scanning for ms sql systems
r.fulton at auckland.ac.nz
Tue Jan 28 09:43:31 GMT 2003
I first scanned out network (using nmap) for udp 1434 and found it very
unreliable, both false +ves and -ves. I then fell back to tcp 1433.
Does anyone know if this is sufficient to detect a potentially
vulnerable system -- ie one running either MS SQL of MSDE.
After identifying some machines that responded on tcp 1433 the admin ran
the eEye scanner against them and it said that two out of the eight did
not have any services on udp 1434.
I have seen other reports that the eEye scanner has a very aggressive
timeout and gives different results each time it is run.
Any other experiences?
BTW we lost 6 systems to the worm, these were concentrated in two
buildings and the switches in these buildings were disabled by the
traffic but with different symptoms which confused the network techies
who thought they were dealing with two separate problems.
Once they realized they were dealing with a worm the made progress and
we had all systems isolated in the small hours of Sunday morning (local
time -- about 6 hours after the worm struck).
Ironically, after the original announcement of the vulnerability we
blocked TCP 1433, but no one here realized that it could be exploited
via UDP as well. Sigh...
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
More information about the unisog