TCP1433 probes/attacks
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Tue, 21 May 2002 13:50:58 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
We're tracking two distinctly different attacks on-going since yesterday
against TCP1433 (SQL).
The first sends 52 bytes (seemingly a SQL ping) followed by a 210 byte
packet (apparently an SA login with blank password and some scripting
The second sends a 583 byte packet alone, also logging in as SA with a
Beyond that, I haven't seen a compromised machine yet so I can't confirm
other reports about what it does (Trend, Dshield, and SANS are all
claiming various things this "worm" does).
Conflicting reports may be explained by our contention it is definitely
two different worms propagating.
If you have a compromised machine, one which is actually making outbound
connection attempts on 1433 to unknown machine addresses, please drop me
More as it comes.
1. Make sure you block Internet access to T1433
2. Make sure you have a password on your SA account.
3. Disable TCP/IP Network Libraries if you're not using them.
4. Drop all eXtended Procedures (XP_) if you can.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
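As an added defender-side example (not part of Russ's post), a small Python script that flags the two TCP/1433 packet-size signatures the post describes in constructed connection-log records. The log format (timestamp, source, destination, destination port, payload bytes) is an assumption of mine, and payload size alone is a coarse heuristic, so hits are triage leads, not confirmations.

```python
"""Flag the two TCP/1433 probe patterns from the NTBugtraq post in
connection-log records. Log format is hypothetical: ts src dst dport size."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
1 10.0.0.5 192.0.2.10 1433 52
2 10.0.0.5 192.0.2.10 1433 210
3 10.0.0.7 192.0.2.11 1433 583
4 10.0.0.9 192.0.2.12 1433 52
5 10.0.0.9 192.0.2.12 80 210
6 10.0.0.9 192.0.2.12 1433 400
"""

# Pattern A: 52-byte SQL ping followed by a 210-byte SA login attempt.
PATTERN_A: Tuple[int, ...] = (52, 210)
# Pattern B: a single 583-byte packet that also attempts an SA login.
PATTERN_B: Tuple[int, ...] = (583,)
SQL_PORT = 1433


def parse(log: str) -> List[Tuple[int, str, str, int, int]]:
    """Turn each log line into (ts, src, dst, dport, size)."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport, size = line.split()
        rows.append((int(ts), src, dst, int(dport), int(size)))
    return rows


def flag_probes(log: str) -> Dict[str, List[str]]:
    """Return sources whose consecutive TCP/1433 payload sizes to one
    destination match pattern A or pattern B (non-1433 traffic is ignored)."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst, dport, size in sorted(parse(log)):  # sorted by ts
        if dport == SQL_PORT:
            by_pair[(src, dst)].append(size)
    hits: Dict[str, List[str]] = {"pattern_a": [], "pattern_b": []}
    for (src, _dst), sizes in by_pair.items():
        for i in range(len(sizes)):
            if tuple(sizes[i:i + len(PATTERN_A)]) == PATTERN_A:
                hits["pattern_a"].append(src)
            if tuple(sizes[i:i + len(PATTERN_B)]) == PATTERN_B:
                hits["pattern_b"].append(src)
    return hits


if __name__ == "__main__":
    print(flag_probes(SAMPLE_LOG))
```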