Thread: Worm like activity...help please.

  1. #1

    Worm like activity...help please.

    I've been noticing some scanning activity on my system coming from multiple addresses all trying to hit the same port, TCP 1433. Has anyone seen anything about this or maybe know of a worm that is designed to specifically scan for MS-SQL servers?

    -eeshman

  2. #2
    s0nIc (Fastest Thing Alive) | Join Date: Sep 2001 | Location: Sydney | Posts: 1,584
    hmm can u show us ur firewall log??

  3. #3
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    if the report is only showing a scan on that port, odds are it's someone scanning entire blocks of ip addresses looking for a computer that is vulnerable to attack on that port....are you?

    if not, it really isn't anything to be concerned about. some kiddi3 found a new script but needs a computer with a version of a certain os running a certain unpatched service on a particular port and is searching the internet looking for the chance to try it out.

    if sql port 1433 is open to untrusted traffic it could be someone starting up a zombie for a distributed attack on someone, an attempt to DoS you, or someone trying to run commands on your system remotely to do just about anything.

    make sure your firewall is blocking port 1433. the default is usually to deny traffic unless you specified otherwise. if it has to be open make sure it's only to trusted ip addresses
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    I actually cannot due to reasons beyond my control. But if there is a worm out there that specifically targets MS-SQL servers (or just TCP/UDP port 1433) that would be a start. Thanks for the interest nonetheless.

  5. #5
    Senior Member | Join Date: Jan 2002 | Posts: 244
    What's the firewall you use?
    I'm gone, thx everyone for so much fun and good info.
    cheers and good bye

  6. #6
    Senior Member | Join Date: Jan 2002 | Posts: 682
    "I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  7. #7
    Webius Designerous Indiginous | Join Date: Mar 2002 | Location: South Florida | Posts: 1,123
    Here is an update to zigar's post.

    Taken from SANS update
    Update on Port 1433: Last week we reported on widespread scanning of
    port 1433, commonly used by Microsoft's SQL server. We noted that we
    had had no reports at Incidents.Org of exploits connected with the
    scanning. A few hours later we received the following note from the
    CISO of a large research organization:

    [Our organization] has been hit at least twice in the last 2 weeks with
    Web defacements based on the exploit Port 1433/ms-sql, CAN-2002-0154.
    We were kind of shocked that within 1-2 weeks of Microsoft announcing
    the vulnerability, we were already hit by the exploit. Doesn't
    give much time to clean up. However, I haven't heard of widespread
    exploits yet. Also, I would hope most sites block external access
    to SQL Server. We happened to have a few servers that needed outside
    access for special purposes.
    Here is some more info.

    This is taken from Incidents.org directly from this page.
    Large scale MSSQL scans.
    ========================

    For the last few days, we received a number of reports of widespread
    scans of port 1433. The most common use of port 1433 is Microsoft's
    SQL server.

    Just this March, a vulnerability in SQL Server 7.0 and 2000 was shown
    to allow access to the security context of the server
    (http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0154). Microsoft
    released an advisory and a patch for this problem
    (http://www.microsoft.com/technet/tre...n/MS02-020.asp).

    It has also been known that many administrators do not change the
    default password for the administrator account. SQL Server by default
    ships with no password set for this account
    ( http://www.bhs.silesianet.pl/html/sql.htm ).

    Data
    ====

    Data collected by DShield.org (
    http://www.dshield.org/port_report.php?port=1433 ) did show a
    remarkable increase in MSSQL scans. These could be traced back to only
    two sources, which systematically scan large IP address blocks. The
    intent of these scans is not clear yet.

    ------------------------------------------------------

    +-----------------+------------------------+
    | source          | count(distinct target) |
    +-----------------+------------------------+
    | 024.100.150.234 |                      1 |
    | 064.215.201.030 |                      1 |
    | 080.015.001.085 |                      1 |
    | 134.184.033.072 |                  64650 |
    | 193.252.002.086 |                   6957 |
    | 194.192.015.045 |                     71 |
    | 195.176.253.197 |                      1 |
    | 200.181.089.010 |                     87 |
    | 211.219.008.068 |                      7 |
    | 211.224.129.115 |                      8 |
    +-----------------+------------------------+
    Table 1: # of targets scanned by source for
    port 1433 scans on May 3rd 2002.

    -------------------------------------------------------

    Full packet submitted by one user:

    05/02-18:53:30.534490 200.181.89.10:4181 -> xxx.xxx.xxx.xxx:1433
    TCP TTL:113 TOS:0x0 ID:43652 IpLen:20 DgmLen:40 DF
    *****R** Seq: 0x1C68D5 Ack: 0x5F7CC4AF Win: 0x0 TcpLen: 20
    0x0000: 00 00 0F FF FF FF 00 E0 63 17 88 A1 08 00 45 00 ........c.....E.
    0x0010: 00 28 AA 84 40 00 71 06 CE 2B C8 B5 59 0A xx xx .(..@.q..+..Y..,
    0x0020: xx xx 10 55 05 99 00 1C 68 D5 5F 7C C4 AF 50 04 .3.U....h._|..P.
    0x0030: 00 00 7B B5 00 00 00 00 00 00 00 00 ..{.........


    Conclusion
    ==========

    At this point, the intent of these scans is not clear. No definite
    link between these scans and the use of a particular exploit can be
    made so far. Standard security practices should mitigate this attack
    (block external access to any SQL servers, keep patches current, use
    strong passwords).
    Hope that helps clear things up.
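    As an added example (not from the thread, DShield or Incidents.org), the Python below rebuilds the "count(distinct target) by source" view of Table 1 from Snort-style packet header lines like the one quoted above, so a defender can tell a single source sweeping an address block from a stray connection. The sample lines, the 203.0.113.5 scanner and the 192.0.2.x targets are constructed, and the 20-target threshold is an assumption.

```python
"""Per-source count of distinct hosts contacted on TCP/1433 from Snort-style
packet headers, the same aggregation DShield used for Table 1."""
import re
from collections import defaultdict

# Snort header line: "MM/DD-HH:MM:SS.usec SRC:SPORT -> DST:DPORT"
# Redacted octets ("xxx") are accepted because exported logs often contain them.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)

def parse_headers(lines):
    """Yield (src, dst, dport) for each header line; flag/hex lines are skipped."""
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def targets_by_source(lines, port=1433):
    """Map each source to the set of distinct hosts it contacted on `port`."""
    seen = defaultdict(set)
    for src, dst, dport in parse_headers(lines):
        if dport == port:
            seen[src].add(dst)
    return seen

def classify(lines, port=1433, threshold=20):
    """Return (counts per source, sources at/above the block-scan threshold).
    The threshold is an assumed value, not one from the report."""
    counts = {src: len(t) for src, t in targets_by_source(lines, port).items()}
    scanners = sorted(s for s, n in counts.items() if n >= threshold)
    return counts, scanners

# Constructed sample: the header quoted in the thread, one constructed source
# sweeping a whole /24 on port 1433, one unrelated port-80 hit, one flags line.
SAMPLE = ["05/02-18:53:30.534490 200.181.89.10:4181 -> xxx.xxx.xxx.xxx:1433"]
SAMPLE += [f"05/02-18:5{i % 10}:00.000000 203.0.113.5:{1025 + i} -> 192.0.2.{i}:1433"
           for i in range(1, 255)]
SAMPLE.append("05/02-18:54:00.000000 198.51.100.7:3456 -> 192.0.2.9:80")
SAMPLE.append("*****R** Seq: 0x1C68D5 Ack: 0x5F7CC4AF Win: 0x0 TcpLen: 20")

if __name__ == "__main__":
    counts, scanners = classify(SAMPLE)
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{src:<16} {n:>6}")
    print("likely block scanners:", scanners)
```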
