Showing posts with label worm. Show all posts

Monday, March 26, 2012

New SQL worm? Getting multiple, continuous connections from random IPs for the last 4 days

Our bandwidth usage has tripled since this started happening. We get about 1 new attack daily. To stop the attacks we either block the IPs on the router or email the ISP to get the guy off the network. This is happening to every SQL server on the network. It seems to be scanning for open port 1433.
Example:
TCP 229.133.145.237:1433 65.203.118.170:36950 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:36975 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37028 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37058 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37101 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37112 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37182 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37204 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37255 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37282 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37326 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37357 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37409 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37438 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37484 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37519 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37567 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37579 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37640 TIME_WAIT
TCP 229.131.145.234:1433 65.203.118.170:37649 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37723 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37744 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37804 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37815 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37890 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37901 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37963 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:37971 TIME_WAIT
TCP 229.133.145.237:1433 65.203.118.170:38045 TIME_WAIT
TIA!

It seems that you scan them... Please post more details.
Bojidar Alexandrov
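Added example, not part of the thread above: a small Python script that parses "netstat -an" output in the layout the poster pasted and flags any remote IP that has opened many connections to local port 1433, which is what a single host hammering the SQL Server listener looks like (one source IP, a run of climbing ephemeral ports, mostly in TIME_WAIT). The sample text is constructed here: the 65.203.118.170 rows are copied from the post, the 10.0.0.x rows, the header and the threshold value are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the "netstat -an" layout of the listing in the post:
# the 65.203.118.170 -> :1433 rows are taken from it, the 10.0.0.x rows and
# the header are made up here for contrast. Not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    229.133.145.237:1433   65.203.118.170:36950   TIME_WAIT
  TCP    229.133.145.237:1433   65.203.118.170:36975   TIME_WAIT
  TCP    229.133.145.237:1433   65.203.118.170:37028   TIME_WAIT
  TCP    229.133.145.237:1433   65.203.118.170:37058   TIME_WAIT
  TCP    229.133.145.237:1433   10.0.0.5:49211         ESTABLISHED
  TCP    229.133.145.237:3389   10.0.0.9:50102         ESTABLISHED
  TCP    229.133.145.237:1433   65.203.118.170:37101   TIME_WAIT
  UDP    0.0.0.0:1434           *:*
"""

# Proto, local ip:port, remote ip:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header lines and blanks simply do not match
            yield m.groups()


def find_scanners(text, local_port="1433", threshold=10):
    """Map remote IP -> number of distinct source ports it used against
    local_port. One remote host burning through ephemeral ports against 1433
    (a column of TIME_WAIT rows) is the pattern in the post: a single process
    reconnecting over and over, e.g. a login brute-forcer. The threshold is a
    judgement call; tune it to what a normal snapshot looks like on your box."""
    hits = defaultdict(set)
    for proto, _lip, lport, rip, rport, _state in parse_netstat(text):
        if proto == "TCP" and lport == local_port:
            hits[rip].add(rport)
    return {ip: len(ports) for ip, ports in hits.items() if len(ports) >= threshold}


def block_list(text, **kw):
    """Sorted list of IPs worth blocking at the router while the ISP is contacted."""
    return sorted(find_scanners(text, **kw))


if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_NETSTAT, threshold=3).items():
        print(f"{ip}: {n} connections to port 1433")
```

Feed it the real thing with something like `netstat -an > snap.txt` on the server and `find_scanners(open("snap.txt").read())`; take several snapshots a minute apart, because a scanner that only probes once leaves a single row and will not cross the threshold, while the hosts in the post keep reconnecting for days.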

Friday, March 23, 2012

New SQL Server 2000 worm?

Hi all.

My SQL Server 2000 SP4 installation running on Windows 2003 server (SP1, all patches current) has been infected TWICE by something that Sophos can't detect.

The symptoms are that an account called SQLsys is created on the machine and is made an administrator.

A service called "ApptoService spoolsrv" is created. An executable called syss.exe is also created in a few places. After infection the machine immediately starts attacking other computers on the network.

I had Windows Firewall running, with ports open for SQL server and Remote Desktop.

I ran the MBSA; it didn't find anything open.

I even ran the beta MS web scanning tool; it didn't detect any trojans.

I'm going to be restoring the machine (AGAIN), but I wish I knew what security hole is being found! Any ideas?
Please try changing your SA account password. Try a complicated password that has numbers, letters, and symbols in it. Also, do not allow your SQL Server to have inbound access from the internet. At the very least, block port 1433 on your firewall.

Have you noticed this issue again after setting a strong SA password?

Thanks
Laurentiu

Try using Windows Defender beta, which is good at catching such trojans and spyware. Also check for any spurious activity on the SQL Server by referring to data and log file usage with an audit trail.
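Added example, not from any of the posters above: a quick sweep for the three indicators the original post names (a local account called SQLsys, a service displayed as "ApptoService spoolsrv", and syss.exe dropped on disk), written in Python against the text output of `net user` and `sc query` so it can be run from any machine that can reach the server's files. The command output below is constructed from those indicators; the service key name "spoolsrv", the host name SQLBOX and the benign entries are assumptions made up for the sample.

```python
import re

# Constructed command output, built only from the indicators the post names
# (an account "SQLsys", a service displayed as "ApptoService spoolsrv", and
# syss.exe files). The service key name "spoolsrv", the host name and the
# other entries are made up for the sample; none of this is a real capture.
NET_USER_OUTPUT = """\
User accounts for \\\\SQLBOX

-------------------------------------------------------------------------------
Administrator            Guest                    SQLsys
The command completed successfully.
"""

SC_QUERY_OUTPUT = """\
SERVICE_NAME: spoolsrv
DISPLAY_NAME: ApptoService spoolsrv
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: MSSQLSERVER
DISPLAY_NAME: MSSQLSERVER
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

FILE_LISTING = [
    r"C:\WINDOWS\system32\syss.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",  # the legitimate print spooler, for contrast
    r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
]

# Indicators from the post, compared case-insensitively.
IOC_ACCOUNTS = {"sqlsys"}
IOC_SERVICE_DISPLAY_NAMES = {"apptoservice spoolsrv"}
IOC_FILENAMES = {"syss.exe"}


def parse_net_user(text):
    """Account names from `net user` output: the whitespace-separated table
    between the dashed rule and the closing status line. (Names containing
    spaces would be split; good enough for a quick sweep.)"""
    names, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.update(line.split())
    return names


def parse_sc_query(text):
    """{service key name: display name} from `sc query` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            services[current] = ""
            continue
        m = re.match(r"^DISPLAY_NAME:\s*(.+?)\s*$", line)
        if m and current is not None:
            services[current] = m.group(1)
    return services


def check_host(net_user_text, sc_query_text, file_paths):
    """Return sorted (kind, detail) findings for every indicator present."""
    findings = []
    for name in parse_net_user(net_user_text):
        if name.lower() in IOC_ACCOUNTS:
            findings.append(("account", name))
    for key, display in parse_sc_query(sc_query_text).items():
        if display.lower() in IOC_SERVICE_DISPLAY_NAMES:
            findings.append(("service", f"{key} ({display})"))
    for path in file_paths:
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() in IOC_FILENAMES:
            findings.append(("file", path))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in check_host(NET_USER_OUTPUT, SC_QUERY_OUTPUT, FILE_LISTING):
        print(f"[{kind}] {detail}")
```

On the real server, capture `net user`, `sc query` and `dir /s /b C:\syss.exe` to text files and pass their contents in. An empty result only means those three artefacts are absent; it says nothing about whether the SA password has been guessed, which is why the replies above still ask you to change it and to keep 1433 off the internet.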