[nsp-sec] Strong Increase in port 1433/tcp

Smith, Donald Donald.Smith at qwest.com
Mon Mar 2 16:31:23 EST 2009


That should be sql not swl:)
And I think dasher is the constant since that has been around a LONG time.
Can someone that saw this in their darknet validate that the increase is caused by the non-6000-1433 traffic?


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Monday, March 02, 2009 1:18 PM
> To: 'Klaus Moeller'; 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
> 
> ----------- nsp-security Confidential --------
> 
> Is ~1/2 of it all coming from or going to tcp port 6000?
> 
> 
> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) || ($8==6000) )print $8}' | wc -l
> 458159
> wc -l /tmp/1433.03-02.ips 
> 845859 
> 
> Count source port:
> Sourced from 6000
> 442043 6000
> 19026 80
> 1784 443
> 
> Destined to 6000
> 16116 6000
> 12539 80
> 1874 443
>  624 3759
> 
> Mostly syn scanning.
> 
> This shows 324 non syn packets sourced from 6000 destined to 1433.
> 
> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) && ($10!=2) )print $8}' | wc -l
> 324
> 
> So what are those? They are all resets.
> w32.dasher used 6000 as a source port and attempted to 
> exploit a Microsoft swl server vulnerability.
> 
> http://vil.mcafeesecurity.com/vil/content/v_137567.htm
> 
> Note that your two pictures show a huge increase in source 
> ips not destination ips.
> The sans shows targets stayed about the same.
> 
> So is this an outbreak of dasher or is dasher the old noise 
> and this is something new?
> 
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia   
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > Klaus Moeller
> > Sent: Monday, March 02, 2009 9:42 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] Strong Increase in port 1433/tcp
> > 
> > ----------- nsp-security Confidential --------
> > 
> > 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
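The checks in the quoted analysis (share of records touching port 6000, source/destination port histograms, and whether the non-SYN packets from 6000 to 1433 are all resets) reproduced over a constructed darknet sample, as an added example that is not from the thread. The record layout, the numeric flag values (2 = SYN, 4 = RST) and all addresses are assumptions, chosen so that the field positions match the awk one-liners above ($5 = source port, $8 = destination port, $10 = flags):

```python
from collections import Counter

SYN, RST = 0x02, 0x04  # assumed numeric TCP flag values in the constructed layout

# Constructed sample; the layout is an assumption that puts the source port in
# field 5, the destination port in field 8 and the flags in field 10.
SAMPLE = """\
2009-03-02 12:00:01 tcp 198.51.100.10 6000 -> 192.0.2.5 1433 flags 2
2009-03-02 12:00:01 tcp 198.51.100.11 6000 -> 192.0.2.5 1433 flags 2
2009-03-02 12:00:02 tcp 198.51.100.12 6000 -> 192.0.2.6 1433 flags 4
2009-03-02 12:00:02 tcp 198.51.100.13 80 -> 192.0.2.5 1433 flags 2
2009-03-02 12:00:03 tcp 198.51.100.14 443 -> 192.0.2.6 1433 flags 2
2009-03-02 12:00:03 tcp 198.51.100.15 3759 -> 192.0.2.7 6000 flags 2
2009-03-02 12:00:04 tcp 198.51.100.16 1234 -> 192.0.2.6 1433 flags 2
2009-03-02 12:00:04 tcp 198.51.100.17 6000 -> 192.0.2.7 6000 flags 2
"""


def parse_records(text):
    """Split each line into src/dst address, ports and flags; skip short lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # malformed or truncated record
        records.append({"src": f[3], "sport": int(f[4]), "dst": f[6],
                        "dport": int(f[7]), "flags": int(f[9])})
    return records


def summarize(records):
    """Same questions the thread asks, computed over the parsed records."""
    total = len(records)
    via_6000 = sum(1 for r in records if 6000 in (r["sport"], r["dport"]))
    # non-SYN packets sourced from 6000 and destined to 1433 (the "324" check)
    odd = [r for r in records
           if r["sport"] == 6000 and r["dport"] == 1433 and r["flags"] != SYN]
    return {
        "total": total,
        "share_via_6000": via_6000 / total if total else 0.0,
        "src_ports": Counter(r["sport"] for r in records).most_common(3),
        "dst_ports": Counter(r["dport"] for r in records).most_common(3),
        "non_syn_6000_to_1433": len(odd),
        # guard the empty case: all() over nothing would report True
        "non_syn_all_resets": bool(odd) and all(r["flags"] & RST for r in odd),
        "distinct_sources": len({r["src"] for r in records}),
        "distinct_targets": len({r["dst"] for r in records}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {value}")
```

Comparing distinct_sources against distinct_targets over two capture days is the same comparison the message makes between the source-IP and destination-IP graphs.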

