I believe there is a SQL-Server worm floating around that probes for a
server and uses the default sa/blank password login.

Paul

Paul R. Johnson
Senior Network Analyst
Johnson Industries
[EMAIL PROTECTED]


-----Original Message-----
From: Mason Landrum [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 7:44 AM
To: GTA Users (E-mail)
Subject: [gb-users] Unknown block alarms


Anyone,

I have been getting the following alarms from my GnatBox several times a day
for about the past six months. Can anyone shed any light as to what is
happening here? I can see that it has something to do with MS SQL Server but
would like more information about what someone is looking for and if it is a
deliberate process or just a regular function of someone's misguided SQL
Server.

The source port increments one for each instance and the external alias IPs
vary throughout the instances.

Thanks in advance for your insight!

Sincerely,
Mason Landrum

-----------------------------------------------------------------------------

      ALARM NO: 14
          DATE: Mon 2002-06-24 15:53:54 GMT
      PRIORITY: 4
     INTERFACE: EXTERNAL (ep2)
INTERFACE TYPE: External
    ALARM TYPE: Block
     IP PACKET: TCP  [194.184.159.81/2565]-->[various EXT aliases/1433]  l=0 f=0x2
                     [194.184.159.81/2565]-->[various EXT aliases/ms-sql-s]

-----------------------------------------------------------------------------
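
The pattern described in this thread (connection attempts from one source to TCP 1433 on several external aliases, with the source port rising by one each time) can be picked out of a saved alarm log mechanically. The Python below is an added example, not part of the original messages or of GTA's software; the sample alarms are constructed with documentation addresses, and reading `f=` as the TCP flags byte and `l=` as the payload length is an assumption about the GnatBox alarm format.

```python
import re
from collections import defaultdict

# Constructed sample alarms in the layout shown above; destinations use
# documentation addresses (192.0.2.0/24), not the poster's real aliases.
SAMPLE = """\
IP PACKET: TCP  [194.184.159.81/2565]-->[192.0.2.10/1433]  l=0 f=0x2
IP PACKET: TCP  [194.184.159.81/2566]-->[192.0.2.11/1433]  l=0 f=0x2
IP PACKET: TCP  [194.184.159.81/2567]-->[192.0.2.12/1433]  l=0 f=0x2
IP PACKET: TCP  [198.51.100.7/40112]-->[192.0.2.10/1433]  l=0 f=0x12
IP PACKET: TCP  [198.51.100.9/51000]-->[192.0.2.10/80]  l=0 f=0x2
"""

# \s+ between fields also tolerates the line wrap before "f=" seen in mail.
PACKET = re.compile(
    r"IP PACKET:\s+TCP\s+\[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]"
    r"\s+l=(\d+)\s+f=(0x[0-9a-fA-F]+)"
)
SYN, ACK = 0x02, 0x10  # standard TCP flag bits (assumed meaning of f=)


def parse(text):
    """Yield (src, sport, dst, dport, length, flags) per blocked TCP packet."""
    for m in PACKET.finditer(text):
        src, sport, dst, dport, length, flags = m.groups()
        yield src, int(sport), dst, int(dport), int(length), int(flags, 16)


def mssql_sweeps(text, min_targets=3):
    """Summarise sources sending bare SYNs to 1433 on many destinations."""
    seen = defaultdict(lambda: {"targets": set(), "sports": []})
    for src, sport, dst, dport, _length, flags in parse(text):
        # Bare SYN (SYN set, ACK clear) is a new inbound connection attempt.
        if dport == 1433 and flags & SYN and not flags & ACK:
            seen[src]["targets"].add(dst)
            seen[src]["sports"].append(sport)
    report = {}
    for src, d in seen.items():
        if len(d["targets"]) >= min_targets:
            sp = d["sports"]
            # True when each attempt used the previous source port plus one.
            seq = all(b - a == 1 for a, b in zip(sp, sp[1:]))
            report[src] = {"targets": len(d["targets"]), "sequential_ports": seq}
    return report


if __name__ == "__main__":
    print(mssql_sweeps(SAMPLE))
```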

