[Dshield] MSSQL scans

Johannes B. Ullrich jullrich at sans.org
Sat May 4 01:00:47 GMT 2002

  My (preliminary) conclusion on the big jump in mssql scans is
that we have a very small number of sources, who scan one IP
after another for mssql. So far, I don't have any data to
point to a particular exploit or such. All the packets I have
are just SYNs (none of the people submitting packets for this
had something listening). It could be someone scanning for
unpatched SQL servers, or someone building a target list for
a new exploit they have up their sleeve. But so far, there is
no 'worm indication' and there is no captured exploit code.

