From: Steve (steve vulnwatch.org)
Date: Wed May 22 2002 - 00:33:46 CDT
[Moderator's Note: I know this isn't an advisory or even a new exploit
but I felt that the subscribers of this list might want to know about a
potential threat. There have been widespread reports of an increase in
port 1433 scans. If anyone has a copy of the Worm please forward it to me
for analysis.
-Steve (steve vulnwatch.org)]
------------------------------------------------------
From: John Thornton <jthornton hackersdigest.com>
To: vulnwatch vulnwatch.org
Subject: Microsoft SQL Worm
So far I have been attacked 13 times starting at 7:00 EST.
What I have noticed was that the worm's logic for finding more Microsoft
SQL servers always starts its scan on a random port and ends on 1433.
Scan 1. port 4345 to port 1433
Scan 2. port 4780 to port 1433
Scan 3. port 4099 to port 1433
Scan 4. port 2193 to port 1433
Scan 5. port 4616 to port 1433
Scan 6. port 4514 to port 1433
Scan 7. port 1649 to port 1433
Scan 8. port 1900 to port 1433
Scan 9. port 1715 to port 1433
Scan 10. port 1717 to port 1433
Scan 11. port 2124 to port 1433
Scan 12. port 1589 to port 1433
Scan 13. port 4696 to port 1433
Always different. I think that this worm is far more dangerous than Code
Red. Code Red was a wake up call and when your IIS server was defaced you knew
you needed to address the security of your network. However this SQL worm is
very sneaky and I doubt most MCSE certs are not going to even notice the
extra traffic depending on just how smart the logic for locating Microsoft
SQL servers really is. I have been scanned up to 3 times by an infected
server. All start on a random port but end on 1433.
-John Thornton
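
Added example, not part of the original post: one way to tally the pattern reported above (a varying source port, destination port always 1433, some hosts probing more than once) from firewall logs. The iptables-style log format, the addresses (documentation ranges) and the function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables LOG style (assumed format).
# Addresses are documentation ranges; they are not taken from the post.
SAMPLE_LOG = """\
May 21 19:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4345 DPT=1433 SYN
May 21 19:04:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4780 DPT=1433 SYN
May 21 19:09:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4099 DPT=1433 SYN
May 21 19:11:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2193 DPT=1433 SYN
May 21 19:12:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP SPT=1649 DPT=80 SYN
May 21 19:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=1900 DPT=1433
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
MSSQL_PORT = 1433  # default Microsoft SQL Server TCP port


def parse_line(line):
    """Return the key=value fields of one log line plus a SYN flag, or None."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "SPT", "DPT"} <= fields.keys():
        return None  # not a packet log line we understand
    fields["SYN"] = " SYN" in line
    return fields


def summarize_1433_probes(log_text):
    """Map source IP -> sorted source ports used in TCP SYNs to port 1433."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["PROTO"] != "TCP" or not f["SYN"]:
            continue  # skip unparsable lines, UDP, and non-SYN packets
        if int(f["DPT"]) == MSSQL_PORT:
            probes[f["SRC"]].append(int(f["SPT"]))
    return {src: sorted(ports) for src, ports in probes.items()}


def repeat_scanners(summary, threshold=2):
    """Sources that probed port 1433 at least `threshold` times."""
    return sorted(s for s, ports in summary.items() if len(ports) >= threshold)


if __name__ == "__main__":
    summary = summarize_1433_probes(SAMPLE_LOG)
    for src, ports in summary.items():
        print(f"{src}: {len(ports)} probe(s) to {MSSQL_PORT}, source ports {ports}")
    print("repeat scanners:", repeat_scanners(summary))
```

Keying on the destination port and the source address, rather than the source port, is what makes the repeat visits from a single host stand out.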