Re: Odd MS-SQL scan.

From: Michael Scheidell (scheidell_at_secnap.net)
Date: 10/20/03

  • Next message: Maxime Ducharme: "Need help to find web server attacks signature"
    To: "larosa, vjay" <larosa_vjay@emc.com>
    Date: Mon, 20 Oct 2003 13:22:25 -0400 (EDT)
    
    

    > Hello,
    >
    > This morning while reviewing my IDS logs I found about 1,000 events all
    > originating from one source IP (64.166.152.138) incrementally scanning one
    > of my subnets for port 1433. These scans were odd to me because the packet
    > payload was cko (Q traffic payload) the flags were AR, Sequence number,
    > Acknowledgment number, and TCP window size numbers were all 0, and the TTL
    > is always between 1-2 (this might be because the stream4 TTL evasion flagged
    > these packets). Is anybody else seeing anything like this?

    Don't know about the specific packets, but this computer has been
    attacking the world since Jun 27th:

    http://www.mynetwatchman.com/LID.asp?IID=35323835

    Looks like 24 larts have been sent off to pacbell starting on July
    1st.

    Maybe if someone at pacbell can disconnect this computer till they get rid
    of their worm.

    -- 
    Michael Scheidell
    SECNAP Network Security, LLC 
    Main: 561-368-9561 / www.secnap.net
    Looking for a career in Internet security?
    http://www.secnap.net/employment/
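As an added example (not part of the thread or any poster's code), the following Python script shows how a defender could pull the pattern the original poster describes out of IDS output: ACK+RST-only packets to TCP/1433 whose sequence, acknowledgment and window fields are all zero and whose TTL is 1 or 2, grouped by source address so that incremental scanning of adjacent hosts stands out. The three-line log layout mimics Snort's full alert text, but the sample lines, the addresses (RFC 5737 ranges) and the function names are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a Snort "full alert"-style three-line layout (hypothetical data,
# RFC 5737 addresses). The first three records are the odd 1433 probes; the last is a normal SYN.
SAMPLE_LOG = """\
10/20-08:12:33.100000 192.0.2.10:1433 -> 198.51.100.20:1433
TCP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
10/20-08:12:33.200000 192.0.2.10:1433 -> 198.51.100.21:1433
TCP TTL:1 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
10/20-08:12:33.300000 192.0.2.10:1433 -> 198.51.100.22:1433
TCP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
10/20-08:12:34.000000 203.0.113.7:51234 -> 198.51.100.20:1433
TCP TTL:118 TOS:0x0 ID:4321 IpLen:20 DgmLen:48
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
"""

HEADER_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
TTL_RE = re.compile(r"TTL:(\d+)")
# Snort prints the TCP flag byte as eight positions "12UAPRSF", with '*' for a clear bit.
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)")


def parse_records(text):
    """Parse three-line records (header, IP line, TCP line) into dicts; malformed ones are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 2, 3):
        hdr = HEADER_RE.match(lines[i])
        ttl = TTL_RE.search(lines[i + 1])
        tcp = TCP_RE.match(lines[i + 2])
        if not (hdr and ttl and tcp):
            continue
        records.append({
            "time": hdr.group(1),
            "src": hdr.group(2), "sport": int(hdr.group(3)),
            "dst": hdr.group(4), "dport": int(hdr.group(5)),
            "ttl": int(ttl.group(1)),
            "flags": set(tcp.group(1).replace("*", "")),
            "seq": int(tcp.group(2), 16),
            "ack": int(tcp.group(3), 16),
            "win": int(tcp.group(4), 16),
        })
    return records


def is_bogus_ar_probe(rec):
    """The pattern from the post: ACK+RST only, seq/ack/window all zero, TTL of 1 or 2, to port 1433."""
    return (rec["dport"] == 1433
            and rec["flags"] == {"A", "R"}
            and rec["seq"] == rec["ack"] == rec["win"] == 0
            and rec["ttl"] <= 2)


def summarize(records):
    """Group matching probes by source and note whether the targets form a consecutive address run."""
    targets_by_src = defaultdict(set)
    counts = defaultdict(int)
    for rec in records:
        if is_bogus_ar_probe(rec):
            targets_by_src[rec["src"]].add(rec["dst"])
            counts[rec["src"]] += 1
    summary = {}
    for src, targets in targets_by_src.items():
        ordered = sorted(int(ipaddress.ip_address(t)) for t in targets)
        sequential = len(ordered) >= 2 and all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        summary[src] = {"count": counts[src], "targets": len(targets), "sequential": sequential}
    return summary


if __name__ == "__main__":
    for src, info in summarize(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {info['count']} AR/zero probes to {info['targets']} hosts, "
              f"sequential={info['sequential']}")
```

The TTL check is deliberately loose (`<= 2`) because, as the poster suggests, the tiny TTL may be an artifact of how the sensor reports packets it has already flagged rather than a property of the sender; if you run something like this against real output, compare the TTL in the raw packet log before trusting it.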
    
