[Dshield] RE It must be monday

Heath Lawson Heath at blakelycrophail.com
Tue May 21 14:23:03 GMT 2002


Check the "Speech" features of Office XP.  It used to do that to me and
totally mess me up.  It's under the "Tools" menu.

Heath Lawson
Network Administrator
Blakely Crop Hail, Inc.
Office:  785-232-0937 x384
Mobile:  785-554-8690
Fax:      785-232-0042
mailto:heath at blakelycrophail.com
www.blakelycrophail.com

-----Original Message-----
From: list-request at dshield.org [mailto:list-request at dshield.org] 
Sent: Tuesday, May 21, 2002 8:49 AM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #618 - 14 msgs

Send Dshield mailing list submissions to
	list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.dshield.org/mailman/listinfo/list
or, via email, send a message with subject or body 'help' to
	list-request at dshield.org

You can reach the person managing the list at
	list-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."


Today's Topics:

   1. Re: FW: Access Your PC from Anywhere - Download Now (John Hardin)
   2. It must be Monday. (Preston G. Simpson)
   3. Re: Interesting E-mail (John Hardin)
   4. Re: Interesting E-mail (Bruce Lilly)
   5. RE: It must be Monday. (Lane Weast)
   6. Re: It must be Monday. (Preston G. Simpson)
   7. port 1433 (Johannes Ullrich)
   8. Re: port 1433 (*Hobbit*)
   9. MSSQL Server Wanted (Johannes Ullrich)
  10. [LOGS] ACID Incident Report - port 1433 MS SQL Server (John Sage)
  11. Empty cubicals (Daniels566 at cs.com)
  12. Re: Re: It must be Monday. (Jan Wildeboer)
  13. Re: port 1433 (Ed Truitt)
  14. Re: port 1433 (Kelly Martin)

--__--__--

Message: 1
Subject: Re: [Dshield] FW: Access Your PC from Anywhere - Download Now
From: John Hardin <johnh at aproposretail.com>
To: DShield mailing list <list at dshield.org>
Date: 20 May 2002 08:58:25 -0700
Reply-To: list at dshield.org

On Sat, 2002-05-18 at 20:00, John Sage wrote:

> >   <http://img.expertcity.com/dtsimages/im/1x1.gif> 
> 
> heh..
> 
> Lately I've developed this *real* bad habit of taking a url like that,
> above, and sitting a wget -O /dev/null loop on it, and then just kinda
> forgetting about it for an hour...
> 
> ..or two.

Ooooo... Evil... I like it... the Distributed WebBug Insecticide
Network...

And I have a T1 to play with... {rubs hands gleefully}

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
 58 days until Apropos Forum 2002


--__--__--

Message: 2
Date: Mon, 20 May 2002 11:25:35 -0500
To: list at dshield.org
From: "Preston G. Simpson" <preston.simpson at sfrlaw.com>
Subject: [Dshield] It must be Monday.
Reply-To: list at dshield.org

	One of my users grabbed me about an hour ago and reported that his
machine was acting strangely. He was working in Word XP (OS is XP as
well), and random words were being typed in the document he'd been working
on. Salient points:
	1. The stuff being typed was actual words, not total gibberish.
	2. There was no sentence structure and no punctuation. Fragments of
sentences appeared from time to time, usually no more than two or three
words together.
	3. The behavior persisted even with no connection to the outside
world.
	4. Norton Antivirus (fully up to date) and Trend Micro's online virus
scan turned up nothing.
	5. The behavior stopped once the machine was restarted.

	The user did not report any unusual email or instant messenger
activity.
A friend asked him to go to a website that showed a cup of coffee and
started playing a song, but the user left that website. There were no
obviously out-of-place processes running (visible through the task
manager, that is), and the system seems to be fine now.
	Any ideas?

--Preston G. Simpson
  IS Services
  preston.simpson at sfrlaw.com


--__--__--

Message: 3
Subject: Re: [Dshield] Interesting E-mail
From: John Hardin <johnh at aproposretail.com>
To: DShield mailing list <list at dshield.org>
Date: 20 May 2002 09:27:12 -0700
Reply-To: list at dshield.org

On Sun, 2002-05-19 at 10:17, Daniels566 at cs.com wrote:
> Strange goings on all the time? Just got this today, never received the 
> original infected one. Thought I would pass it along for interesting
reading. 
> This site is supposed to be an undercover cloaked to educate people about 
> viruses.
> 
> http://www.sexyfun.net/
> 
> On the same hand they're saying the legitimate xxx site is not responsible.

The Hybris worm always forges a From: address of @sexyfun.net. A short
while after it appeared, some helpful people registered that domain name
to provide information about the worm and how to disinfect your system.
The website is legit.

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
 58 days until Apropos Forum 2002


--__--__--

Message: 4
Date: Mon, 20 May 2002 12:30:51 -0400
From: Bruce Lilly <blilly at erols.com>
Organization: Bruce Lilly
To: list at dshield.org
Subject: Re: [Dshield] Interesting E-mail
Reply-To: list at dshield.org


> Subject: [Dshield] Interesting E-mail
> Date: Sun, 19 May 2002 13:17:15 EDT
> From: Daniels566 at cs.com
[...]
> 
> Headers Follow:
> Received: from fif [216.41.226.71] by yismail.yourinter.net
> (SMTPD32-7.10) id AF04B66026E; Sat, 18 May 2002 18:00:36 -0400

The Received header(s) trace the path taken by the message.
In this case, it originated at IP address 216.41.226.71.  ARIN
reports the following information for that IP address:

Search results for: 216.41.226.71 


       Indiana Printing & Publishing (NETBLK-YOURINTERNET)
          1446 Philadephia Street
          Indiana PA 15701
          US

          Netname: YOURINTERNET
          Netblock: 216.41.224.0 - 216.41.239.255
          Maintainer: IPPC

          Coordinator:
             Krichbaum, Eric  (EK189-ARIN)  eric at telicsolutions.net
             304-296-8229

          Domain System inverse mapping provided by:

          NAMESERVER.YOURINTER.NET     141.158.74.2
          NAMESERVER.IOLINC.NET        206.150.195.6

          ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

          Record last updated on 12-Dec-2000.
          Database last updated on  19-May-2002 19:58:40 EDT.
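The Received-header walk described above, as an added example (not code from the thread): it reads the Received lines newest-first, extracts the claimed sender, the connecting IP and the receiving host from each, and returns both the bottom-most hop (the origin as read in the post) and the last hop recorded by an MTA we actually operate. RAW is constructed: its lower Received line copies the one quoted in the thread, while the upper hop (a hypothetical relay mx.example.net seeing 192.0.2.10) is an assumption added to show the trust boundary.

```python
"""Trace a message's Received: chain back to where it entered the mail path."""
import re
from email import message_from_string

# Constructed message. The lowest Received line is the one quoted in the thread;
# the hop above it (mx.example.net, 192.0.2.10) is hypothetical.
RAW = """\
Received: from yismail.yourinter.net ([192.0.2.10])
\tby mx.example.net with ESMTP id 123; Sat, 18 May 2002 18:01:02 -0400
Received: from fif [216.41.226.71] by yismail.yourinter.net
\t(SMTPD32-7.10) id AF04B66026E; Sat, 18 May 2002 18:00:36 -0400
From: Daniels566@cs.com
Subject: Interesting E-mail

(body)
"""

# claimed sender name, first IPv4 literal after it, and the host that wrote the line
HOP = re.compile(r'from\s+(\S+).*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?.*?\bby\s+(\S+)', re.S)


def parse(raw):
    return message_from_string(raw)


def hops(msg):
    """Received lines newest-first -> list of (claimed_name, ip, by_host)."""
    out = []
    for h in msg.get_all('Received') or []:
        m = HOP.search(' '.join(h.split()))  # unfold continuation lines
        if m:
            out.append(m.groups())
    return out


def origin_claimed(msg):
    """Bottom-most Received line: the earliest hop, as the thread reads it."""
    chain = hops(msg)
    return chain[-1][1] if chain else None


def last_verified_hop(msg, trusted_mtas):
    """IP of the host that handed the message to the last MTA we operate.

    Each Received line is written by its 'by' host. Walking down from the top,
    stop at the first line written by a host we do not run: that line and all
    lines below it are the sender side's claims and can be forged.
    """
    verified = None
    for _claimed, ip, by in hops(msg):
        if by not in trusted_mtas:
            break
        verified = ip
    return verified


if __name__ == '__main__':
    msg = parse(RAW)
    for claimed, ip, by in hops(msg):
        print(f'{by:24} got it from {ip:16} (claims to be {claimed})')
    print('earliest hop as claimed:', origin_claimed(msg))
    print('last hop we can vouch for:', last_verified_hop(msg, {'mx.example.net'}))
```

The address to feed into ARIN is the one the last trusted MTA saw; anything below that line is evidence only to the extent that the intermediate relay (here yismail.yourinter.net) is honest and unforged.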


--__--__--

Message: 5
From: Lane Weast <lweast at leeclerk.org>
To: "'list at dshield.org'" <list at dshield.org>
Subject: RE: [Dshield] It must be Monday.
Date: Mon, 20 May 2002 13:27:45 -0400
Reply-To: list at dshield.org

Check for voice recognition software that might be turned on.
Some packages use a dictionary system to get a close match to the word you
are trying to say. If the Mic is not plugged in while the VR software is
running the pc may adjust the mic sensitivity and try to interpret any random
electrical noise on the mic line. This situation could produce what you
describe.





--__--__--

Message: 6
Date: Mon, 20 May 2002 14:52:30 -0500
To: list at dshield.org
From: "Preston G. Simpson" <preston.simpson at sfrlaw.com>
Subject: [Dshield] Re: It must be Monday.
Reply-To: list at dshield.org

	As several of you were kind enough to point out, the voice recognition
software was the culprit. Thanks.

--Preston G. Simpson
  IS Services
  preston.simpson at sfrlaw.com


--__--__--

Message: 7
Date: Mon, 20 May 2002 21:58:24 -0400
From: Johannes Ullrich <jullrich at sans.org>
To: list at dshield.org
Organization: Euclidian Consulting
Subject: [Dshield] port 1433
Reply-To: list at dshield.org

Just a quick heads up to the list that I think something
is brewing with port 1433 (mssql). More later...

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
join http://www.dshield.org


--__--__--

Message: 8
To: list at dshield.org
Subject: Re: [Dshield] port 1433
Date: Mon, 20 May 2002 20:44:39 +0000 (GMT)
From: hobbit at avian.org (*Hobbit*)
Reply-To: list at dshield.org

I was gonna mention this myself earlier today, but then went grubbin' around
on securityfocus and a couple of other places and found that the tcp 1433
activity is a known SQL attack -- something to do with lame default "sa"
passwords and shoving data through to xp_cmdshell.  So I figured everyone
already knew about it.  Maybe not.  Well, that's what it is.  If you hang
a SQL server out on your exterior, or know someone who does, line up for
your honorary dope-slap.

Why did I go lookin'?  It's been pounding hard on the front gates *all* day.
Definitely something brewing, but mostly from innocent third-party machines
that have already been knocked over.  *sigh*

The funniest one I chased was the Exchange server at some podunk law firm
whose ONE IT guy is on vacay.  He could hardly hear me reading off the IP
address to him because his shrieking 3-year-old was bouncing all over
the hotel room..

_H*


--__--__--

Message: 9
Date: Mon, 20 May 2002 23:02:23 -0400
From: Johannes Ullrich <jullrich at sans.org>
To: list at dshield.org
Organization: Euclidian Consulting
Subject: [Dshield] MSSQL Server Wanted
Reply-To: list at dshield.org


Does anyone here have a 'sacrificial' MSSQL server around that
they would be willing to volunteer to bounce some packets to?

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
join http://www.dshield.org


--__--__--

Message: 10
Date: Mon, 20 May 2002 22:00:01 -0700
From: John Sage <jsage at finchhaven.com>
To: intrusions at incidents.org
Cc: list at dshield.org
Subject: [Dshield] [LOGS] ACID Incident Report - port 1433 MS SQL Server
Reply-To: list at dshield.org

----- Forwarded message from ACID Alert <acid at finchhaven.com> -----

Date: Mon, 20 May 2002 21:30:04 -0700
Subject: ACID Incident Report
From: ACID Alert <acid at finchhaven.com>

Generated by ACID v0.9.6b21 on Mon May 20, 2002 21:30:04

------------------------------------------------------------------------------
#(132 - 31) [2002-05-20 13:49:11]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=42867 flags=0 offset=0 TTL=46 chksum=49964
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 32) [2002-05-20 13:49:15]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43033 flags=0 offset=0 TTL=46 chksum=49798
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 33) [2002-05-20 13:49:21]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43302 flags=0 offset=0 TTL=46 chksum=49529
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - WS len=3 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=10 data=0000000000000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - SACKOK len=0
Payload: none


[toot at sparky /]# lynx -head http://202.119.134.13/

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://202.119.134.13/login.htm
Date: Tue, 21 May 2002 04:52:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 08 May 2002 09:31:00 GMT
ETag: "0e2671073f6c11:8b0"
Content-Length: 3024


------------------------------------------------------------------------------
#(132 - 38) [2002-05-20 15:14:35]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42743 flags=0 offset=0 TTL=110 chksum=64633
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 39) [2002-05-20 15:14:39]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42848 flags=0 offset=0 TTL=110 chksum=64528
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(132 - 40) [2002-05-20 15:14:45]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=43133 flags=0 offset=0 TTL=110 chksum=64243
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none


[toot at sparky /]# lynx -head http://211.202.3.249/

Looking up 211.202.3.249
Making HTTP connection to 211.202.3.249
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://211.202.3.249/


----- End forwarded message -----


- John
-- 
It's very possible to know lots about computers,
and know nothing about Window$

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
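An added example (not part of John's report) that runs detection logic over the ACID records above: it parses the alert text, groups the SYNs to 1433 by source, and checks whether each source repeats the same source port and sequence number. Repeats with a few seconds between them are one connection's SYN being retransmitted by a real TCP stack, which separates a genuine connect attempt from a spoofed or stateless scan; the TTL and window values are kept as rough stack hints. SAMPLE is a trimmed copy of the six records in the report (option lines dropped; the parser ignores lines it does not recognise), and the initial-TTL table is an assumption.

```python
"""Summarise ACID/Snort alert records for SYNs to TCP 1433, per source host."""
import re
from collections import defaultdict
from datetime import datetime

# Trimmed copy of the six records in the forwarded ACID report.
SAMPLE = """\
#(132 - 31) [2002-05-20 13:49:11]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=42867 flags=0 offset=0 TTL=46 chksum=49964
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
Payload: none
#(132 - 32) [2002-05-20 13:49:15]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43033 flags=0 offset=0 TTL=46 chksum=49798
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
#(132 - 33) [2002-05-20 13:49:21]  TCP to 1433 MS SQL server
IPv4: 202.119.134.13 -> 12.82.133.65
      hlen=5 TOS=0 dlen=64 ID=43302 flags=0 offset=0 TTL=46 chksum=49529
TCP:  port=3656 -> dport: 1433  flags=******S* seq=4294341037
      ack=0 off=11 res=0 win=8192 urp=0 chksum=44643
#(132 - 38) [2002-05-20 15:14:35]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42743 flags=0 offset=0 TTL=110 chksum=64633
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
#(132 - 39) [2002-05-20 15:14:39]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=42848 flags=0 offset=0 TTL=110 chksum=64528
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
#(132 - 40) [2002-05-20 15:14:45]  TCP to 1433 MS SQL server
IPv4: 211.202.3.249 -> 12.82.133.65
      hlen=5 TOS=0 dlen=48 ID=43133 flags=0 offset=0 TTL=110 chksum=64243
TCP:  port=2986 -> dport: 1433  flags=******S* seq=3611249093
      ack=0 off=7 res=0 win=16384 urp=0 chksum=42880
"""

HDR = re.compile(r'^#\((\d+) - (\d+)\) \[([\d-]+ [\d:]+)\]')
IP4 = re.compile(r'^IPv4: (\S+) -> (\S+)')
TTL = re.compile(r'TTL=(\d+)')
TCP = re.compile(r'port=(\d+) -> dport: (\d+)\s+flags=(\S+) seq=(\d+)')
WIN = re.compile(r'win=(\d+)')


def parse_acid(text):
    """One dict per '#(sid - cid)' record; unrecognised lines are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {'sid': int(m.group(1)), 'cid': int(m.group(2)),
                   'ts': datetime.strptime(m.group(3), '%Y-%m-%d %H:%M:%S')}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := IP4.match(line)):
            cur['src'], cur['dst'] = m.groups()
        elif (m := TTL.search(line)):
            cur['ttl'] = int(m.group(1))
        elif (m := TCP.search(line)):
            cur['sport'], cur['dport'] = int(m.group(1)), int(m.group(2))
            cur['flags'], cur['seq'] = m.group(3), int(m.group(4))
        elif (m := WIN.search(line)):
            cur['win'] = int(m.group(1))
    return records


def guess_initial_ttl(ttl):
    """Assumed table of common initial TTLs; pick the smallest not below the observed one."""
    return next(t for t in (64, 128, 255) if ttl <= t)


def summarise(records, dport=1433):
    """Per source: SYN count, retransmission evidence, spacing, TTL/window hints."""
    by_src = defaultdict(list)
    for r in records:
        if r.get('dport') == dport and 'S' in r.get('flags', ''):
            by_src[r['src']].append(r)
    out = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r['ts'])
        conns = {(r['sport'], r['seq']) for r in rs}
        gaps = [int((b['ts'] - a['ts']).total_seconds()) for a, b in zip(rs, rs[1:])]
        init = guess_initial_ttl(rs[0]['ttl'])
        out[src] = {
            'syns': len(rs),
            'distinct_connections': len(conns),
            # same source port and ISN repeated = the kernel retransmitting one SYN,
            # i.e. a real stack waiting for an answer, not a spoofed/stateless scan
            'retransmitted': len(rs) > 1 and len(conns) == 1,
            'gaps_s': gaps,
            'ttl': rs[0]['ttl'], 'initial_ttl_guess': init, 'hops_guess': init - rs[0]['ttl'],
            'win': rs[0].get('win'),
        }
    return out


if __name__ == '__main__':
    for src, s in summarise(parse_acid(SAMPLE)).items():
        print(src, s)
```

Both sources in the report show one connection retransmitted three times, which is what a host that really wants to talk to the service looks like; the TTL and window pair (46/8192 with timestamps versus 110/16384 without) suggests two different stacks, consistent with infected third-party machines rather than one scanner. Treat the TTL-based hop count as a hint only, since the initial-TTL table is a guess.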


--__--__--

Message: 11
From: Daniels566 at cs.com
Date: Tue, 21 May 2002 01:19:44 EDT
To: list at dshield.org
Subject: [Dshield] Empty cubicals
Reply-To: list at dshield.org

Sorry if this is a bit off topic just tying a knot in the string. Must be my
week to get spam slammed. Just got this in tonight. Thinking on canceling my
subscription to Tech Republic. Actually earlier on I was thinking about it but
after some research dropped the notion. Something about palm remotes can be
logged and fingerprinted.
Anyway I remember the garage door capers in years back and this is not for
me.
John Daniels

Subj:    Access Your PC from Anywhere - Download Now
Date:   5/20/02 11:06:34 PM Eastern Daylight Time
From:   delivers at members.techrepublic.com
To:     daniels566 at cs.com
Received from Internet: click here for more information

    A special offer for TechRepublic Members Only.
>
> If you prefer not to receive special offers from TechRepublic, please click
> below:
> www.techrepublic.com/myaccount/TechListGen_unsub.html?name=daniels566 at cs.com
>
> You are currently on our mailing list as [daniels566 at cs.com].
>
>   Access Your PC from Anywhere - Free Download

*** Please forward this info to people who need to access their computer away
from the office. ***

Introducing a new technology that ZDNet calls "a revelation" and "a
remarkably simple and effective Web service that lets you log into your home
(or work) PC from another machine anywhere on the Internet."

Try GoToMyPC free (http://members.techrepublic.com/cgi-bin9/flo?y=hJCh0EuOmy0EX20BKe80AC)
and see why it's the ZDNet and CNET editors' choice pick
for anytime, anywhere remote access.

    •       SECURE: 128-bit encryption, multiple passwords and screen and
keyboard locking ensure maximum privacy and security.

 NOTE:  (this must mean many of you people)

•    REMOTE SERVER ADMINISTRATION: GoToMyPC pays for itself quickly by
increasing System Administrator productivity by enabling remote Windows
server administration.

•    EASY SETUP: The 2-minute Web-based installation and easy-to-use
interface saves you training time and hassles. No maintenance required.

    Never be without a forgotten file again.

    TechRepublic Users:
Download Your Free Trial Now!


--__--__--

Message: 12
Date: Tue, 21 May 2002 09:54:32 +0200
From: Jan Wildeboer <jan.wildeboer at gmx.de>
To: list at dshield.org
Subject: Re: [Dshield] Re: It must be Monday.
Reply-To: list at dshield.org

Preston G. Simpson wrote:
> 	As several of you were kind enough to point out, the voice recognition
> software was the culprit. Thanks.

Since you also stated the person in charge took a look at a site with a 
cup of coffee, I am wondering if this behaviour is related to the fact 
that the new flash-player will turn on microphones and cameras if found?

Jan Wildeboer


--__--__--

Message: 13
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: <list at dshield.org>
Subject: Re: [Dshield] port 1433
Date: Tue, 21 May 2002 06:08:20 -0500
Reply-To: list at dshield.org

Yeah.  Just looking at my tarpit, I have more MSSQLs caught than HTTPs!  In
fact, I have been hit with over 19,000 probes in the last 24 hours.
Something interesting about this activity:  I have 9 IPs set up in LaBrea,
and the SQL attacks tend to hit all of them in parallel, whereas Nimda/CR
often (not always) only gets stuck on one IP (I did have one Nimda-zombie,
though, whose thread-count rivalled that of fine bedsheets.).  In some
cases, this thing hits each IP with two attack threads.

I don't have a SQL server to sacrifice (yet), but is there some way I can
combine LaBrea and Snort to get additional data (I presume you want actual
packet capture, to look at the payload and ID the attack)?

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."



--__--__--

Message: 14
From: "Kelly Martin" <kmartin at pyrzqxgl.org>
To: <list at dshield.org>
Subject: Re: [Dshield] port 1433
Date: Tue, 21 May 2002 07:30:00 -0500
Reply-To: list at dshield.org

I just checked my portscan detector log, and I've also seen several port
1433 scans:

Sun Mar 31 03:31:03 2002 scanning complete from 80.13.236.97, 2 hits in 0
seconds (1 hosts, 2 ports [TCP:21,TCP:1433])
Tue Apr 30 12:28:31 2002 scanning complete from 200.207.168.18, 506 hits in
11 seconds (503 hosts, 2 ports [TCP:1433,ICMP:8:0])
Mon May 20 12:35:56 2002 scanning complete from 209.240.253.29, 1700 hits in
41 seconds (507 hosts, 1 ports [TCP:1433])
Mon May 20 14:48:09 2002 scanning complete from 64.24.106.253, 1534 hits in
39 seconds (502 hosts, 1 ports [TCP:1433])
Tue May 21 03:24:37 2002 scanning complete from 210.117.63.55, 1250 hits in
37 seconds (477 hosts, 1 ports [TCP:1433])
Tue May 21 05:12:06 2002 scanning complete from 12.228.25.1, 1277 hits in 40
seconds (494 hosts, 1 ports [TCP:1433])
Tue May 21 06:18:06 2002 scanning complete from 193.12.129.80, 1414 hits in
40 seconds (486 hosts, 1 ports [TCP:1433])

I would guess that there's a new tool entering circulation.  The April 30
scan is obviously a different tool.

Kelly

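An added example (not from Kelly's post) that turns the portscan-detector lines above into the "same tool or different tool" call the post makes by eye: each line is parsed into source, hit count, duration, host count and port set, sweeps are separated from single-host probes, and sweeps are grouped by a fingerprint of port set plus probes-per-host. SAMPLE copies the seven log lines from the post, unwrapped to one line each; the sweep threshold and the fingerprint choice are assumptions.

```python
"""Classify port-scan detector summaries and group sweeps that look like one tool."""
import re
from datetime import datetime

# The seven lines from the post, one per line.
SAMPLE = """\
Sun Mar 31 03:31:03 2002 scanning complete from 80.13.236.97, 2 hits in 0 seconds (1 hosts, 2 ports [TCP:21,TCP:1433])
Tue Apr 30 12:28:31 2002 scanning complete from 200.207.168.18, 506 hits in 11 seconds (503 hosts, 2 ports [TCP:1433,ICMP:8:0])
Mon May 20 12:35:56 2002 scanning complete from 209.240.253.29, 1700 hits in 41 seconds (507 hosts, 1 ports [TCP:1433])
Mon May 20 14:48:09 2002 scanning complete from 64.24.106.253, 1534 hits in 39 seconds (502 hosts, 1 ports [TCP:1433])
Tue May 21 03:24:37 2002 scanning complete from 210.117.63.55, 1250 hits in 37 seconds (477 hosts, 1 ports [TCP:1433])
Tue May 21 05:12:06 2002 scanning complete from 12.228.25.1, 1277 hits in 40 seconds (494 hosts, 1 ports [TCP:1433])
Tue May 21 06:18:06 2002 scanning complete from 193.12.129.80, 1414 hits in 40 seconds (486 hosts, 1 ports [TCP:1433])
"""

LINE = re.compile(r'^(\w{3} \w{3} +\d+ [\d:]+ \d{4}) scanning complete from (\S+), '
                  r'(\d+) hits in (\d+) seconds \((\d+) hosts, \d+ ports \[([^\]]+)\]\)')


def parse(text):
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, hits, secs, hosts, ports = m.groups()
        out.append({'ts': datetime.strptime(ts, '%a %b %d %H:%M:%S %Y'), 'src': src,
                    'hits': int(hits), 'secs': int(secs), 'hosts': int(hosts),
                    'ports': tuple(ports.split(','))})
    return out


def sweeps(records, min_hosts=100):
    """Assumed threshold: a scan touching at least min_hosts addresses is a sweep."""
    return [r for r in records if r['hosts'] >= min_hosts]


def fingerprint(r):
    """Port set plus rounded probes-per-host; two scans with the same tuple
    are likely the same tool, since both are fixed by the tool, not the target."""
    return (r['ports'], round(r['hits'] / r['hosts']))


def cluster(records):
    """Group records by fingerprint with sources, time span and mean sweep rate."""
    groups = {}
    for r in records:
        g = groups.setdefault(fingerprint(r), {'sources': [], 'first': r['ts'],
                                               'last': r['ts'], 'rates': []})
        g['sources'].append(r['src'])
        g['first'], g['last'] = min(g['first'], r['ts']), max(g['last'], r['ts'])
        g['rates'].append(r['hosts'] / max(r['secs'], 1))  # guard the 0-second case
    for g in groups.values():
        g['mean_hosts_per_s'] = round(sum(g['rates']) / len(g['rates']), 1)
    return groups


if __name__ == '__main__':
    for fp, g in cluster(sweeps(parse(SAMPLE))).items():
        print(f"{fp}: {len(g['sources'])} source(s), {g['first']} .. {g['last']}, "
              f"~{g['mean_hosts_per_s']} hosts/s")
```

On the post's data the five May scans fall into one group (TCP:1433 only, about three probes per host, around 12-13 hosts per second from five unrelated netblocks), while the April scan lands in its own group (1433 plus ICMP echo, one probe per host, four times the rate). Three probes per host is also what the retransmitted SYNs in the ACID report earlier in this digest show per target, so the two data sets are consistent with one new tool on many compromised hosts.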



--__--__--

_______________________________________________
Dshield mailing list
Dshield at dshield.org
http://www.dshield.org/mailman/listinfo/list


End of Dshield Digest