[Dshield] Re: SQL Port 1433

Matthew Palmer dshield at tinfoil.demon.co.uk
Tue May 21 22:35:14 GMT 2002


Hello List,

Out of interest I grep'd my log files for DPT=1433 and it turfed up this:

May 12 02:42:38 IN=ppp0 SRC=216.3.219.43 DST=62.3.64.X LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=8356 DF PROTO=TCP SPT=2779 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
         (**This host had one more entry 3 seconds after this one**)

May 19 10:54:20 IN=ppp0 SRC=63.88.172.66 DST=62.3.64.X LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=13095 DF PROTO=TCP SPT=80 DPT=1433 WINDOW=0 RES=0x00 RST URGP=0
         (**Note different source port + Reset and not SYN**)

May 21 15:58:55 IN=ppp0 SRC=213.25.59.108 DST=62.3.64.X LEN=44 TOS=0x00 PREC=0x00 TTL=106 ID=40170 DF PROTO=TCP SPT=1634 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B4)
         (**This host had two more entries within 9 seconds of this one**)

May 21 20:43:01 IN=ppp0 SRC=211.238.90.90 DST=62.3.64.X LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=35417 DF PROTO=TCP SPT=1958 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
         (**This host had two more entries within 10 seconds of this one**)



Hope that didn't get too mangled.  The reason I posted is because the entry 
for May 12th is very similar to the second host on May 21st but the host for 
the 19th and the first host on the 21st have different characteristics.

Regards
Matthew Palmer.
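
Added example, not part of the original post: a short Python script that groups the four quoted entries by TCP flags, packet length, window size and decoded TCP options, so the similarity the post points out shows up as a shared signature. It assumes the lines are Linux netfilter LOG output with TCP options logged; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the four entries quoted in the post, one per line.
LOG = """\
May 12 02:42:38 IN=ppp0 SRC=216.3.219.43 DST=62.3.64.X LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=8356 DF PROTO=TCP SPT=2779 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
May 19 10:54:20 IN=ppp0 SRC=63.88.172.66 DST=62.3.64.X LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=13095 DF PROTO=TCP SPT=80 DPT=1433 WINDOW=0 RES=0x00 RST URGP=0
May 21 15:58:55 IN=ppp0 SRC=213.25.59.108 DST=62.3.64.X LEN=44 TOS=0x00 PREC=0x00 TTL=106 ID=40170 DF PROTO=TCP SPT=1634 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B4)
May 21 20:43:01 IN=ppp0 SRC=211.238.90.90 DST=62.3.64.X LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=35417 DF PROTO=TCP SPT=1958 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
"""

FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")   # bare tokens; URGP=0 is not a flag
OPT_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_OK", 8: "TS"}

def decode_tcp_options(hexstr):
    """Decode the raw TCP option bytes from an OPT (...) field into names."""
    data, out, i = bytes.fromhex(hexstr), [], 0
    while i < len(data) and data[i] != 0:        # kind 0 (EOL) ends the list
        kind = data[i]
        if kind == 1:                            # NOP: single padding byte
            out.append("NOP")
            i += 1
            continue
        if i + 1 >= len(data) or not 2 <= data[i + 1] <= len(data) - i:
            out.append("MALFORMED")              # length byte missing or out of range
            break
        value = data[i + 2:i + data[i + 1]]
        out.append(OPT_NAMES.get(kind, f"KIND{kind}") + (f"={int.from_bytes(value, 'big')}" if value else ""))
        i += data[i + 1]
    return tuple(out)

def parse(line):
    """Return (source address, signature) for one log line."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    flags = tuple(f for f in FLAGS if f in line.split())
    options = decode_tcp_options(opt.group(1)) if opt else ()
    return kv["SRC"], (flags, int(kv["LEN"]), int(kv["WINDOW"]), options)

def group_by_signature(text):
    """Map each (flags, length, window, options) signature to its source addresses."""
    groups = defaultdict(list)
    for line in text.strip().splitlines():
        src, sig = parse(line)
        groups[sig].append(src)
    return dict(groups)

if __name__ == "__main__":
    for sig, srcs in group_by_signature(LOG).items():
        print(sig, srcs)
```

The May 12 host and the second May 21 host fall into one group (SYN, 48 bytes, window 16384, MSS 1460 plus SACK permitted), while the RST from source port 80 and the 44-byte SYN with only an MSS option each stand alone.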