We received a couple of reports yesterday of some odd behavior after a scan that looks a lot like SQL Slammer (from Jan 2003). I've only gotten captures of this activity from one user, so I thought I'd ask you, our faithful readers for some assistance. The behavior was that after a single UDP packet to port 1434, the target machine which had multiple interfaces, first did a reverse DNS lookup and then attempted to do a wildcard NBT lookup back to the source machine from all of its interfaces. This is clearly providing too much information to the attacker (other IPs configured on the target machine), so I'd like to get a better understanding of what might be happening. The target machine was not running MS SQLServer and, from the information available at the moment, we're not aware of any firewall or other software on the target that might account for this odd behavior. If anyone has seen similar behavior or has any idea what might cause this type of response to a scan, please let us know.
Jim Clausing, jclausing /at/ isc.sans.org, http://handlers.sans.org/jclausing/ I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Northern VA - Fairfax 2020
Nov 7th 2005
1 decade ago