[Dshield] port 1433

Kelly Martin kmartin at pyrzqxgl.org
Tue May 21 12:30:00 GMT 2002


I just checked my portscan detector log, and I've also seen several port
1433 scans:

Sun Mar 31 03:31:03 2002 scanning complete from 80.13.236.97, 2 hits in 0 seconds (1 hosts, 2 ports [TCP:21,TCP:1433])
Tue Apr 30 12:28:31 2002 scanning complete from 200.207.168.18, 506 hits in 11 seconds (503 hosts, 2 ports [TCP:1433,ICMP:8:0])
Mon May 20 12:35:56 2002 scanning complete from 209.240.253.29, 1700 hits in 41 seconds (507 hosts, 1 ports [TCP:1433])
Mon May 20 14:48:09 2002 scanning complete from 64.24.106.253, 1534 hits in 39 seconds (502 hosts, 1 ports [TCP:1433])
Tue May 21 03:24:37 2002 scanning complete from 210.117.63.55, 1250 hits in 37 seconds (477 hosts, 1 ports [TCP:1433])
Tue May 21 05:12:06 2002 scanning complete from 12.228.25.1, 1277 hits in 40 seconds (494 hosts, 1 ports [TCP:1433])
Tue May 21 06:18:06 2002 scanning complete from 193.12.129.80, 1414 hits in 40 seconds (486 hosts, 1 ports [TCP:1433])

I would guess that there's a new tool entering circulation.  The April 30
scan is obviously a different tool.

Kelly
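To triage entries in this portscan-detector format, here is an added example (not from the post or from any DShield tool): it parses each "scanning complete" line and flags sources that hit TCP:1433 across many distinct hosts, separating broad sweeps from one-off probes. The sample input is a constructed file of four of the post's own entries; the 100-host threshold is an assumption.

```python
import re

# Sample entries in the portscan-detector format quoted in the post, one
# entry per line (the archive wraps them; the values are the post's own).
SAMPLE_LOG = """\
Sun Mar 31 03:31:03 2002 scanning complete from 80.13.236.97, 2 hits in 0 seconds (1 hosts, 2 ports [TCP:21,TCP:1433])
Tue Apr 30 12:28:31 2002 scanning complete from 200.207.168.18, 506 hits in 11 seconds (503 hosts, 2 ports [TCP:1433,ICMP:8:0])
Mon May 20 12:35:56 2002 scanning complete from 209.240.253.29, 1700 hits in 41 seconds (507 hosts, 1 ports [TCP:1433])
Tue May 21 03:24:37 2002 scanning complete from 210.117.63.55, 1250 hits in 37 seconds (477 hosts, 1 ports [TCP:1433])
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) scanning complete from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<hits>\d+) hits in (?P<secs>\d+) seconds? "
    r"\((?P<hosts>\d+) hosts, (?P<nports>\d+) ports \[(?P<ports>[^\]]*)\]\)$"
)

def parse_entries(text):
    """Parse 'scanning complete' lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("hits", "secs", "hosts", "nports"):
            d[k] = int(d[k])
        d["ports"] = d["ports"].split(",") if d["ports"] else []
        entries.append(d)
    return entries

def find_sweeps(entries, port="TCP:1433", min_hosts=100):
    """Return sources that hit `port` on at least `min_hosts` distinct hosts,
    i.e. horizontal sweeps rather than single probes (min_hosts=100 is an
    assumed threshold). The per-second rate and the single-port flag help tell
    different tools apart, as the post does for the April 30 entry."""
    sweeps = []
    for e in entries:
        if port in e["ports"] and e["hosts"] >= min_hosts:
            rate = e["hits"] / e["secs"] if e["secs"] else float(e["hits"])
            sweeps.append({"src": e["src"], "hosts": e["hosts"],
                           "hits_per_sec": round(rate, 1),
                           "single_port": e["nports"] == 1})
    return sweeps

if __name__ == "__main__":
    for s in find_sweeps(parse_entries(SAMPLE_LOG)):
        print(s)
```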

----- Original Message -----
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: <list at dshield.org>
Sent: Tuesday, May 21, 2002 6:08 AM
Subject: Re: [Dshield] port 1433


> Yeah.  Just looking at my tarpit, I have more MSSQLs caught than HTTPs!  In
> fact, I have been hit with over 19,000 probes in the last 24 hours.
> Something interesting about this activity:  I have 9 IPs set up in LaBrea,
> and the SQL attacks tend to hit all of them in parallel, whereas Nimda/CR
> often (not always) only gets stuck on one IP (I did have one Nimda-zombie,
> though, whose thread-count rivalled that of fine bedsheets.).  In some
> cases, this thing hits each IP with two attack threads.
>
> I don't have a SQL server to sacrifice (yet), but is there some way I can
> combine LaBrea and Snort to get additional data (I presume you want actual
> packet capture, to look at the payload and ID the attack)?
>
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
>
> ----- Original Message -----
> From: "Johannes Ullrich" <jullrich at sans.org>
> To: <list at dshield.org>
> Sent: Monday, May 20, 2002 8:58 PM
> Subject: [Dshield] port 1433
>
>
> > Just a quick heads up to the list that I think something
> > is brewing with port 1433 (mssql). More later...
> >
> > --
> > ---------------------------------------------------------------
> > jullrich at sans.org             Collaborative Intrusion Detection
> > join http://www.dshield.org
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
>
