Port 1434 Activity gone up, up up.....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Port 1434 Activity gone up, up up.....

    There has been a steady rise in port 1433 activity over the last week here which is confirmed by ISC, (www.isc.sans.org).

    Yesterday at 12:20 EDT Snort began alerting on MS-SQL version overflow attempts and MS-SQL Worm propagation attempts on port 1434. My external sensor has logged some 300 attempts since that time. Anyone else seeing this?

    Interestingly enough, with all the 1433 scans I have received in the last week the 1434 attempts are untargeted, (random scans at IPs that don't exist). Since both ports are blocked on my network it implies that the 1433 scan was actually unrelated to the 1434 attempts.

    Any thoughts/information?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Banned
    Join Date
    May 2005
    Posts
    173
    Yeah... old exploit, somewhere down the line this ends up being "new" attack modules for SDbot and Gaobot though. Sure that's not what you're seeing?

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Yeah, clearly it's an old exploit... I haven't seen Snort pop up an MS-SQL alert in about a year.

    It just strikes me that the uptick in 1433 scans is unrelated to the 1434 and am sorta wondering what the motivation for the two coinciding might be.... eg: did the uptick remind some skiddie that there are probably unpatched/misconfigured MS-SQL servers out there for them to play with?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I've seen 537 attempts from 144 unique sources this week. Typically I associate this with a bunch of clowns who dig up an automated tool from a site that is 2 years old and then tell all their buddies that they've found a new hack. Stupidity spreads quicker than disease...
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Stupidity spreads quicker than disease...
    Ain't that the truth.... Thanks for the giggle.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well.... The consistency of the traffic and the large variation of the IP addresses really implies there are a lot of still unpatched systems sitting out there......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I get a very, VERY large number of these alerts from one of my clients.

    June IDS statistics (for 1 of 8 locations, globally):
    MS-SQL version overflow attempts: 4879 from 1109 unique IPs
    MS-SQL Worm propagation attempts: 5719 from 1279 unique IPs
    All seem to be to 1434/tcp.

    So yeah, unpatched hosts and dingus dipshit wannabes out there trying out the "newest" exploits.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
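
The numbers the posters quote (attempts per signature, unique source IPs, and the targeted-versus-dark-space distinction raised in post #1) are the kind of thing you pull straight out of Snort's fast-format alert log. The script below is an added example for this thread, not code from any of the posters: it parses constructed sample alert lines in Snort's "fast" output format, totals each signature with its unique source count, gives the overall figure in the "N attempts from M unique sources" form used above, and reports what fraction of the attempts hit addresses that are not in a (constructed) list of live hosts. The sid numbers, timestamps, addresses and the live-host set are assumptions for illustration only; the sample lines carry {UDP} because the Snort rules behind these two signature names match UDP traffic to 1434.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort "fast" alert format (not taken from the
# thread); sids, timestamps and addresses are illustrative assumptions.
# The last line is deliberately not an alert and must be skipped by the parser.
SAMPLE_ALERTS = """\
07/12-12:20:01.100000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1045 -> 192.0.2.10:1434
07/12-12:20:03.400000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1045 -> 192.0.2.77:1434
07/12-12:21:17.900000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.9:2301 -> 192.0.2.200:1434
07/12-12:21:18.000000  [**] [1:2050:8] MS-SQL version overflow attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.9:2301 -> 192.0.2.10:1434
07/12-12:25:42.250000  [**] [1:2050:8] MS-SQL version overflow attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.44:3999 -> 192.0.2.31:1434
Snort restarted: reloading rules
"""

# Constructed: the addresses that actually exist on the monitored network.
# Anything else in the monitored range is dark space, so a hit there is
# random sweeping rather than an attempt aimed at a real server.
LIVE_HOSTS = {"192.0.2.10"}

# One fast-format alert line: timestamp, [gid:sid:rev], message, bracketed
# classification/priority, {PROTO}, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts. Lines that do not match
    (ICMP alerts without ports, Snort status messages, blanks) are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Per-signature totals in the form the posters quote:
    number of attempts and number of distinct source addresses."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for a in alerts:
        counts[a["msg"]] += 1
        sources[a["msg"]].add(a["src"])
    return {msg: {"count": counts[msg], "unique_sources": len(sources[msg])}
            for msg in counts}


def overall(alerts):
    """Total attempts and unique sources across all signatures."""
    return len(alerts), len({a["src"] for a in alerts})


def untargeted_ratio(alerts, live_hosts):
    """Fraction of alerts whose destination is not a live host, i.e. random
    sweeping of address space rather than attempts aimed at a known server."""
    if not alerts:
        return 0.0
    dark = sum(1 for a in alerts if a["dst"] not in live_hosts)
    return dark / len(alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for msg, stats in sorted(summarize(parsed).items()):
        print(f"{msg}: {stats['count']} from {stats['unique_sources']} unique IPs")
    total, uniq = overall(parsed)
    print(f"total: {total} attempts from {uniq} unique sources")
    print(f"untargeted (dark-space) share: {untargeted_ratio(parsed, LIVE_HOSTS):.0%}")
```

Against the constructed sample this reports 3 worm-propagation attempts from 2 sources, 2 version-overflow attempts from 2 sources, 5 attempts from 3 sources overall, and a 60% dark-space share. On a real sensor, feed it the alert file and replace LIVE_HOSTS with the addresses you actually route; a dark-space share near 100% is the signature of the blind scanning described in post #1, while a low share on the same signature means the sources already know which of your hosts exist.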

  8. #8
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Well...here's the old report...

    http://cert-nl.surfnet.nl/s/2003/S-03-005.htm
    SURFnet-CERT S-03-05: Serious Worm Activity using MS SQL Buffer Overflow flaw

    and here's the newer one...interesting how they have the page set up...dates right up till August 1st, 2005...

    http://isc.sans.org/port_details.php?port=1434
    SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
