
SANS ISC Diary: TCP/1433 spike: Call for Packets.

One of our readers, Warner, noted today what initially appeared to be a localized attack on port 1433/tcp (the Microsoft SQL Server port). After some further investigation we are seeing a bit of a spike in the DShield data, and we are indeed seeing a similar spike elsewhere.


The next step is to identify what they are scanning for. This will involve answering the SYN packets and seeing what happens. We already know there are many SYNs; we want to figure out what happens once the handshake completes.

Setting up something to answer can be done using netcat: "nc -l 1433 > capturefile" or "nc -L -p 1433 > capturefile" (depending on the version of netcat you're using). The scanner might need more of the protocol before it does its magic, though, so some experimentation might be needed.
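As an added example (not from the diary), a small Python listener that does the same job as the netcat one-liner but also records the peer address and timestamp, and checks whether the first bytes look like a genuine TDS (MSSQL client) packet or something else. The port, bind address and "capturefile.log" name are assumptions; the sample PRELOGIN header in the comments is constructed.

```python
import socket
import binascii
from datetime import datetime, timezone

# TDS packet types a real MSSQL client sends first (byte 0 of the 8-byte header)
TDS_TYPES = {0x01: "SQL_BATCH", 0x03: "RPC", 0x10: "LOGIN7", 0x12: "PRELOGIN"}


def parse_tds_header(data: bytes):
    """Parse an 8-byte TDS header: type, status, length (big-endian, includes
    the header), SPID, packet id. Returns None if it does not look like TDS."""
    if len(data) < 8:
        return None
    ptype, status = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if ptype not in TDS_TYPES or length < 8:
        return None
    return {"type": TDS_TYPES[ptype], "status": status, "length": length,
            "spid": int.from_bytes(data[4:6], "big"), "packet_id": data[6]}


def classify(first_bytes: bytes) -> str:
    """One-line verdict for the log: e.g. constructed b'\\x12\\x01\\x00\\x2f\\x00\\x00\\x01\\x00'
    classifies as a TDS PRELOGIN, while an HTTP request or a raw payload does not."""
    hdr = parse_tds_header(first_bytes)
    if hdr is None:
        return "non-TDS or truncated"
    return f"TDS {hdr['type']} (length {hdr['length']})"


def capture_one(port=1433, bind="0.0.0.0", outfile="capturefile.log", timeout=30):
    """Accept one connection, read what the peer sends after the handshake,
    append a hex dump plus verdict to outfile, and return the raw bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(4096)
            except socket.timeout:
                data = b""  # peer completed the handshake but sent nothing
        stamp = datetime.now(timezone.utc).isoformat()
        with open(outfile, "a") as f:
            f.write(f"{stamp} {peer[0]}:{peer[1]} {len(data)} bytes "
                    f"{classify(data)} {binascii.hexlify(data).decode()}\n")
        return data
```

Binding port 1433 needs administrative privileges on most systems; run capture_one() in a loop to collect several sessions. A peer that completes the handshake and sends nothing (logged as 0 bytes) is itself a useful data point, since it suggests the scanner is waiting for the server to speak first.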

Please upload captures through the contact page.

We'll update this story as it evolves.

Thanks to all handlers working on this: Scott, David, William, Robert, ...
--
Swa Frantzen -- Section 66
