[unisog] 1433 scan increase

Tim Gurganus tsgurgan at eos.ncsu.edu
Thu Dec 30 03:10:48 GMT 2004


I noticed it around Christmas here at NCSU as well.  I tracked down one machine at 207.224.162.67 
and it was running a dictionary attack tool called 'sqlck.exe'.  The password file had about 60000 
words.  User names were:

administrator
admin
guest
user
webmaster
TsInternetUser
sa
sql
database
server
root
db

The machine was scanning large blocks of addresses (64.x.y.z - 69.a.b.c) at a time with 1500 
threads.  Results looked like this:

64.z.xxx.yy:1433 [sa:] Time:90 msec
64.z.xxx.yy:1433 [guest:] Time:30 msec
64.z.xxx.yy:1433 [guest:] Time:30 msec
64.z.xxx.yy:1433 [guest:] Time:80 msec
64.z.xxx.yy:1433 [guest:guest] Time:60 msec
64.z.xxx.yy:1433 [admin:password] Time:80 msec
64.z.xxx.yyy:1433 [admin:] Time:71 msec
64.z.xxx.yy:1433 [admin:password] Time:120 msec
64.z.xxx.y:1433 [admin:password] Time:80 msec
64.z.xxx.yyy:1433 [admin:password] Time:80 msec
64.z.xxx.yy:1433 [admin:password] Time:80 msec

Most victims just didn't have a password or had a default password.  Since these are admin accounts, 
the compromised SQL servers were used for running network attacks in the neighborhood of the victim.

> On Wed, 29 Dec 2004 zero at zero.byzero.net wrote:
> 
>> Anyone seeing an increase in port 1433 (MS SQLServer) scans over the 
>> last 24 hours?  It seems to have slowed down over the last 18 hours or 
>> so but continues.  I'm seeing this from many IP addresses mostly in Asia.

Tim Gurganus, MCSE
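The scanning behaviour described above (one source sweeping whole address blocks on TCP/1433) is easy to pick out of connection logs. The following is an added example, not code from the post or from NCSU: it reads constructed log lines in a hypothetical "<epoch> <src_ip> <dst_ip> <dst_port>" format and reports sources that reached many distinct hosts on port 1433 within a short window.

```python
"""Flag likely MS SQL (TCP/1433) scanners in connection logs.

Added example, not from the unisog post. Detects the behaviour the post
describes: one source hitting many distinct hosts on port 1433 in a short
window. Log lines are constructed and use a hypothetical
'<epoch> <src_ip> <dst_ip> <dst_port>' format.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps a /24 on 1433; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"1104375600 10.0.0.5 64.10.20.{i} 1433" for i in range(1, 41)]
    + [
        "1104375605 10.0.0.9 64.10.20.7 1433",
        "1104375606 10.0.0.9 64.10.20.7 1433",
        "1104375610 10.0.0.9 64.10.20.8 80",
    ]
)

def parse_line(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def find_scanners(log_text, port=1433, window=60, min_targets=20):
    """Return {src: max_distinct_targets} for sources that reached at least
    min_targets distinct hosts on `port` within any `window`-second span."""
    events = defaultdict(list)   # src -> [(ts, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, p = parse_line(line)
        if p == port:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()               # time order so the sliding window works
        start = 0
        counts = defaultdict(int)   # dst -> occurrences inside the window
        for ts, dst in evs:
            counts[dst] += 1
            while ts - evs[start][0] > window:   # evict events older than window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(counts))
    return hits
```

Tune window and min_targets to the site's normal 1433 fan-out; a legitimate application server talks to a handful of database hosts, not forty in one second.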
