[unisog] 1433 scan increase

Jeff Kell jeff-kell at utc.edu
Sat Jan 1 01:02:06 GMT 2005


Nick Lewis wrote:
> ----- Original Message ----- From: "Jeff Kell" <jeff-kell at utc.edu>

>> Increase here in 1434/udp, haven't seen that in some time.  Recent 
>> ones that are particularly unusual are from source port 0 to dest port 
>> 1434. I'm seeing a slow scan right now from 222.149.235.237.
> 
> I'm seeing the same host going back to 12/29 on our network.
> 
> 12/31-15:33:20.219746 222.149.235.237:0 -> 207.75.164.234:1434
> UDP TTL:104 TOS:0x0 ID:60922 IpLen:20 DgmLen:404
> Len: 376
> 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
> 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
> 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
> B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
> 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
> 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick

Thanks for the pcap.  If memory serves me correctly, that is the old 
classic SQL Slammer exploit, or pretty darned close.  I am blindly 
dropping 1434/udp at our border (and have been for quite some time), but 
these scans appeared in my logs by virtue of having the zero source 
port.  I don't recall that being a characteristic of the original 
Slammer (?).

Jeff
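As an added example (not part of the thread, and not anything Jeff or Nick posted), the following Python parses a Snort-style ASCII packet dump like the one quoted above and separates the two things the thread is talking about: the exploit traits visible in the payload (the 0x04 SSRP request type followed by a long run of 0x01 bytes, the little-endian address DC C9 B0 42, and the kernel32-related ASCII fragments ".dll", "hel32", "hkern"), and the UDP source port 0, which is reported as its own anomaly so that a border rule dropping 1434/udp and a rule matching source port 0 can be reasoned about independently. The dump text is copied from the quoted message with the mail quoting removed; the 96-byte padding length and the other offsets are taken from that dump, and the thresholds are my own choices for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Snort-style dump quoted in the thread, with the
# mail quoting ("> ") stripped.  Only 176 payload bytes appear on the page;
# "Len: 376" says the datagram actually carried 376 bytes of UDP payload.
SAMPLE_DUMP = """\
12/31-15:33:20.219746 222.149.235.237:0 -> 207.75.164.234:1434
UDP TTL:104 TOS:0x0 ID:60922 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
"""

# "timestamp src:port -> dst:port" header line of a Snort ASCII dump
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Up to 16 "XX" hex pairs, followed by the two-space gap before the ASCII column
# (or end of line for a row without an ASCII column).
HEX_ROW_RE = re.compile(r"^([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){0,15})(?:  |\s*$)")

# Payload traits taken from the dump above (assumed offsets, see lead-in):
SLAMMER_PAD = b"\x01" * 96                 # 0x04 type byte, then 96 bytes of 0x01
SLAMMER_RET = b"\xdc\xc9\xb0\x42"          # DC C9 B0 42 = little-endian 0x42B0C9DC
SLAMMER_STRINGS = (b".dll", b"hel32", b"hkern")  # ASCII fragments in the dump


@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: Optional[int]
    udp_len: Optional[int]     # value of the "Len:" line (UDP payload length)
    payload: bytes             # bytes recovered from the hex rows


def parse_snort_dump(text: str) -> UdpPacket:
    """Parse one Snort ASCII packet dump: header, 'UDP TTL:...' line, 'Len:' line, hex rows."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("no 'src:port -> dst:port' header line")
    ttl = udp_len = None
    payload = bytearray()
    for ln in lines[1:]:
        if ln.startswith("UDP"):
            t = re.search(r"TTL:(\d+)", ln)
            ttl = int(t.group(1)) if t else None
        elif ln.startswith("Len:"):
            udp_len = int(ln.split(":", 1)[1])
        else:
            row = HEX_ROW_RE.match(ln)
            if row:
                payload += bytes.fromhex(row.group(1))   # fromhex ignores the spaces
    return UdpPacket(m.group("src"), int(m.group("sport")), m.group("dst"),
                     int(m.group("dport")), ttl, udp_len, bytes(payload))


def dump_truncated(pkt: UdpPacket) -> bool:
    """True when the dump shows fewer payload bytes than its own 'Len:' claims."""
    return pkt.udp_len is not None and len(pkt.payload) < pkt.udp_len


def classify(pkt: UdpPacket) -> List[str]:
    """Return the anomalies seen in one packet, header traits first, payload traits after."""
    findings = []
    if pkt.sport == 0:
        findings.append("udp_source_port_zero")     # no legitimate client uses port 0
    if pkt.dport != 1434 or not pkt.payload:
        return findings                              # payload checks only for SSRP traffic
    p = pkt.payload
    if p[0] == 0x04 and p[1:1 + len(SLAMMER_PAD)] == SLAMMER_PAD:
        findings.append("ssrp_0x04_overflow_pattern")
    if SLAMMER_RET in p:
        findings.append("slammer_return_address")
    if all(s in p for s in SLAMMER_STRINGS):
        findings.append("slammer_kernel32_strings")
    return findings


def is_slammer_like(findings: List[str]) -> bool:
    """Alert on the exploit traits only; source port 0 alone is an anomaly, not the worm."""
    return "ssrp_0x04_overflow_pattern" in findings and (
        "slammer_return_address" in findings or "slammer_kernel32_strings" in findings
    )


if __name__ == "__main__":
    pkt = parse_snort_dump(SAMPLE_DUMP)
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}, {len(pkt.payload)} of {pkt.udp_len} bytes shown")
    print("findings:", classify(pkt), "slammer-like:", is_slammer_like(classify(pkt)))
```

Keeping the source-port check separate from the payload checks is the point: a border rule that drops all 1434/udp already stops the packet, so the only reason it shows up in a log is whatever rule or log filter keys on source port 0, and a detector that folded the two together could not tell a Slammer payload arriving from a normal ephemeral port apart from a port-0 probe carrying something else.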


