[Dshield] port 1433

Ed Truitt ed.truitt at etee2k.net
Tue May 21 11:08:20 GMT 2002


Yeah.  Just looking at my tarpit, I have more MSSQLs caught than HTTPs!  In
fact, I have been hit with over 19,000 probes in the last 24 hours.
Something interesting about this activity:  I have 9 IPs set up in LaBrea,
and the SQL attacks tend to hit all of them in parallel, whereas Nimda/CR
often (not always) only gets stuck on one IP (I did have one Nimda-zombie,
though, whose thread-count rivalled that of fine bedsheets.).  In some
cases, this thing hits each IP with two attack threads.

I don't have a SQL server to sacrifice (yet), but is there some way I can
combine LaBrea and Snort to get additional data (I presume you want actual
packet capture, to look at the payload and ID the attack)?

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Johannes Ullrich" <jullrich at sans.org>
To: <list at dshield.org>
Sent: Monday, May 20, 2002 8:58 PM
Subject: [Dshield] port 1433


> Just a quick heads up to the list that I think something
> is brewing with port 1433 (mssql). More later...
>
> --
> ---------------------------------------------------------------
> jullrich at sans.org             Collaborative Intrusion Detection
join http://www.dshield.org
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list