MS SQL Server Scanning warning

Discussion in 'Windows Desktop Systems' started by tdinc, Jul 8, 2004.

  1. tdinc

    tdinc Political User

    Messages: 3,507
    Location: Sterling Heights, MICHIGAN
    MS SQL Server Scanning
    Paul Asadoorian, GCIH and GCIA, wrote in identifying several Windows systems that were discovered compromised on his network, with the following characteristics:

    + They are all scanning the Internet for hosts listening on port 1433
    + They are all listening on port 26101 TCP (suspected backdoor)
    + They are all listening on TCP/35894 with an FTP banner message "220 Microsoft FTP Server"

    These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files with the following script for Unix systems:

    $ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort

    Organizations can benefit from monitoring egress TCP/1433 traffic as a sign of infected systems.


    -----------------------------------------------------------
    For anyone using MS SQL please be advised and on the lookout for this.
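The tcpdump pipeline quoted above counts how many packets each internal source sends toward TCP/1433. The added example below (my own code, not part of the original post or the ISC diary it quotes) does the same job on a few constructed `tcpdump -nn` lines and goes one step further than the shell pipeline: it counts distinct destinations per source, so a legitimate SQL client that talks to one server repeatedly is not confused with a host fanning out across many addresses. The line format, the sample addresses, the hypothetical threshold and the helper names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` output (not a real capture).
# 10.20.30.40 fans out SYNs to four different hosts on 1433 (scanner-like).
# 10.20.30.41 talks to a single internal SQL server (normal client).
# 10.20.30.42 is unrelated web traffic and must be ignored.
SAMPLE_LINES = """\
12:00:01.000001 IP 10.20.30.40.49152 > 203.0.113.5.1433: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 10.20.30.40.49153 > 203.0.113.6.1433: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 10.20.30.40.49154 > 203.0.113.7.1433: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 IP 10.20.30.40.49155 > 198.51.100.8.1433: Flags [S], seq 4, win 65535, length 0
12:00:01.000005 IP 10.20.30.41.50000 > 10.20.30.10.1433: Flags [S], seq 5, win 65535, length 0
12:00:01.000006 IP 10.20.30.41.50000 > 10.20.30.10.1433: Flags [.], ack 1, win 65535, length 0
12:00:01.000007 IP 10.20.30.42.50001 > 203.0.113.9.80: Flags [S], seq 6, win 65535, length 0
"""

# Matches the src/dst address and port of a TCP SYN in `tcpdump -nn` output.
# Only pure SYNs are counted, so a completed session is counted once.
SYN_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def parse_syns(text, dst_port=1433):
    """Yield (src_ip, dst_ip) for every SYN aimed at dst_port."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m and int(m.group(4)) == dst_port:
            yield m.group(1), m.group(3)


def syn_counts(text, dst_port=1433):
    """Equivalent of the quoted `cut | sort | uniq -c` pipeline:
    number of SYNs to dst_port per source address."""
    counts = defaultdict(int)
    for src, _dst in parse_syns(text, dst_port):
        counts[src] += 1
    return dict(counts)


def fanout_scanners(text, dst_port=1433, min_targets=3):
    """Sources that sent SYNs on dst_port to at least min_targets distinct
    destinations. min_targets is a hypothetical threshold; tune it so that
    normal clients (one or two SQL servers) stay below it."""
    targets = defaultdict(set)
    for src, dst in parse_syns(text, dst_port):
        targets[src].add(dst)
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets]
    # Most distinct targets first, then by address for a stable listing.
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in sorted(syn_counts(SAMPLE_LINES).items()):
        print(f"{n:7d} {src}")
    for src, n in fanout_scanners(SAMPLE_LINES):
        print(f"ALERT: {src} sent SYNs to {n} distinct hosts on TCP/1433")
```

To run it against real traffic, feed the output of `tcpdump -nn ... dst port 1433` into `fanout_scanners` instead of `SAMPLE_LINES`; hosts that appear there are the ones to check for the extra listeners (TCP/26101, TCP/35894) the diary describes.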