explanation of port 1433 scans...

From: Benjamin Tomhave (falconat_private)
Date: Thu May 16 2002 - 09:04:07 PDT

    Hi Lists,
    Probably pointing out the obvious here, but thought to share info, since I
    had somehow missed these alerts...
    The May 15th SANS NewsBites had the following comments on port 1433 (MS SQL)
    scans as of late:
    "Update on Port 1433: Last week we reported on widespread scanning of
    port 1433, commonly used by Microsoft's SQL server. We noted that we
    had had no reports at Incidents.Org of exploits connected with the
    scanning. A few hours later we received the following note from the
    CISO of a large research organization:
    "[Our organization] has been hit at least twice in the last 2 weeks with
    Web defacements based on the exploit Port 1433/ms-sql, CAN-2002-0154.
    We were kind of shocked that within 1-2 weeks of Microsoft announcing
    the vulnerability, we were already hit by the exploit. Doesn't
    give much time to clean up. However, I haven't heard of widespread
    exploits yet. Also, I would hope most sites block external access
    to SQL Server. We happened to have a few servers that needed outside
    access for special purposes."
    A quick web search on CAN-2002-0154 yielded the following link, which also
    has links to CVE and the original MS bulletins:
     Benjamin Tomhave