SQL port scanning up

From: Barry Dorrans (barryd@IDUNNO.ORG)
Date: 05/21/02

Date:         Tue, 21 May 2002 08:38:02 +0100
From: Barry Dorrans <barryd@IDUNNO.ORG>

This is a cross summary of discussions from the incidents.org list.

There's been a severe rise in port 1433 scanning, and login attempts to
SA (using a blank password). It seems to be coming from Win2k boxes,
some of which are running basic IIS, in (from the home page) what looks
like an unused state.

I would suggest everyone makes sure that failed SQL logins are turned on
(this is off by default) - goto SQL enterprise manager, right click on
your server, choose properties and then choose security. The failed
login attempts go into the Application log (why that's not the security
log, I have no idea). Make sure that no SQL servers have blank SAs. Also
remember that some programs (Visio 2002 Enterprise for example) can
install MSDB, a cut down SQL engine, which will install with blank SA.

I can only assume that they are scanning for boxes missing the MS02-020



Relevant Pages

  • Re: Permission question - another one
    ... If I add an Sql Login it does add the TRAVAC\ in front of the names, ... seems to be users that were setup to use SQL Server Authentication. ... RAPTOR is the Server that has SQL Server running on it. ... > " I could think I am taking permissions away from someone, ...
  • Re: SQL 2k5 SP2 Mirroring - SQL in Mixed mode.
    ... US\sqlservices (old SQLservice account) still member of built-in local admin ... Login: US\sqlservices ... How can I transfer the SQL logins to ... Here is SP_help_revlogin results from the Principal Server (NYSQL-3) ...
  • Re: Renamed Windows login not found in SQL Server 2000
    ... It's almost like SQL tuck some knowledge away in an area ... of memory that only gets released on Windows stop. ... > I am running SQL Server 2000 SP2 with Windows ... > login gets corrupted) I am unable to add the new login to ...
  • Re: SQL Server on XP Home Network
    ... The sa account is the system administrator "God" account witihin SQL ... This account is a SQL-Server login. ... You might be able to use Enterprise Manager to go in and create a new SQL ... Select the "SQL Server Authentication" ...
  • RE: Getting Challenged when using SQL connection on .aspx page
    ... What would happen if i removed integrated security=sspi from the connection ... Just want the login token to be passed, ... Have webpage with following connection in the ... I have account to the database on the SQL server. ...