Odd MS-Sql scans.

From: larosa, vjay (larosa_vjay_at_emc.com)
Date: 10/20/03

    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Mon, 20 Oct 2003 10:56:34 -0400
    
    

    Hello,

    This morning while reviewing my IDS logs I found about 1,000 events all
    originating from one source IP (64.166.152.138) incrementally scanning one
    of my subnets for port 1433. These scans were odd to me because the packet
    payload was cko (Q traffic payload), the flags were AR, the sequence number,
    acknowledgment number, and TCP window size were all 0, and the TTL
    is always between 1-2 (this might be because the stream4 TTL evasion flagged
    these packets). Is anybody else seeing anything like this?

    Thanks!
     
    vjl

    V.Jay LaRosa EMC Corporation
    Information Security 4400 Computer Dr.
    (508)898-7433 Office Westboro, MA 01580
    (508)962-1482 Cell www.emc.com
    888-799-9750 Pager vjl@emc.com
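
The packet traits listed in the post (destination port 1433, flags AR, sequence number, acknowledgment number and window all 0, TTL of 1-2, payload cko) can be written as a filter over raw IPv4 packets and grouped by source to show the per-subnet sweep. This is an added example, not part of the original message; the function names and the sample packets (built with documentation addresses) are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ACK_RST = 0x14  # TCP flags "AR": ACK (0x10) | RST (0x04)

def build_packet(src, dst, flags, seq=0, ack=0, window=0, ttl=1,
                 payload=b"cko", dport=1433):
    """Constructed test input: bare IPv4+TCP packet, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, ack, 5 << 4,
                      flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def matches_report(pkt):
    """True when a raw IPv4 packet shows every trait listed in the post."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total, ttl, proto = struct.unpack("!H", pkt[2:4])[0], pkt[8], pkt[9]
    if proto != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return False
    _sport, dport, seq, ack, off, flags, window = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16])
    # Slice by the IP total length so link-layer padding is not read as payload.
    payload = pkt[ihl + (off >> 4) * 4:total]
    return (dport == 1433 and flags & 0x3F == ACK_RST
            and seq == 0 and ack == 0 and window == 0
            and 1 <= ttl <= 2 and payload == b"cko")

def scan_sources(packets):
    """Map each matching source IP to the number of distinct targets it hit."""
    targets = defaultdict(set)
    for pkt in packets:
        if matches_report(pkt):
            targets[socket.inet_ntoa(pkt[12:16])].add(socket.inet_ntoa(pkt[16:20]))
    return {src: len(dsts) for src, dsts in targets.items()}

# Constructed sample (RFC 5737 documentation addresses, not from the post).
SAMPLE = [build_packet("198.51.100.7", f"192.0.2.{h}", ACK_RST) for h in (10, 11, 12)]
SAMPLE.append(build_packet("198.51.100.9", "192.0.2.10", 0x02, seq=12345,
                           window=8192, ttl=64, payload=b""))

if __name__ == "__main__":
    print(scan_sources(SAMPLE))
```

The TTL test mirrors the values reported in the post; since the author suspects that range comes from how the sensor flagged the packets, drop that condition when matching traffic captured elsewhere.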
