Link Logger
reply to Link Logger

Re: Beware Attacks on TCP port 1433

As I mentioned, this attack was first published a year and a half ago, complete with source code, so it's not new. Typically most of the attacks we see on TCP port 1433 are related to passwords or the lack thereof. For example, today we saw this attempt:

200.150.211.10 : 2065 TCP Connected ID = 1
--- 30/12/2003 12:41:55.161
Status Code: 0 OK

200.150.211.10 : 2065 TCP Disconnected ID = 1
--- 30/12/2003 12:41:55.371
Status Code: 0 OK

TCP Connection Request
--- 30/12/2003 12:41:56.302

200.150.211.10 : 2244 TCP Connected ID = 1
--- 30/12/2003 12:41:56.322
Status Code: 0 OK

200.150.211.10 : 2244 TCP Data In Length 512 bytes : MD5 = 74E57895C8ECA753A032AA17AAF248D5
--- 30/12/2003 12:41:56.353
0000 02 00 02 00 00 00 01 00 57 45 42 53 45 52 56 45 ........WEBSERVE
0010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R...............
0020 00 00 00 00 00 00 09 73 61 00 00 00 00 00 00 00 .......sa.......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 02 73 61 00 00 00 00 00 00 00 00 ......sa........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 02 30 30 30 30 31 36 35 38 00 00 00 .....00001658...
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 F5 25 43 ..............%C
0080 E8 7F 79 08 03 01 06 0A 09 01 01 00 00 00 00 00 ..y.............
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 36 38 2E 31 34 34 2E 31 32 38 2E 31 30 ...68.144.128.10
00C0 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4...............
00D0 00 0E 00 02 73 61 00 00 00 00 00 00 00 00 00 00 ....sa..........
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 04 04 02 00 00 4F 44 42 43 00 00 00 00 00 00 ......ODBC......
01E0 04 06 00 00 00 00 0D 11 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

200.150.211.10 : 2244 TCP Data In Length 71 bytes : MD5 = 6130F202B4AB2FDBBC5916550C9ED32F
--- 30/12/2003 12:41:56.763
0000 02 01 00 47 00 00 02 00 00 00 00 00 00 00 00 01 ...G............
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 30 .............000
0040 00 00 00 03 00 00 00 .......

TCP Connection Request
--- 30/12/2003 12:41:56.873

200.150.211.10 : 2263 TCP Connected ID = 2
--- 30/12/2003 12:41:56.903
Status Code: 0 OK

200.150.211.10 : 2263 TCP Data In Length 512 bytes : MD5 = AE8274EDC6087CE98D598D57119D861A
--- 30/12/2003 12:41:56.953
0000 02 00 02 00 00 00 01 00 57 45 42 53 45 52 56 45 ........WEBSERVE
0010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R...............
0020 00 00 00 00 00 00 09 73 61 00 00 00 00 00 00 00 .......sa.......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 30 30 30 30 31 36 35 38 00 00 00 .....00001658...
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 F5 25 43 ..............%C
0080 E8 7F 79 08 03 01 06 0A 09 01 01 00 00 00 00 00 ..y.............
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 36 38 2E 31 34 34 2E 31 32 38 2E 31 30 ...68.144.128.10
00C0 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4...............
00D0 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 02 04 02 00 00 4F 44 42 43 00 00 00 00 00 00 ......ODBC......
01E0 04 06 00 00 00 00 0D 11 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

200.150.211.10 : 2263 TCP Data In Length 71 bytes : MD5 = 6130F202B4AB2FDBBC5916550C9ED32F
--- 30/12/2003 12:41:57.364
0000 02 01 00 47 00 00 02 00 00 00 00 00 00 00 00 01 ...G............
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 30 .............000
0040 00 00 00 03 00 00 00 .......

200.150.211.10 : 2244 TCP Disconnected ID = 1
--- 30/12/2003 12:42:11.044
Status Code: 0 OK

200.150.211.10 : 2263 TCP Disconnected ID = 2
--- 30/12/2003 12:42:12.406
Status Code: 28484 [28484] (no description available)

This is a SQL Server sa user connection attempt, first trying 'sa' as the password and then trying a null password. These are typically what TCP port 1433 attacks have been in the past (password focused), but the MSSQL Hello Buffer Overflow Attack seems to have increased in popularity and is very different from a password attack, which is why I posted it.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
