TCP1433 probes/attacks

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/21/02


Date:         Tue, 21 May 2002 13:50:58 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We're tracking two distinctly different attacks on-going since yesterday
against TCP1433 (SQL).

The first sends 52 bytes (seemingly a SQL ping) followed by a 210 byte
packet (apparently an SA login with blank password and some scripting
host stuff).

The second sends a 583 byte packet alone, also logging in as SA with a
blank password.

Beyond that, I haven't seen a compromised machine yet so I can't confirm
other reports about what it does (Trend, Dshield, and SANS are all
claiming various things this "worm" does).

Conflicting reports may be explained by our contention it is definitely
two different worms propagating.

If you have a compromised machine, one which is actually making outbound
connection attempts on 1433 to unknown machine addresses, please drop me
a note.

More as it comes.

Meanwhile:

1. Make sure you block Internet access to T1433.
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor