At 07:44 25-6-02 -0400, Mason Landrum wrote:
>Anyone,
>
>I have been getting the following alarms from my GnatBox several times a
>day for about the past six months. Can anyone shed any light as to what is
>happening here. I can see that it has something to do with MS SQL Server
>but would like more information about what someone is looking for and if
>it is a deliberate process or just a regular function of someone's
>misguided SQL Server.
>
>The source port increments one for each instance and the external alias
>IPs vary throughout the instances.
>
>Thanks in advance for your insight!
>
>Sincerely,
>Mason Landrum
>
>-----------------------------------------------------------------------------
>
>      ALARM NO: 14
>          DATE: Mon 2002-06-24 15:53:54 GMT
>      PRIORITY: 4
>     INTERFACE: EXTERNAL (ep2)
>INTERFACE TYPE: External
>    ALARM TYPE: Block
>     IP PACKET: TCP [194.184.159.81/2565]-->[various EXT aliases/1433] l=0 f=0x2
>                [194.184.159.81/2565]-->[various EXT aliases/ms-sql-s]

Hi,

this probably has to do with this "recently" published MS SQL hole/exploit:
http://www.cert.org/incident_notes/IN-2002-04.html
(I think?)

I've seen a significant increase in scans to this port the last few months,
so much that I decided to add it to my "no-log" rule for common scanned
ports.

Benno...
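
An added example, not part of either message above: a small Python summarizer that groups "IP PACKET" alarm lines of the quoted layout by source and reports sources sending bare SYNs to port 1433 on several addresses. The function name, the sample lines (documentation addresses), and the reading of f= as the TCP flags byte and l= as the payload length are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alarms in the layout quoted above; the addresses are
# documentation ranges, not values taken from the original post.
SAMPLE = """\
IP PACKET: TCP [192.0.2.81/2565]-->[203.0.113.10/1433] l=0 f=0x2
IP PACKET: TCP [192.0.2.81/2566]-->[203.0.113.11/1433] l=0 f=0x2
IP PACKET: TCP [192.0.2.81/2567]-->[203.0.113.12/1433] l=0 f=0x2
IP PACKET: TCP [198.51.100.7/40112]-->[203.0.113.10/1433] l=0 f=0x12
IP PACKET: TCP [198.51.100.9/1044]-->[203.0.113.10/80] l=0 f=0x2
"""

PACKET = re.compile(
    r"TCP \[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\] "
    r"l=(?P<len>\d+) f=(?P<flags>0x[0-9a-fA-F]+)"
)
SYN, ACK = 0x02, 0x10

def find_sweeps(log_text, port=1433, min_targets=3):
    """Return {source: summary} for sources probing `port` on many addresses."""
    seen = defaultdict(lambda: {"targets": set(), "sports": []})
    for m in PACKET.finditer(log_text):
        flags = int(m["flags"], 16)
        # Assumption: f= is the TCP flags byte, l= the payload length.
        # A connection probe is a SYN without ACK and without payload.
        is_probe = (flags & (SYN | ACK)) == SYN and int(m["len"]) == 0
        if int(m["dport"]) != port or not is_probe:
            continue
        seen[m["src"]]["targets"].add(m["dst"])
        seen[m["src"]]["sports"].append(int(m["sport"]))
    report = {}
    for src, d in seen.items():
        if len(d["targets"]) < min_targets:
            continue
        ports = d["sports"]
        # Source port rising by one per packet is consistent with one host
        # opening connections back to back, as the original post observed.
        sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        report[src] = {"targets": len(d["targets"]),
                       "sequential_sports": sequential}
    return report

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE).items():
        print(src, info)
```

A per-source summary like this keeps a record of who is sweeping the port even when the individual alarms are too noisy to read one by one.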
