This is taken from Incidents.org, directly from this page.
Large scale MSSQL scans.
========================
Over the last few days, we have received a number of reports of widespread
scans of port 1433. The most common use of port 1433 is Microsoft's
SQL Server.
Just this March, a vulnerability in SQL Server 7.0 and 2000 was shown
to allow access to the security context of the server
( http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0154 ). Microsoft
released an advisory and a patch for this problem
( http://www.microsoft.com/technet/tre...n/MS02-020.asp ).
It has also been known that many administrators do not change the
default password for the administrator account. SQL Server by default
ships with no password set for this account
( http://www.bhs.silesianet.pl/html/sql.htm ).
Data
====
Data collected by DShield.org
( http://www.dshield.org/port_report.php?port=1433 ) showed a
remarkable increase in MSSQL scans. These could be traced back to only
two sources, which systematically scan large IP address blocks. The
intent of these scans is not clear yet.
------------------------------------------------------
+-----------------+------------------------+
| source          | count(distinct target) |
+-----------------+------------------------+
| 024.100.150.234 |                      1 |
| 064.215.201.030 |                      1 |
| 080.015.001.085 |                      1 |
| 134.184.033.072 |                  64650 |
| 193.252.002.086 |                   6957 |
| 194.192.015.045 |                     71 |
| 195.176.253.197 |                      1 |
| 200.181.089.010 |                     87 |
| 211.219.008.068 |                      7 |
| 211.224.129.115 |                      8 |
+-----------------+------------------------+
Table 1: Number of targets scanned by source for
port 1433 scans on May 3rd 2002.
-------------------------------------------------------
Full packet submitted by one user:
05/02-18:53:30.534490 200.181.89.10:4181 -> xxx.xxx.xxx.xxx:1433
TCP TTL:113 TOS:0x0 ID:43652 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x1C68D5 Ack: 0x5F7CC4AF Win: 0x0 TcpLen: 20
0x0000: 00 00 0F FF FF FF 00 E0 63 17 88 A1 08 00 45 00 ........c.....E.
0x0010: 00 28 AA 84 40 00 71 06 CE 2B C8 B5 59 0A xx xx .(..@.q..+..Y..,
0x0020: xx xx 10 55 05 99 00 1C 68 D5 5F 7C C4 AF 50 04 .3.U....h._|..P.
0x0030: 00 00 7B B5 00 00 00 00 00 00 00 00 ..{.........
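A per-source tally like Table 1 can be rebuilt on a local sensor from Snort packet-header lines in the format shown above. The following is an added example, not code from Incidents.org or DShield; the sample log lines are constructed and the min_targets threshold is an assumed value to tune per network.

```python
import re
from collections import defaultdict

# Snort packet-header line: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
HEADER = re.compile(
    r"^\d\d/\d\d-[\d:.]+\s+(\d+(?:\.\d+){3}):\d+\s+->\s+(\d+(?:\.\d+){3}):(\d+)\s*$"
)

# Constructed sample input (documentation address ranges, not sensor data).
SAMPLE_LOG = """\
05/03-10:00:01.000001 192.0.2.10:4181 -> 198.51.100.1:1433
05/03-10:00:01.100000 192.0.2.10:4182 -> 198.51.100.2:1433
05/03-10:00:01.200000 192.0.2.10:4183 -> 198.51.100.3:1433
05/03-10:00:02.000000 192.0.2.10:4190 -> 198.51.100.1:1433
TCP TTL:113 TOS:0x0 ID:43652 IpLen:20 DgmLen:40 DF
05/03-10:05:00.000000 203.0.113.7:3100 -> 198.51.100.9:1433
05/03-10:06:00.000000 203.0.113.7:3101 -> 198.51.100.9:80
05/03-10:07:00.000000 203.0.113.8:3000 -> xxx.xxx.xxx.xxx:1433
"""


def targets_by_source(lines, port=1433):
    """Map each source IP to the set of distinct destinations it hit on `port`."""
    seen = defaultdict(set)
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            # Flag lines, hex dump rows and headers with a masked
            # (xxx.xxx.xxx.xxx) address cannot be counted as distinct targets.
            continue
        src, dst, dport = m.groups()
        if int(dport) == port:
            seen[src].add(dst)
    return seen


def sweep_report(lines, port=1433, min_targets=3):
    """Return [(source, distinct_targets, is_sweeper)], highest count first."""
    seen = targets_by_source(lines, port)
    rows = [(s, len(d), len(d) >= min_targets) for s, d in seen.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, count, sweeper in sweep_report(SAMPLE_LOG.splitlines()):
        print(f"{src:<15} {count:>6} {'SWEEP' if sweeper else ''}")
```

Repeated probes to the same destination count once, so the figure matches the count(distinct target) column rather than the raw packet count.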
Conclusion
==========
At this point, the intent of these scans is not clear. No definite
link between these scans and the use of a particular exploit can be
made so far. Standard security practices should mitigate this attack
(block external access to any SQL servers, keep patches current, use
strong passwords).