[Dshield] [LOGS] ACID Incident Report - port 1433 MS SQL Server

John Sage jsage at finchhaven.com
Tue May 21 05:00:01 GMT 2002


----- Forwarded message from ACID Alert <acid at finchhaven.com> -----

Date: Mon, 20 May 2002 21:30:04 -0700
Subject: ACID Incident Report
From: ACID Alert <acid at finchhaven.com>

Generated by ACID v0.9.6b21 on Mon May 20, 2002 21:30:04

------------------------------------------------------------------------------
#(132 - 31) [2002-05-20 13:49:11]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=42867 flags=0 offset=0 TTL=46 chksum=49964
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 32) [2002-05-20 13:49:15]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43033 flags=0 offset=0 TTL=46 chksum=49798
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 33) [2002-05-20 13:49:21]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43302 flags=0 offset=0 TTL=46 chksum=49529
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none


[toot at sparky /]# lynx -head http://202.119.134.13/

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://202.119.134.13/login.htm
Date: Tue, 21 May 2002 04:52:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 08 May 2002 09:31:00 GMT
ETag: "0e2671073f6c11:8b0"
Content-Length: 3024


------------------------------------------------------------------------------
#(132 - 38) [2002-05-20 15:14:35]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42743 flags=0 offset=0 TTL=110 chksum=64633
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 39) [2002-05-20 15:14:39]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42848 flags=0 offset=0 TTL=110 chksum=64528
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 40) [2002-05-20 15:14:45]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=43133 flags=0 offset=0 TTL=110 chksum=64243
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none


[toot at sparky /]# lynx -head http://211.202.3.249/

Looking up 211.202.3.249
Making HTTP connection to 211.202.3.249
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://211.202.3.249/


----- End forwarded message -----


- John
-- 
It's very possible to know lots about computers,
and know nothing about Window$

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
