SANS ISC: TCP/1433 spike: Call for Packets. - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

One of our readers, Warner, noted today what initially appeared to be a localized attack on port 1433/tcp (Microsoft SQL Port).  After some continued investigation we are seeing a bit of a spike in the Dshield data, we are indeed seeing a similar spike elsewhere.


Next step is to identify for what they are scanning. This will involve answering the SYN packets and seeing what happens. We already know there are many SYNs, we want to try to figure out what happens if the handshake completes.

Setting up something to answer can be done using netcat: "nc -l 1433 > capturefile" or "nc -L -p 1433 > capturefile" (depending on the version of netcat you're using) but it might need more of the protocol before it does its magic, so some experimentation might be needed.

Upload captures through the contact page please.

We'll update this story as it evolves.

Thanks to all handlers working on this: Scott, David, William, Robert, ...
--
Swa Frantzen -- Section 66