- Joined
- 6 Dec 2003
- Messages
- 3,508
MS SQL Server Scanning
Paul Asadoorian, GCIH and GCIA wrote in identifying several Windows systems that were discovered compromised on his network with the following characteristics:
+ They are all scanning the Internet for hosts listening on port 1433
+ They are all listening on port 26101 TCP (suspected backdoor)
+ They are all listening on TCP/35894 with a FTP banner message "220 Microsoft FTP Server"
These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files with the following script for Unix systems:
$ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort
Organizations can benefit from from monitoring egress TCP/1433 traffic as a sign of infected systems.
-----------------------------------------------------------
For anyone using MS SQL please be advised and on the lookout for this.
Paul Asadoorian, GCIH and GCIA wrote in identifying several Windows systems that were discovered compromised on his network with the following characteristics:
+ They are all scanning the Internet for hosts listening on port 1433
+ They are all listening on port 26101 TCP (suspected backdoor)
+ They are all listening on TCP/35894 with a FTP banner message "220 Microsoft FTP Server"
These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files with the following script for Unix systems:
$ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort
Organizations can benefit from from monitoring egress TCP/1433 traffic as a sign of infected systems.
-----------------------------------------------------------
For anyone using MS SQL please be advised and on the lookout for this.
