One of our readers, Warner, noted today what initially appeared to be a localized attack on port 1433/tcp (Microsoft SQL Port).  After some continued investigation we are seeing a bit of a spike in the Dshield data, we are indeed seeing a similar spike elsewhere.


Next step is to identify for what they are scanning. This will involve answering the SYN packets and seeing what happens. We already know there are many SYNs, we want to try to figure out what happens if the handshake completes.

Setting up something to answer can be done using netcat: "nc -l 1433 > capturefile" or "nc -L -p 1433 > capturefile" (depending on the version of netcat you're using) but it might need more of the protocol before it does its magic, so some experimentation might be needed.

Upload captures through the contact page please.

We'll update this story as it evolves.

Thanks to all handlers working on this: Scott, David, William, Robert, ...
--
Swa Frantzen -- Section 66