[Dshield] port 1433 -- yet more additional information (
Erik J. Varney
erik at centralsecurity.net
Tue May 21 19:04:27 GMT 2002
We're tracking two distinctly different attacks ongoing since yesterday
against TCP 1433 (SQL).
The first sends 52 bytes (seemingly a SQL ping) followed by a 210-byte
packet (apparently an SA login with blank password and some scripting
The second sends a 583-byte packet alone, also logging in as SA with a
Beyond that, I haven't seen a compromised machine yet so I can't confirm
other reports about what it does (Trend, Dshield, and SANS are all
claiming various things this "worm" does).
Conflicting reports may be explained by our contention it is definitely
two different worms propagating.
If you have a compromised machine, one which is actually making outbound
connection attempts on 1433 to unknown machine addresses, please drop me
More as it comes.
1. Make sure you block Internet access to TCP 1433
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
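The two traffic patterns described in the post, turned into a small detector as an added example (this is not code from the original message or from any of the listed organizations). It classifies inbound TCP/1433 sessions by the sequence of client payload sizes (52 then 210, or a lone 583) and flags local hosts making outbound 1433 connection attempts to many distinct addresses, which is the compromise symptom the post asks people to report. The record format, the sample records and the assumption that the quoted byte counts are application payload sizes (the post does not say whether headers are included) are all mine.

```python
"""Detector for the two TCP/1433 attack patterns described in the post.

Assumptions (not stated in the original message):
  * each record is a dict: src, dst, dport, direction ("in"/"out"),
    payloads = list of client-to-server application payload sizes, in order
  * 52/210/583 are application payload sizes, not frame sizes; if your
    capture tool reports frame sizes, adjust the constants accordingly.
"""
from collections import defaultdict

SQL_PORT = 1433
PATTERN_A = (52, 210)   # "SQL ping" followed by SA login attempt
PATTERN_B = (583,)      # single-packet SA login attempt


def classify_session(payload_sizes):
    """Return 'pattern-A', 'pattern-B' or None for one client session."""
    sizes = tuple(payload_sizes)
    if sizes[:2] == PATTERN_A:
        return "pattern-A"
    if sizes[:1] == PATTERN_B:
        return "pattern-B"
    return None


def find_inbound_attacks(records):
    """List (source, pattern) for inbound 1433 sessions matching either pattern."""
    hits = []
    for r in records:
        if r["dport"] != SQL_PORT or r["direction"] != "in":
            continue
        label = classify_session(r["payloads"])
        if label is not None:
            hits.append((r["src"], label))
    return hits


def find_outbound_scanners(records, threshold=5):
    """Local hosts attempting outbound 1433 connections to >= threshold distinct targets."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == SQL_PORT and r["direction"] == "out":
            targets[r["src"]].add(r["dst"])
    return {host: len(t) for host, t in targets.items() if len(t) >= threshold}


# Constructed sample records (TEST-NET / RFC 1918 addresses, not real traffic).
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "dst": "10.0.0.10", "dport": 1433, "direction": "in",
     "payloads": [52, 210, 40]},                      # pattern A
    {"src": "198.51.100.9", "dst": "10.0.0.10", "dport": 1433, "direction": "in",
     "payloads": [583]},                               # pattern B
    {"src": "192.0.2.33", "dst": "10.0.0.10", "dport": 1433, "direction": "in",
     "payloads": [42, 120, 300]},                      # ordinary client login
    {"src": "192.0.2.34", "dst": "10.0.0.10", "dport": 80, "direction": "in",
     "payloads": [52, 210]},                           # same sizes, wrong port
]
# One infected host probing six distinct addresses, one host with a single
# legitimate outbound connection.
SAMPLE_RECORDS += [
    {"src": "10.0.0.5", "dst": "203.0.113.%d" % i, "dport": 1433,
     "direction": "out", "payloads": [52]} for i in range(1, 7)
]
SAMPLE_RECORDS.append(
    {"src": "10.0.0.6", "dst": "10.0.0.10", "dport": 1433, "direction": "out",
     "payloads": [42, 120]}
)

if __name__ == "__main__":
    for src, label in find_inbound_attacks(SAMPLE_RECORDS):
        print("inbound attack from %s: %s" % (src, label))
    for host, n in find_outbound_scanners(SAMPLE_RECORDS).items():
        print("possible compromised host %s: %d distinct 1433 targets" % (host, n))
```

Payload-size matching is a weak fingerprint on its own (any client whose first packets happen to be those sizes will match), so treat the inbound hits as a triage list; the outbound check is the stronger signal, since a database server normally has no reason to open 1433 connections to many unknown addresses.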