Strange Pattern Resulting from SQLsnake Probes
From: David Dickinson [MVP] (eis@no-spam.softhome.net)
Date: 05/23/02
- Next message: David Dickinson [MVP]: "Re: Little Girl Lost Files"
- Previous message: Tim: "Re: certificates of trusted CA"
- Next in thread: x y: "Re: Strange Pattern Resulting from SQLsnake Probes"
- Reply: x y: "Re: Strange Pattern Resulting from SQLsnake Probes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Dickinson [MVP]" <eis@no-spam.softhome.net> Date: Thu, 23 May 2002 04:40:14 -0600
I'll be very grateful for some help tracking this down:
-------------------------------------------
A client has this configuration:
-------------------------------------------
Windows 2000 Server SP2 (fully updated, workgroup, no DC) with Win2K Pro
workstations.
Provides DHCP and RRAS/NAT Internet access to the LAN (file sharing, Client
for MSN, and NETBIOS are all /supposed to be/ disabled on that connection
according to what's configured, although the LAN NIC allows NETBIOS). No
remote access services are provided. It's also a file server. The local
policy is as tight as I can make it without disabling the necessary
services.
Microsoft Office XP Professional (Access, Excel, FrontPage, Outlook,
PowerPoint, Word). But no one is actually allowed to run apps on the
server, and the FrontPage extensions aren't installed.
ZoneAlarm Pro 3.0.118 blocking all incoming and allowing only http, https,
smtp, pop, nntp, ntp, and echo outgoing connection requests. Shields Up,
dslreports.com, and all of Sygate's online scans all report there's nothing
here. Using VisualZone for reports. (The Cisco 678 router provided for DSL
by the phone company doesn't seem to be worth much for security, but ZA
seems to be working fine.)
F-Prot and TDS-3 both report all machines are clean.
IIS 5.0 configured with IISlockdown/URLscan, but blocked from accepting
outside connections in ZoneAlarm.
(The client decided what the server would do even though I protested.)
No other services are provided to the workgroup: no email, no SQL (other
than MDAC via ASP/ADO in IIS for the LAN), no nothing. It's actually a
pretty simple setup.
-------------------------------------------
What bugs me:
-------------------------------------------
ZoneAlarm/VisualZone is reporting the SQLsnake TCP probes on port 1433
(ms-sql) and blocking them, but netmon shows that there is nothing
listening on 1433 anyway. (If you haven't noticed, all of these infected
SQL Servers have NETBIOS and a bunch of other ports open to Internet, but
that's one of the reasons why it's also called the "Dumbass Detector Worm".)
Within a few seconds following each blocked probe, ZA blocks an outgoing UDP
connection attempt from 1025 or 1026 on the local server to port 137
(netbios-ns) at the offending IP. fport shows only lsass on 1026, but I can
never seem to run it on time during the connection attempt. A sniffer (NGS
Sniff) shows nothing at all unusual because ZoneAlarm is blocking the
connection attempts. I really don't want to shut down ZA in order to get
info from sniffing.
Nothing related (nothing within even minutes) shows in the event logs, and
I'm auditing damned near everything. I don't see anything unusual in
Services -- I turned off unnecessary services when I set it up last year,
and they're still off.
I'll be very grateful if someone has a hint about where to look next. Also,
if anyone knows of a good process monitor that shows port usage live and
with capture, that would be great. My client heard about SQLsnake, got to
looking at the logs, spotted the pattern and got scared even though nothing
bad seems to be happening (I really do like my clients. They learn fast
even if they don't always do what I want.) I just hope that I don't turn
out to be personally detected by the "DD" worm.
--
David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp
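The pattern the post describes (an inbound TCP probe to 1433 is blocked, and within a few seconds the server sends a UDP packet from 1025/1026 to port 137 at the same address) is easy to confirm from firewall logs without disabling the firewall or running a sniffer. The following script is an added example, not part of the original post or of any ZoneAlarm/VisualZone tooling: it reads block records in a simplified, constructed format (direction, timestamp, source, destination, protocol, loosely modelled on ZoneAlarm's FWIN/FWOUT lines but not its exact layout) and reports every 1433 probe that is followed by an outbound UDP/137 attempt to the probing address inside a short window. It only surfaces the correlation; it does not diagnose which process issues the name query.

```python
"""Correlate blocked inbound 1433 probes with outbound UDP/137 attempts to the same host.

Added example for the mailing-list post above. The log format and the sample
lines are constructed for illustration and are not ZoneAlarm's real format.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "direction ts src_ip src_port dst_ip dst_port proto")
Match = namedtuple("Match", "probe_ip probe_ts lookup_ts delay_seconds lookup_src_port")

# Constructed sample log: two probes followed by a quick UDP/137 attempt, one
# unrelated HTTP hit, and one probe whose 137 packet comes two minutes later
# (outside the window, so it should not be paired).
SAMPLE_LOG = """\
FWIN,2002/05/23 04:40:14,203.0.113.7:4521,192.0.2.10:1433,TCP
FWOUT,2002/05/23 04:40:16,192.0.2.10:1026,203.0.113.7:137,UDP
FWIN,2002/05/23 04:41:02,198.51.100.22:3344,192.0.2.10:80,TCP
FWIN,2002/05/23 04:45:30,203.0.113.99:1055,192.0.2.10:1433,TCP
FWOUT,2002/05/23 04:45:33,192.0.2.10:1025,203.0.113.99:137,UDP
FWIN,2002/05/23 04:50:00,198.51.100.5:2000,192.0.2.10:1433,TCP
FWOUT,2002/05/23 04:52:00,192.0.2.10:1025,198.51.100.5:137,UDP
"""


def _split_endpoint(endpoint):
    """Split 'ip:port' into (ip, int port)."""
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)


def parse_log(text):
    """Parse the simplified log into Event records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        direction, stamp, src, dst, proto = line.split(",")
        src_ip, src_port = _split_endpoint(src)
        dst_ip, dst_port = _split_endpoint(dst)
        ts = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
        events.append(Event(direction, ts, src_ip, src_port, dst_ip, dst_port, proto))
    events.sort(key=lambda e: e.ts)
    return events


def correlate_probe_lookups(events, probe_port=1433, lookup_port=137,
                            window=timedelta(seconds=10)):
    """Pair each blocked inbound TCP probe to probe_port with the first outbound
    UDP packet to lookup_port at the probing address within `window`."""
    matches = []
    for i, probe in enumerate(events):
        if not (probe.direction == "FWIN" and probe.proto == "TCP"
                and probe.dst_port == probe_port):
            continue
        for later in events[i + 1:]:
            delay = later.ts - probe.ts
            if delay > window:
                break  # events are sorted, nothing later can qualify
            if (later.direction == "FWOUT" and later.proto == "UDP"
                    and later.dst_port == lookup_port
                    and later.dst_ip == probe.src_ip):
                matches.append(Match(probe.src_ip, probe.ts, later.ts,
                                     delay.total_seconds(), later.src_port))
                break
    return matches


if __name__ == "__main__":
    for m in correlate_probe_lookups(parse_log(SAMPLE_LOG)):
        print(f"{m.probe_ts} probe from {m.probe_ip} -> UDP/137 reply attempt "
              f"from local port {m.lookup_src_port} after {m.delay_seconds:.0f}s")
```

Feeding real block records through a script like this gives a count of how consistently the 137 packet follows the probe and which local source ports are involved, which is the evidence worth having before deciding whether the behaviour is the firewall's own reverse name lookup, a Windows NetBIOS name query, or something else.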