Here is an update to zigars post.

Taken from SANS update
Update on Port 1433: Last week we reported on widespread scanning of
port 1433, commonly used by Microsoft's SQL server. We noted that we
had had no reports at Incidents.Org of exploits connected with the
scanning. A few hours later we received the following note from the
CISO of a large research organization:

[Our organization] has been hit at least twice in the last 2 weeks with
Web defacements based on the exploit Port 1433/ms-sql, CAN-2002-0154.
We were kind of shocked that within 1-2 weeks of Microsoft announcing
the vulnerability, we were already hit by the exploit. Doesn't
give much time to clean up. However, I haven't heard of widespread
exploits yet. Also, I would hope most sites block external access
to SQL Server. We happened to have a few servers that needed outside
access for special purposes.
Here is some more info.

This taken from Incidents.org directly from This page.
Large scale MSSQL scans.
================================================================
========================

For the last few days, we received a number of reports of widespread
scans of port 1433. The most common use of port 1433 is Microsoft's
SQL server.

Just this march, a vulnerability in SQL Server 7.0 and 2000 was shown
to allow access to the the security context of the server
(http://www.cve.mitre.org/cgi-bin/cve...=CAN-2002-0154). Microsoft
released and advisory and a patch for this problem.
(http://www.microsoft.com/technet/tre...n/MS02-020.asp
)

It has also been known that many administrators do not change the
default password for the administrator account. SQL Server by default
ships with no password set for this account
( http://www.bhs.silesianet.pl/html/sql.htm ).

Data
====

Data collected by DShield.org (
http://www.dshield.org/port_report.php?port=1433 ) did show a
remarkable increase in MSSQL scans. These could be traced back to only
two sources, which systematically scan large IP address blocks. The
intent of these scans is not clear yet.

------------------------------------------------------

+-----------------+------------------------+
| source | count(distinct target) |
+-----------------+------------------------+
| 024.100.150.234 | 1 |
| 064.215.201.030 | 1 |
| 080.015.001.085 | 1 |
| 134.184.033.072 | 64650 |
| 193.252.002.086 | 6957 |
| 194.192.015.045 | 71 |
| 195.176.253.197 | 1 |
| 200.181.089.010 | 87 |
| 211.219.008.068 | 7 |
| 211.224.129.115 | 8 |
+-----------------+------------------------+
Table 1: # of targets scanned by source for
port 1433 scans on May 3rd 2002.

-------------------------------------------------------

Full packet submitted by one user:

05/02-18:53:30.534490 200.181.89.10:4181 -> xxx.xxx.xxx.xxx:1433
TCP TTL:113 TOS:0x0 ID:43652 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x1C68D5 Ack: 0x5F7CC4AF Win: 0x0 TcpLen: 20
0x0000: 00 00 0F FF FF FF 00 E0 63 17 88 A1 08 00 45 00 ........c.....E.
0x0010: 00 28 AA 84 40 00 71 06 CE 2B C8 B5 59 0A xx xx .([email protected]..+..Y..,
0x0020: xx xx 10 55 05 99 00 1C 68 D5 5F 7C C4 AF 50 04 .3.U....h._|..P.
0x0030: 00 00 7B B5 00 00 00 00 00 00 00 00 ..{.........


Conclusion
==========

At this point, the intent of these scans is not clear. No definite
link between these scans and the use of a particular exploit can be
made so far. Standard security practices should mitigate this attack
(block external access to any SQL servers. keep patches current. Use
strong passwords).
Hope that helps clear things up.