RE: Red Alert - sharp increase port 1433 (MS SQL) scans
We've been getting a lot of these too: 3 connections from each host, 21 so far (all today, between 11am and 4pm).

- michael

-----Original Message-----
From: Arjen De Landgraaf [mailto:arjen.de.landgraaf(a)cologic.co.nz]
Sent: Tuesday, 21 May 2002 3:44 PM
To: nznog(a)list.waikato.ac.nz
Subject: Red Alert - sharp increase port 1433 (MS SQL) scans
Importance: High

We just issued a "Red Alert" on a rapid and sharp increase in port 1433 TCP probes.
If you have MS SQL Server behind web services, you should monitor.

Further information will be available shortly under newsitems at:
www.e-secure-it.us
www.e-secure-it.co.nz

Arjen de Landgraaf
E-Secure-IT

-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
RE: Red Alert - sharp increase port 1433 (MS SQL) scans

Yes.. I see it as well.. :-( (From a large number of hosts (saw 10 unique machines within about 3 mins), portscanning entire netblocks).

13.317297 x.x.x.x -> 210.54.13.184 TCP 2428 > 1433 [SYN] Seq=4121127920 Ack=0 Win=16384 Len=0
13.317301 x.x.x.x -> 210.54.13.168 TCP 2412 > 1433 [SYN] Seq=4120301305 Ack=0 Win=16384 Len=0
13.317304 x.x.x.x -> 210.54.13.190 TCP 2434 > 1433 [SYN] Seq=4121425987 Ack=0 Win=16384 Len=0
13.317308 x.x.x.x -> 210.54.13.162 TCP 2406 > 1433 [SYN] Seq=4119999237 Ack=0 Win=16384 Len=0
13.317311 x.x.x.x -> 210.54.13.178 TCP 2422 > 1433 [SYN] Seq=4120812200 Ack=0 Win=16384 Len=0
13.317314 x.x.x.x -> 210.54.13.187 TCP 2431 > 1433 [SYN] Seq=4121284990 Ack=0 Win=16384 Len=0
13.317405 x.x.x.x -> 210.54.13.165 TCP 2409 > 1433 [SYN] Seq=4120137569 Ack=0 Win=16384 Len=0
13.318071 x.x.x.x -> 210.54.13.175 TCP 2419 > 1433 [SYN] Seq=4120667208 Ack=0 Win=16384 Len=0
13.318077 x.x.x.x -> 210.54.13.181 TCP 2425 > 1433 [SYN] Seq=4120952009 Ack=0 Win=16384 Len=0

----- Original Message -----
From: Michael Bordignon
To: nznog(a)list.waikato.ac.nz
Sent: Tuesday, May 21, 2002 4:19 PM
Subject: RE: Red Alert - sharp increase port 1433 (MS SQL) scans
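The capture Craig posted shows one source sweeping a netblock on 1433 within a few milliseconds, while Michael's count (3 connections from each host) is a different shape: a few repeated SYNs from the same source. Both can be pulled out of summary lines of exactly that format. The script below is an added example and not code from the thread; it parses lines shaped like Craig's and separates netblock sweeps from repeated attempts. The source addresses and the last five sample lines are constructed for the example (Craig masked his sources as x.x.x.x), and the thresholds (3 distinct targets, a 10-second window) are assumptions, not anything the list agreed on.

```python
import re
from collections import defaultdict

# Ethereal/tcpdump-style summary lines in the shape Craig posted. All source
# addresses, and the last five lines, are constructed for this example.
SAMPLE_CAPTURE = """\
13.317297 10.0.0.5 -> 210.54.13.184 TCP 2428 > 1433 [SYN] Seq=4121127920 Ack=0 Win=16384 Len=0
13.317301 10.0.0.5 -> 210.54.13.168 TCP 2412 > 1433 [SYN] Seq=4120301305 Ack=0 Win=16384 Len=0
13.317304 10.0.0.5 -> 210.54.13.190 TCP 2434 > 1433 [SYN] Seq=4121425987 Ack=0 Win=16384 Len=0
13.317308 10.0.0.5 -> 210.54.13.162 TCP 2406 > 1433 [SYN] Seq=4119999237 Ack=0 Win=16384 Len=0
13.317311 10.0.0.5 -> 210.54.13.178 TCP 2422 > 1433 [SYN] Seq=4120812200 Ack=0 Win=16384 Len=0
14.002100 10.0.0.9 -> 210.54.13.10 TCP 3012 > 1433 [SYN] Seq=1 Ack=0 Win=16384 Len=0
14.002200 10.0.0.9 -> 210.54.13.10 TCP 3013 > 1433 [SYN] Seq=2 Ack=0 Win=16384 Len=0
14.002300 10.0.0.9 -> 210.54.13.10 TCP 3014 > 1433 [SYN] Seq=3 Ack=0 Win=16384 Len=0
15.100000 10.0.0.7 -> 210.54.13.20 TCP 4000 > 80 [SYN] Seq=5 Ack=0 Win=16384 Len=0
40.000000 10.0.0.5 -> 210.54.13.200 TCP 2500 > 1433 [SYN] Seq=9 Ack=0 Win=16384 Len=0
"""

# <timestamp> <src> -> <dst> TCP <sport> > <dport> [<flags>] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return (ts, src, dst, dport, flags) tuples for lines that match; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((float(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return events


def find_sweeps(events, port=1433, min_targets=3, window=10.0):
    """Sources that sent bare SYNs to at least min_targets distinct hosts on
    `port` inside any `window`-second span: the netblock sweep in Craig's capture.
    Returns {src: set of targets in the first qualifying window}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if dport == port and flags.strip() == "SYN":
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window over time-ordered SYNs from this source
        for i, (t0, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                sweeps[src] = targets
                break
    return sweeps


def repeat_attempts(events, port=1433):
    """Bare SYNs per (src, dst) pair on `port`. A source that retries the same
    target a few times (the "3 connections from each host" Michael reports)
    shows up here even though it never sweeps a netblock."""
    counts = defaultdict(int)
    for ts, src, dst, dport, flags in events:
        if dport == port and flags.strip() == "SYN":
            counts[(src, dst)] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_capture(SAMPLE_CAPTURE)
    for src, targets in find_sweeps(evs).items():
        print(f"sweep from {src}: {len(targets)} hosts on 1433 -> {sorted(targets)}")
    for (src, dst), n in repeat_attempts(evs).items():
        if n > 1:
            print(f"{src} tried {dst}:1433 {n} times")
```

Only packets whose flag list is exactly SYN count, so a completed handshake or an RST from a real client is not mistaken for a probe; the port 80 line and the lone 1433 SYN 27 seconds later fall outside the window and are ignored by the sweep detector.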
RE: Red Alert - sharp increase port 1433 (MS SQL) scans

Here's an interesting site about it: http://www.cert.org/incident_notes/IN-2001-13.html

Seems it's been around for some time, since Nov 27 2001 in fact.

Karl
------------------
...starting lame signature
strcpy(karl.Designation, "Student, 2nd year");
strcpy(karl.area-of-study, "Computer Science: programming, databases, graphic design")
strcpy(karl.university, "Waikato (woooohooo)");
btw if any of my lecturers read this please don't fail me if my syntax is wrong....return 0;

----- Original Message -----
From: Craig Whitmore
To: Michael Bordignon ; nznog(a)list.waikato.ac.nz
Sent: Tuesday, May 21, 2002 5:06 PM
Subject: Re: Red Alert - sharp increase port 1433 (MS SQL) scans
RE: Red Alert - sharp increase port 1433 (MS SQL) scans

Seems it's a new worm, called SQLsnake. See http://online.securityfocus.com/news/429 for details.

Cheers,
Gordon
participants (4)
- Craig Whitmore
- Gordon Smith
- Karl Briscoe
- Michael Bordignon