Odd behavior after MS-SQL scan
We received a couple of reports yesterday of some odd behavior after a scan that looks a lot like SQL Slammer (from Jan 2003). I've only gotten captures of this activity from one user, so I thought I'd ask you, our faithful readers, for some assistance. The behavior was that after a single UDP packet to port 1434, the target machine, which had multiple interfaces, first did a reverse DNS lookup and then attempted to do a wildcard NBT lookup back to the source machine from all of its interfaces. This is clearly providing too much information to the attacker (the other IPs configured on the target machine), so I'd like to get a better understanding of what might be happening. The target machine was not running MS SQL Server and, from the information available at the moment, we're not aware of any firewall or other software on the target that might account for this odd behavior. If anyone has seen similar behavior or has any idea what might cause this type of response to a scan, please let us know.

Jim Clausing, jclausing /at/


ISC Handler
Nov 7th 2005
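For readers who want to check their own captures for the reaction described above, here is a small detection script. It is an added example, not code from the diary or from SANS. It assumes a tshark-style one-line packet summary (the field layout is this example's own), takes "wildcard NBT lookup" to mean an NBSTAT name query for the name "*" over UDP/137, and uses Slammer's 376-byte UDP payload length as a "looks like Slammer" marker. The packet records and addresses are constructed for the example.

```python
"""Detect the reaction described in the diary: a single UDP/1434 probe answered
by a reverse DNS (PTR) lookup of the prober and wildcard NBT name queries
(NBSTAT for '*') sent back to the prober from several local interfaces.

Added example, not code from the ISC diary. The packet summaries below are
constructed to resemble tshark one-line output; all addresses are made up and
the field layout is an assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds relative to capture start
    src: str
    dst: str
    sport: int
    dport: int
    plen: int      # UDP payload length in bytes
    info: str      # protocol summary text (constructed)


# Constructed sample capture. 203.0.113.5 plays the prober; the probed host
# owns three interfaces: 198.51.100.10 (the one hit), 198.51.100.11 and 10.0.0.7.
SAMPLE = [
    Pkt(0.000, "203.0.113.5", "198.51.100.10", 1434, 1434, 376, "MS-SQL probe"),
    Pkt(0.004, "198.51.100.10", "198.51.100.1", 1025, 53, 42,
        "Standard query PTR 5.113.0.203.in-addr.arpa"),
    Pkt(0.006, "198.51.100.1", "198.51.100.10", 53, 1025, 42,
        "Standard query response, No such name"),
    Pkt(0.010, "198.51.100.10", "203.0.113.5", 137, 137, 50, "Name query NBSTAT *<00><00><00>"),
    Pkt(0.011, "198.51.100.11", "203.0.113.5", 137, 137, 50, "Name query NBSTAT *<00><00><00>"),
    Pkt(0.012, "10.0.0.7", "203.0.113.5", 137, 137, 50, "Name query NBSTAT *<00><00><00>"),
    # Unrelated traffic that must not be attributed to the probe.
    Pkt(5.000, "198.51.100.10", "198.51.100.1", 1026, 53, 33, "Standard query A www.example.com"),
]

SLAMMER_PAYLOAD_LEN = 376   # Slammer's UDP payload size (IP total length 404)


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 203.0.113.5 -> 5.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def find_probe_reactions(pkts, window=2.0):
    """Return one finding per UDP/1434 probe that provoked the pattern within `window` seconds.

    A finding records whether the probed host looked up the prober's PTR record,
    which local addresses sent a wildcard NBSTAT query back to the prober, and
    which of those addresses the prober did not already know (the leak).
    """
    findings = []
    for probe in pkts:
        if probe.dport != 1434:
            continue
        prober, probed = probe.src, probe.dst
        later = [p for p in pkts if probe.ts <= p.ts <= probe.ts + window]
        ptr_lookup = any(p.dport == 53 and reverse_name(prober) in p.info for p in later)
        nbstat_sources = {p.src for p in later
                          if p.dst == prober and p.dport == 137
                          and "NBSTAT" in p.info and "*" in p.info}
        if ptr_lookup or nbstat_sources:
            findings.append({
                "prober": prober,
                "probed_iface": probed,
                "slammer_sized": probe.plen == SLAMMER_PAYLOAD_LEN,
                "ptr_lookup": ptr_lookup,
                "nbstat_sources": nbstat_sources,
                # Addresses disclosed that the prober had not already touched.
                "leaked_ifaces": nbstat_sources - {probed},
            })
    return findings


if __name__ == "__main__":
    for f in find_probe_reactions(SAMPLE):
        print(f"{f['prober']} probed {f['probed_iface']} "
              f"(Slammer-sized: {f['slammer_sized']}, PTR lookup: {f['ptr_lookup']}); "
              f"NBSTAT from {sorted(f['nbstat_sources'])}; leaked {sorted(f['leaked_ifaces'])}")
```

The `leaked_ifaces` set is the security-relevant output: every address in it is one the prober learned only because the target answered from each of its interfaces. On a real capture, feed the script the output of a packet summary with the same fields, and widen `window` if the target's DNS resolution is slow.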
