Mailbag Items for Ports 1433 and 113

Published: 2004-07-04
Last Updated: 2004-07-05 23:41:55 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Port 1433 Mailbag

1433's in the Top Ten ports scanned with a significant increase in the number of Targets.
Significant increases in the number of Targets

scanned have occurred sinse June 12th, and are even more evident when looking further back (next two links;

Diary readers have submittied

interesting information related to exploits aimed at Port 1433.
One honeypot dump submisssion showed a "mssql password brute force attempt" from a couple of days ago. Some lessons learned over time have been:

(1) don't put your db outside the firewall,

(2) don't rely on passwords, since exploiters even try some odd passwords many people consider 'safe'.

(3) set a realistic pw lockout policy - and read the logs

Another Port 1433 honeypot submission from RSS#### was taken from a commercial honeypot product. It showed osql-32 sa login password failures. Passwords attempted (from the submissions only) were were:

blimp, corner, craze, curb, daunt, deadline, delight, devil, dismayed, doom, drizzle, ecstasy, emigrant, entire, evince, eyelid, faulty, finished, flop, forcible, forsale, frontier, garlic, glee, grabat, grower, hard, hectic, hijack, holy, humus, impede, iniquity, inventor, jeweller, keyboard, lamp, lean, lieup, locate, lucky, mallard, matinee, meter, mister, mortgage, mutable, nether, notable, offal, oration, overload, pasture, perform, pink, pirate, poorly, prepare, protect, putout, rainbow, recount.

There has also been some other speculation that a "new mssql brute force tool" is going around so if you've got some info on a new tool please post us a note.
Last item on Port 1433, there's an excellent paper on "TCP/1433 MS-SQL" by Handler Kevin C. Liston at;
Port 113 Mailbag

Other readers have submitted information concerning Port 113 scans mentioned in the Handler's Diary of July 1st 2004.

In addition to the Korgo family of malware listening on Port 113 (T variant and some earlier versions), one submission whose email I returned (rejected at the far end) said he's seeing "attempts at SMTP AUTH, originating from Chinanet" in recent days
and explicitly denied any brute force pw activity. In a portion of my rejected response I also mentioned "It could indicate an NMAP "identd scan being run to
identify a handful of user accounts" and asked if there were any other log correlations from the indicated source IP's.

Discovered on: June 21, 2004, Last Updated on: June 30, 2004 12:09:09

SANS GSEC Tool Survey Responses Requested

On Friday, July 02, Eric Cole emailed SANS GSEC folks and asked for some assistance in "improving the GIAC certification." The assistance is in the form of answering the following:

1) the 10 tools you use most often to get your security job done

2) a brief description of how you use them (optional)

3) the platforms on which you run them

4) the top 3 tips/tricks that you utilize on daily basis that allow you to be more productive

If you get the time/chance to participate and answer these questions please respond to Eric's email ( ;^ ).


Patrick Nolan
Assistance from Johannes, Marc, and Jim, Fan club management by Ed
0 comment(s)


Diary Archives