[Dshield] Re: SQL Port 1433
dshield at tinfoil.demon.co.uk
Tue May 21 22:35:14 GMT 2002
Out of interest I grep'd my log files for DPT=1433 and it turfed up this:
May 12 02:42:38 IN=ppp0 SRC=22.214.171.124 DST=62.3.64.X LEN=48 TOS=0x00
TTL=109 ID=8356 DF PROTO=TCP SPT=2779 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
(**This host had one more entry 3 seconds after this one**)
May 19 10:54:20 IN=ppp0 SRC=126.96.36.199 DST=62.3.64.X LEN=40 TOS=0x00
TTL=110 ID=13095 DF PROTO=TCP SPT=80 DPT=1433 WINDOW=0 RES=0x00 RST URGP=0
(**Note different source port + Reset and not SYN**)
May 21 15:58:55 IN=ppp0 SRC=188.8.131.52 DST=62.3.64.X LEN=44 TOS=0x00
TTL=106 ID=40170 DF PROTO=TCP SPT=1634 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
(**This host had two more entries within 9 seconds of this one**)
May 21 20:43:01 IN=ppp0 SRC=184.108.40.206 DST=62.3.64.X LEN=48 TOS=0x00
TTL=107 ID=35417 DF PROTO=TCP SPT=1958 DPT=1433 WINDOW=16384 RES=0x00 SYN
(** This host had two more entries within 10 seconds of this one**)
Hope that didn't get too mangled. The reason I posted is because the entry
for May 12th is very similar to the second host on May 21st, but the host for
the 19th and the first host on the 21st have different characteristics.
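The comparison made in the message above, as an added example that is not part of the original post: a small Python parser that groups the DPT=1433 entries by TCP flags, LEN and WINDOW. The function names and the choice of those three fields as a fingerprint are assumptions made for this example; the log lines are the four quoted in the post, rejoined onto one line each.

```python
from collections import defaultdict

# The four entries quoted in the post, rejoined onto one line each
# (addresses exactly as they appear in the post).
SAMPLE_LOG = """\
May 12 02:42:38 IN=ppp0 SRC=22.214.171.124 DST=62.3.64.X LEN=48 TOS=0x00 TTL=109 ID=8356 DF PROTO=TCP SPT=2779 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
May 19 10:54:20 IN=ppp0 SRC=126.96.36.199 DST=62.3.64.X LEN=40 TOS=0x00 TTL=110 ID=13095 DF PROTO=TCP SPT=80 DPT=1433 WINDOW=0 RES=0x00 RST URGP=0
May 21 15:58:55 IN=ppp0 SRC=188.8.131.52 DST=62.3.64.X LEN=44 TOS=0x00 TTL=106 ID=40170 DF PROTO=TCP SPT=1634 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
May 21 20:43:01 IN=ppp0 SRC=184.108.40.206 DST=62.3.64.X LEN=48 TOS=0x00 TTL=107 ID=35417 DF PROTO=TCP SPT=1958 DPT=1433 WINDOW=16384 RES=0x00 SYN
"""

# The netfilter LOG target prints TCP flags as bare tokens (no "=").
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line):
    """Split one LOG line into key=value fields plus a tuple of TCP flags."""
    tokens = line.split()
    fields = {"when": " ".join(tokens[:3])}  # syslog timestamp
    flags = []
    for tok in tokens[3:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.append(tok)
    fields["flags"] = tuple(flags)
    return fields


def fingerprint(pkt):
    """Header traits compared here: TCP flags, IP length, TCP window."""
    # -1 marks a field missing from a truncated line.
    return (pkt["flags"], int(pkt.get("LEN", -1)), int(pkt.get("WINDOW", -1)))


def group_by_fingerprint(text, dport="1433"):
    """Group TCP packets to dport by fingerprint, keeping the parsed entries."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt.get("PROTO") == "TCP" and pkt.get("DPT") == dport:
            groups[fingerprint(pkt)].append(pkt)
    return dict(groups)


if __name__ == "__main__":
    for fp, pkts in group_by_fingerprint(SAMPLE_LOG).items():
        print(fp, [(p["when"], p["SRC"], p["SPT"], p["TTL"]) for p in pkts])
```
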