over the last week here which is confirmed by ISC, (www.isc.sans.org).

Yesterday at 12:20 EDT Snort began alerting on MS-SQL version overflow attempts and MS-SQL Worm propogation attempts on port 1434. My external sensor has logged some 300 attempts since that time. Anyone else seeing this?

Interestingly enough, with all the 1433 scans I have received in the last week the 1434 attempts are untargetted, (random scans at IP's that don't exist). Since both ports are blocked on my network it implies that the 1433 scan was actually unrelated to the 1434 attempts.

Any thoughts/information?

Yeah, clearly it's an old exploit... I haven't seen Snort pop up an MS-SQL alert in about a year.

It just strikes me that the uptick in 1433 scans is unrelated to the 1434 and am sorta wondering what the motivation for the two coinciding might be.... eg: did the uptick remind some skiddie that there are probably unpatched/misconfigured MS-SQL servers out there for them to play with?

I've seen 537 attempts from 144 unique sources this week. Typically I associate this with a bunch of clowns who dig up an automated tool from a site that is 2 years old and then tell all their buddies that they've found a new hack. Stupidity spreads quicker than disease...

Stupidity spreads quicker than disease...

Ain't that the truth.... Thanks for the giggle.....

Well.... The consistency of the traffic and the large variation of the IP addresses really implies there are a lot of still unpatched systems sitting out there......

I get a very, VERY large number of these alerts from one of my clients.

June IDS statistics (for 1 of 8 locations, globally):
MS - SQL version overflow attempts: 4879 from 1109 unique IPs
MS - SQL Worm propagation attempts: 5719 from 1279 unique IPs
All seem to be to 1434/tcp.

So yeah, unpatched hosts and dingus dipshit wannabes out there trying out the "newest" exploits.