Results 1 to 4 of 4

Thread: MS-SQL_NullPacket false positive ??

  1. #1

    Question MS-SQL_NullPacket false positive ??

    Attempted Intrusion "MSSQL_Null_Packet_DoS" against your machine was detected and blocked.
    Intruder: machinename.mydomain.com(192.x.x.x)(ldap(389)).


    My Symantec Client firewall keeps popping up this and I'm sure it's a false positive because I don't have an SQL server at the IP that it says is generating the attack?

    Has anyone seen this happen before and why would a w2003 server generate it, or at least generate something that looked like it? There are no events at the same time generated on the source machine.

    Thanks
    \"\'Do not despise the snake for having no horns, for who is to say it will not become a dragon?\"

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    My Symantec Client firewall keeps popping up this and I'm sure it's a false positive because I don't have an SQL server at the IP that it says is generating the attack?
    Just because you don't have it doesn't mean that someone won't attempt to scan for it or that a worm won't attempt to propogate. It's just telling you what it thinks it found. This is a good thing since it's detecting it (that job of an IDS)

    Has anyone seen this happen before and why would a w2003 server generate it, or at least generate something that looked like it? There are no events at the same time generated on the source machine.
    It's very possible that the source address was "spoofed" (faked). Is this coming from an external source or internal network? Either way, if you want more details you'd need a sniffer to see the full packet (something like Ethereal might be handy). Honestly, however, if this is coming from external sources (outside your network) I wouldn't worry about it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The port "under attack" is not the SQL Server port, (1433), it's the LDAP port, (Lightweight Directory Access Protocol). It's probably some kind of worm or bot just firing these packets looking for unfirewalled Win2k/XP boxes to see what it can find. Since it's being blocked I would forget about it.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Well, since it's on your network ( machinename.mydomain.com(192.x.x.x) ) I'd make sure that someone responsible for the network you use checks out that machine. If Tiger Shark is right, is has at least one worm running on it, and therefor should be considered a security risk. It probably need some patches or other updates.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •