MS SQL Server Scanning warning

tdinc

MS SQL Server Scanning
Paul Asadoorian, GCIH and GCIA wrote in identifying several Windows systems that were discovered compromised on his network with the following characteristics:

+ They are all scanning the Internet for hosts listening on port 1433
+ They are all listening on port 26101 TCP (suspected backdoor)
+ They are all listening on TCP/35894 with an FTP banner message "220 Microsoft FTP Server"

These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files with the following script for Unix systems:

$ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort

Organizations can benefit from monitoring egress TCP/1433 traffic as a sign of infected systems.


-----------------------------------------------------------
For anyone using MS SQL please be advised and on the lookout for this.
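
An added example, not part of the original post or the quoted report: the egress TCP/1433 check described above, extended to count distinct destinations per source rather than packets, so a host sweeping many addresses stands out from a client talking to one database server. The function names, the threshold default and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rank sources by distinct destinations contacted on TCP/1433.
# Input: `tcpdump -nn` text lines on stdin. $1: minimum distinct destinations
# (assumed default 10; tune to your environment).
scan_suspects() {
    awk -v min="${1:-10}" '
    {
        # Find the ">" token so lines with or without the "IP" field parse.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1)
        sub(/:$/, "", dst)
        # Keep only IPv4 addr.port pairs with destination port 1433.
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (dst !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.1433$/) next
        sub(/\.[0-9]+$/, "", src); sub(/\.1433$/, "", dst)
        if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        packets[src]++
    }
    END {
        for (s in targets)
            if (targets[s] >= min)
                printf "%s targets=%d packets=%d\n", s, targets[s], packets[s]
    }' | sort -t= -k2,2nr
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.1.5.20.3021 > 192.0.2.10.1433: Flags [S], seq 1, win 64240, length 0
12:00:01.000450 IP 10.1.5.20.3022 > 198.51.100.7.1433: Flags [S], seq 1, win 64240, length 0
12:00:01.000900 10.1.5.20.3023 > 203.0.113.99.1433: S 1:1(0) win 16384
12:00:02.000100 IP 10.1.5.20.3024 > 192.0.2.10.1433: Flags [S], seq 1, win 64240, length 0
12:00:02.100000 IP 10.1.9.8.4410 > 192.0.2.50.1433: Flags [P.], seq 1:90, ack 1, win 502, length 89
12:00:02.200000 IP 10.1.9.8.4410 > 192.0.2.50.1433: Flags [P.], seq 90:180, ack 1, win 502, length 90
12:00:02.300000 IP 10.1.9.8.4410 > 192.0.2.50.1433: Flags [.], ack 300, win 502, length 0
12:00:03.000000 IP 10.1.9.8.4411 > 192.0.2.50.80: Flags [S], seq 1, win 64240, length 0
EOF
}

sample_capture | scan_suspects 3   # prints: 10.1.5.20 targets=3 packets=4
```

On a live network, feed it from a capture filter such as the one in the post (`src net ... and dst port 1433`) in place of `sample_capture`.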