Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

Beware Attacks on TCP port 1433

Every now and then I like to set up a sniffer and see what hackers are up to. Lately I had seen an increase in my firewall logs for scans to TCP port 1433, which is used for SQL Server, so I set up a sniffer and waited. What I found was rather interesting, and enough to make you wonder about how bright some script kiddies are.

First the attack. Hackers are targeting SQL Server systems using the MSSQL Hello Buffer Overflow attack as described by Dave Aitel on August 1, 2002, but a better description of the attack was written up by Ben Jurry in »www.xfocus.org/documents/200308/3.html or the BugTraq version at »online.securityfocus.com/bid/5411

A sample packet

217.236.27.93 : 1927 TCP Data In Length 52 bytes : MD5 = D0ED2679AA818F9AC2B3429B55747ECA
--- 30/12/2003 09:45:45.212
0000 12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1B ...4............
0010 00 01 02 00 1C 00 0C 03 00 28 00 04 FF 08 00 01 .........(......
0020 55 00 00 00 4D 53 53 51 4C 53 65 72 76 65 72 00 U...MSSQLServer.
0030 30 04 00 00 0...

The highly stupid part. Script kiddies take note: if your exploit doesn't work, then accept defeat and move on. Computers are digital, and running the same packet over and over again (almost a hundred times over 20 minutes) isn't likely to succeed in anything except setting off alarms. So far I have seen this stupid behaviour twice, once from 217.236.27.93 and again from 80.138.159.186. In both cases the attempts were roughly 9 to 10 seconds apart on random source ports and were attempted almost a hundred times. I would suspect that the same tool was used in both attacks, so take note there is likely a tool out there which has allowed the script kiddies in on this exploit.

In summary, this is a rather nasty attack as it can allow the hacker to own your system; however, Microsoft has long since released a patch for this, so if you are prudent about applying patches you should be safe. When I set up the sniffer I was expecting to see the usual dictionary password attack, but this attack is more sophisticated and worthy of notice, despite the stupid script kiddie factor.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

said by Link Logger:
Computers are digital, and running the same packet over and over again (almost a hundred times over 20 minutes) isn't likely to succeed in anything except setting off alarms.
Perhaps they're hoping that your firewall will get tired?

anthrorules
Premium
join:2003-09-14
Rollinsville, CO

reply to Link Logger
This worm has been around for a while, and it is recommended that you update to SP3 for SQL Server 2000 and MSDE. This SP does address this hack.



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to dave

said by dave:
said by Link Logger:
Computers are digital, and running the same packet over and over again (almost a hundred times over 20 minutes) isn't likely to succeed in anything except setting off alarms.
Perhaps they're hoping that your firewall will get tired?

rofl
--
my fav mmorpg »www.rubiesofeventide.com if you sign up use novaflare as referral


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to dave

said by dave:
Perhaps they're hoping that your firewall will get tired?
LOL, I should point out that the attack starts with a port scan to see if TCP Port 1433 is open, if not they move on. I had opened my TCP Port 1433 so I could capture the attack, so their initial port scan showed that I had an open port and hence they began with the attack, which I captured.

So if you don't have TCP Port 1433 open all you would see in your logs is a single scan.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


mboy
Premium
join:2001-04-13
Little Falls, NJ

No offense, but isn't this an almost ancient one these days? I have been getting 1433's for a LOOONG time (over a year for sure now).



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
As I mentioned, this attack was first published a year and a half ago, complete with source code, so it's not new. Typically most of the attacks we see on TCP port 1433 are related to passwords or the lack thereof. For example, today we saw this attempt:

200.150.211.10 : 2065 TCP Connected ID = 1
--- 30/12/2003 12:41:55.161
Status Code: 0 OK

200.150.211.10 : 2065 TCP Disconnected ID = 1
--- 30/12/2003 12:41:55.371
Status Code: 0 OK

TCP Connection Request
--- 30/12/2003 12:41:56.302

200.150.211.10 : 2244 TCP Connected ID = 1
--- 30/12/2003 12:41:56.322
Status Code: 0 OK

200.150.211.10 : 2244 TCP Data In Length 512 bytes : MD5 = 74E57895C8ECA753A032AA17AAF248D5
--- 30/12/2003 12:41:56.353
0000 02 00 02 00 00 00 01 00 57 45 42 53 45 52 56 45 ........WEBSERVE
0010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R...............
0020 00 00 00 00 00 00 09 73 61 00 00 00 00 00 00 00 .......sa.......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 02 73 61 00 00 00 00 00 00 00 00 ......sa........
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 02 30 30 30 30 31 36 35 38 00 00 00 .....00001658...
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 F5 25 43 ..............%C
0080 E8 7F 79 08 03 01 06 0A 09 01 01 00 00 00 00 00 .y.............
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 36 38 2E 31 34 34 2E 31 32 38 2E 31 30 ...68.144.128.10
00C0 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4...............
00D0 00 0E 00 02 73 61 00 00 00 00 00 00 00 00 00 00 ....sa..........
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 04 04 02 00 00 4F 44 42 43 00 00 00 00 00 00 ......ODBC......
01E0 04 06 00 00 00 00 0D 11 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

200.150.211.10 : 2244 TCP Data In Length 71 bytes : MD5 = 6130F202B4AB2FDBBC5916550C9ED32F
--- 30/12/2003 12:41:56.763
0000 02 01 00 47 00 00 02 00 00 00 00 00 00 00 00 01 ...G............
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 30 .............000
0040 00 00 00 03 00 00 00 .......

TCP Connection Request
--- 30/12/2003 12:41:56.873

200.150.211.10 : 2263 TCP Connected ID = 2
--- 30/12/2003 12:41:56.903
Status Code: 0 OK

200.150.211.10 : 2263 TCP Data In Length 512 bytes : MD5 = AE8274EDC6087CE98D598D57119D861A
--- 30/12/2003 12:41:56.953
0000 02 00 02 00 00 00 01 00 57 45 42 53 45 52 56 45 ........WEBSERVE
0010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R...............
0020 00 00 00 00 00 00 09 73 61 00 00 00 00 00 00 00 .......sa.......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 30 30 30 30 31 36 35 38 00 00 00 .....00001658...
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 F5 25 43 ..............%C
0080 E8 7F 79 08 03 01 06 0A 09 01 01 00 00 00 00 00 .y.............
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 36 38 2E 31 34 34 2E 31 32 38 2E 31 30 ...68.144.128.10
00C0 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4...............
00D0 00 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 02 04 02 00 00 4F 44 42 43 00 00 00 00 00 00 ......ODBC......
01E0 04 06 00 00 00 00 0D 11 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

200.150.211.10 : 2263 TCP Data In Length 71 bytes : MD5 = 6130F202B4AB2FDBBC5916550C9ED32F
--- 30/12/2003 12:41:57.364
0000 02 01 00 47 00 00 02 00 00 00 00 00 00 00 00 01 ...G............
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 30 .............000
0040 00 00 00 03 00 00 00 .......

200.150.211.10 : 2244 TCP Disconnected ID = 1
--- 30/12/2003 12:42:11.044
Status Code: 0 OK

200.150.211.10 : 2263 TCP Disconnected ID = 2
--- 30/12/2003 12:42:12.406
Status Code: 28484 [28484] (no description available)

This is a SQL Server sa user connection attempt, first trying 'sa' as the password and then trying a null password. These are typically what TCP port 1433 attacks have been in the past (password focused), but the MSSQL Hello Buffer Overflow Attack seems to have increased in popularity and is very different than a password attack, which is why I posted it.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
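An added example, not code from the thread or from Link Logger's products: a small Python parser for the capture format shown in the posts above that classifies each packet by its TDS type byte (0x12 pre-login, the "Hello" packet from the first post; 0x02 TDS 4.2 login, the sa attempts in this post), pulls the hostname, user name and password length out of a login packet the way Blake read them off the dump, and counts identical payloads per source to flag the replay behaviour. The sample log is constructed from the thread's own dumps and cut short; the field offsets assume the TDS 4.2 login layout (30-byte text fields, each followed by a one-byte length).

```python
import re
from collections import Counter
# Constructed sample in the capture format shown in the thread (header line,
# timestamp, hex rows). Bytes copied from the thread's dumps and cut short; the
# second record repeats the first to mimic the replaying the first post describes.
SAMPLE = """\
217.236.27.93 : 1927 TCP Data In Length 52 bytes : MD5 = D0ED2679AA818F9AC2B3429B55747ECA
--- 30/12/2003 09:45:45.212
0000 12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1B ...4............
217.236.27.93 : 1940 TCP Data In Length 52 bytes : MD5 = D0ED2679AA818F9AC2B3429B55747ECA
--- 30/12/2003 09:45:54.870
0000 12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1B ...4............
200.150.211.10 : 2263 TCP Data In Length 512 bytes : MD5 = AE8274EDC6087CE98D598D57119D861A
--- 30/12/2003 12:41:56.953
0000 02 00 02 00 00 00 01 00 57 45 42 53 45 52 56 45 ........WEBSERVE
0010 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R...............
0020 00 00 00 00 00 00 09 73 61 00 00 00 00 00 00 00 .......sa.......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 30 30 30 30 31 36 35 38 00 00 00 .....00001658...
"""
HEADER = re.compile(r"^(\S+) : \d+ TCP Data In Length \d+ bytes : MD5 = (\w+)")
TDS_TYPES = {0x02: "TDS 4.2 login", 0x12: "TDS pre-login (the 'Hello' packet)"}

def parse_records(text):
    """Return [(src_ip, md5, payload_bytes)] for each 'TCP Data In' record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append((m.group(1), m.group(2), bytearray()))
        elif records and re.match(r"^[0-9A-F]{4} ", line):
            for tok in line.split()[1:17]:  # at most 16 bytes, then the ASCII column
                if not re.fullmatch(r"[0-9A-F]{2}", tok):
                    break
                records[-1][2].append(int(tok, 16))
    return [(ip, md5, bytes(p)) for ip, md5, p in records]

def describe(payload):
    """Classify by TDS type byte; for a 4.2 login also return hostname, user and password length (0 = null)."""
    kind = TDS_TYPES.get(payload[0], "unknown type 0x%02x" % payload[0])
    if payload[0] != 0x02 or len(payload) < 0x65:
        return {"kind": kind}
    # TDS 4.2 login layout (assumed): hostname at 0x08 (len at 0x26), user at 0x27 (len at 0x45), password len at 0x64
    host = payload[8:8 + payload[0x26]].decode("ascii", "replace")
    user = payload[0x27:0x27 + payload[0x45]].decode("ascii", "replace")
    return {"kind": kind, "host": host, "user": user, "pw_len": payload[0x64]}

def replay_counts(records):
    """Same payload (same MD5) from one source many times is the replay signature of an automated tool."""
    return Counter((ip, md5) for ip, md5, _ in records)
```

Run over a real Link Logger export, a count well above a handful for one (source, MD5) pair is the "same packet almost a hundred times" pattern, and a login record with pw_len 0 is the null-password probe.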



mboy
Premium
join:2001-04-13
Little Falls, NJ

reply to Link Logger
Now, I see.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
OK, so our script kiddie is branching out, as yesterday we picked up another MSSQL Hello Buffer Overflow Attack from 217.226.102.87 (note this address is very close to 217.236.27.93 recorded above - dialup accounts in Germany, so it's possibly the same system). So after trying the SQL attack 49 times, he goes for open shares on ports 139 and 445; too bad the firewall bounced him. Next time I'll have to watch for him, so I can play with his mind a bit while sending him back some crafted packets.

Dec 31, 2003 16:27:27.692 - (TCP) 217.226.102.87 : 4006 >>> 68.144.128.104 : 1433 SQL Server Scan
Dec 31, 2003 16:27:28.062 - (TCP) 217.226.102.87 : 4015 >>> 68.144.128.104 : 1433 SQL Server Scan
Dec 31, 2003 16:27:38.958 - (TCP) 217.226.102.87 : 4128 >>> 68.144.128.104 : 1433 SQL Server Scan
Dec 31, 2003 16:27:49.864 - (TCP) 217.226.102.87 : 4226 >>> 68.144.128.104 : 1433 SQL Server Scan

-- chop chop chop in the interest of saving electrons --

Dec 31, 2003 16:28:27.057 - (TCP) 217.226.102.87 : 4572 >>> 68.144.128.104 : 1433 SQL Server Scan
Dec 31, 2003 16:28:27.828 - (TCP) 217.226.102.87 : 4577 >>> 68.144.128.104 : 445 SQL Server Scan
Dec 31, 2003 16:28:27.848 - (TCP) 217.226.102.87 : 1043 >>> 68.144.128.104 : 139 SQL Server Scan
Dec 31, 2003 16:28:28.219 - (TCP) 217.226.102.87 : 4582 >>> 68.144.128.104 : 1433 SQL Server Scan
Dec 31, 2003 16:28:30.762 - (TCP) 217.226.102.87 : 4577 >>> 68.144.128.104 : 445 SQL Server Scan
Dec 31, 2003 16:28:30.783 - (TCP) 217.226.102.87 : 1043 >>> 68.144.128.104 : 139 SQL Server Scan
Dec 31, 2003 16:28:36.701 - (TCP) 217.226.102.87 : 1043 >>> 68.144.128.104 : 139 SQL Server Scan
Dec 31, 2003 16:28:36.791 - (TCP) 217.226.102.87 : 4577 >>> 68.144.128.104 : 445 SQL Server Scan

I guess even script kiddies get tired of hitting their head against the same brick. I wonder what he will try next?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

