[Dshield] RE: Dshield digest, Vol 1 #620 - 1 msg

Johnson, April apjohnson at seattleschools.org
Tue May 21 16:36:35 GMT 2002

I'm seeing a few thousand SQL hits (inbound tcp port 1433) on my firewall.
I have the ability to drop a sniffer in-line and grab most of the packets...
who would be interested in the captures?  Sadly I don't have the time to
reverse engineer them myself.

-April Johnson  (CCNP, MCSE)
apjohnson at seattleschools.org

-----Original Message-----
From: list-request at dshield.org [mailto:list-request at dshield.org]
Sent: Tuesday, May 21, 2002 9:02 AM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #620 - 1 msg

Today's Topics:

   1. RE: (Dshield) port 1433 -- additional information (Toney, Mark)


Message: 1
From: "Toney, Mark" <mtoney at sodexhoUSA.com>
To: jullrich at sans.org, list at dshield.org
Date: Tue, 21 May 2002 10:52:00 -0400
Subject: [Dshield] RE: (Dshield) port 1433 -- additional information
Reply-To: list at dshield.org

     Additional info from incidents.org
     "MSSQL Worm (sqlsnake) on the rise
     Starting yesterday, the Internet Storm Center detected a sudden
     increase in hosts scanning for port 1433, which is commonly used 
     by Microsoft's SQL Server. A number of exploits are known for 
     this service. It is also known that many administrators do not 
     set a password for the 'SA' account. This administrator account 
     can be used to log on to the SQL server, execute arbitrary SQL 
     commands. Using these commands, the user can read and write 
     files, as well as execute code.
     While we are still collecting all the pieces, some exploit code 
     has been captured indicating that this is a self propagating 
     Aside from a number of other functions, the worm will email a 
     password list to ixltd at postone.com. As of this morning, the quota 
     of this account is exceeded."
     ______________________________ Reply Separator 
     Subject: (Dshield) port 1433
     Author:  "Johannes Ullrich" <SMTP:jullrich at sans.org> at BUFFALO 
     Date:    5/20/2002 9:58 PM
     Just a quick heads up to the list that I think something is 
     brewing with port 1433 (mssql). More later...
     jullrich at sans.org             Collaborative Intrusion Detection 
     join http://www.dshield.org
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: 



End of Dshield Digest
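
Added example, not part of the original thread: one way to triage the kind of inbound tcp/1433 firewall hits described above, by counting hits per source and flagging sources that probe several distinct hosts. The log line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (the format is an assumption, not from the thread):
# timestamp action proto src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
2002-05-21T16:01:02Z DROP TCP 203.0.113.5:4312 -> 10.0.0.12:1433
2002-05-21T16:01:02Z DROP TCP 203.0.113.5:4313 -> 10.0.0.13:1433
2002-05-21T16:01:03Z DROP TCP 203.0.113.5:4314 -> 10.0.0.14:1433
2002-05-21T16:01:09Z DROP TCP 198.51.100.7:1055 -> 10.0.0.12:1433
2002-05-21T16:02:11Z ACCEPT TCP 192.0.2.44:3301 -> 10.0.0.20:80
2002-05-21T16:02:15Z DROP TCP 198.51.100.7:1056 -> 10.0.0.12:1433
2002-05-21T16:03:40Z DROP UDP 203.0.113.5:4400 -> 10.0.0.12:1434
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize_mssql_hits(log_text, port=1433):
    """Per-source summary of TCP hits on `port`: hit count and distinct targets."""
    hits = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() != "TCP" or int(m["dport"]) != port:
            continue  # skip malformed lines and unrelated traffic
        entry = hits[m["src"]]
        entry["hits"] += 1
        entry["targets"].add(m["dst"])
    return dict(hits)

def likely_scanners(summary, min_targets=3):
    """Sources probing many distinct hosts look like sweeps, not a stray client."""
    return sorted(s for s, e in summary.items() if len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    summary = summarize_mssql_hits(SAMPLE_LOG)
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:15} hits={e['hits']:3} distinct_targets={len(e['targets'])}")
    print("likely scanners:", likely_scanners(summary))
```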