[nsp-sec] Strong Increase in port 1433/tcp
Smith, Donald
Donald.Smith at qwest.com
Mon Mar 2 15:17:40 EST 2009
Is ~1/2 of it all coming from or going to tcp port 6000?
more /tmp/1433.03-02.ips | awk '{ if(($5==6000) || ($8==6000) )print $8}' | wc -l
458159
wc -l /tmp/1433.03-02.ips
845859
Count source port:
Sourced from 6000
442043 6000
19026 80
1784 443
Destined to 6000
16116 6000
12539 80
1874 443
624 3759
Mostly syn scanning.
This shows 324 non syn packets sourced from 6000 destined to 1433.
more /tmp/1433.03-02.ips | awk '{ if(($5==6000) && ($10!=2) )print $8}' | wc -l
324
So what are those? They are all resets.
W32.Dasher used 6000 as a source port and attempted to exploit a Microsoft SQL Server vulnerability.
http://vil.mcafeesecurity.com/vil/content/v_137567.htm
Note that your two pictures show a huge increase in source IPs, not destination IPs.
The SANS shows targets stayed about the same.
So is this an outbreak of dasher or is dasher the old noise and this is something new?
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Klaus Moeller
> Sent: Monday, March 02, 2009 9:42 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Strong Increase in port 1433/tcp
>
> ----------- nsp-security Confidential --------
>
>
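
The port-6000 share and the SYN/non-SYN split computed in the message above, done in one pass, as an added example that is not part of the original post. The flow-file layout is an assumption taken from the field numbers the post's awk commands use ($5 source port, $8 destination port, $10 TCP flags as a decimal bitmask); the sample records are constructed.

```shell
#!/bin/sh
# Constructed sample flows (not data from the post). Assumed layout:
# $5 = source port, $8 = destination port, $10 = TCP flags (decimal bitmask,
# 2 = SYN, 4 = RST, 16 = ACK). All other columns are filler.
sample_flows() {
cat <<'EOF'
2009-03-02 15:00:01 0.0 192.0.2.10 6000 -> 198.51.100.5 1433 6 2
2009-03-02 15:00:01 0.0 192.0.2.10 6000 -> 198.51.100.6 1433 6 2
2009-03-02 15:00:02 0.0 192.0.2.11 6000 -> 198.51.100.7 1433 6 2
2009-03-02 15:00:02 0.0 192.0.2.12 6000 -> 198.51.100.8 1433 6 4
2009-03-02 15:00:03 0.0 192.0.2.13 80 -> 198.51.100.9 1433 6 2
2009-03-02 15:00:03 0.0 198.51.100.5 1433 -> 192.0.2.10 6000 6 18
2009-03-02 15:00:04 0.0 192.0.2.14 3759 -> 198.51.100.5 1433 6 2
2009-03-02 15:00:05 0.0 192.0.2.15 6000 -> 198.51.100.4 1433 6 4
EOF
}

# Reads flow records on stdin and prints key=value lines:
#   total             all records
#   port6000          records with 6000 as source or destination port
#   nonsyn_from_6000  records 6000 -> 1433 whose flags are not a bare SYN
#   SYN, RST, ...     flag breakdown of the 6000 -> 1433 records
summarise_1433() {
awk '
function has(f, bit) { return int(f / bit) % 2 }
function flagname(f,   s) {
    s = ""
    if (has(f, 2))  s = s "SYN"
    if (has(f, 4))  s = s (s == "" ? "" : "+") "RST"
    if (has(f, 16)) s = s (s == "" ? "" : "+") "ACK"
    return (s == "") ? "flags_" f : s
}
{ total++ }
$5 == 6000 || $8 == 6000 { either++ }
$5 == 6000 && $8 == 1433 {
    seen[flagname($10)]++
    if ($10 != 2) nonsyn++
}
END {
    printf "total=%d\nport6000=%d\nnonsyn_from_6000=%d\n", total, either, nonsyn
    for (k in seen) printf "%s=%d\n", k, seen[k]
}' | LC_ALL=C sort
}

sample_flows | summarise_1433
```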