[nsp-sec] Update: Strong Increase in port 1433/tcp
Klaus Moeller
moeller at dfn-cert.de
Tue Mar 3 13:18:54 EST 2009
On Monday, 2 March 2009 17:41:46, Klaus Moeller wrote:
> ----------- nsp-security Confidential --------
> Our darknet (and SANS ISC) also see a strong increase (8 fold now) in src
> ip addresses accessing port 1433/tcp (MS-SQL). Overall traffic to that
> port (flows, packets, bytes) does not seem to increase, at least not much.
First, let me thank you for all the replies I got. I have not yet had the time
to answer since I've been busy with my daily work and further analysis. Here's
what we found out so far:
1) The attack has now tapered off, as already reported by others. It peaked
yesterday evening (about 20:00 UTC+1) with about 14K unique src
ip-addresses accessing port 1433/tcp. This is up from well below 500 for
the rest of the time (see attached graph).
2) I've seen no clear pattern in the src ip-addresses, no country or ASN
that sticks out. Src ports seem to be in the range 3500 - 5000.
3) I agree with Tomasz that it was most likely some sort of dictionary
attack. However, the packets we saw were different from those seen by Tomasz
(Arrakis). It looks more like distributed SSH password guessing attacks,
i.e. one host makes a connection, tries one or very few passwords and then
drops the connection. I did not have this information yesterday, as we only
finished a very primitive sort of MS-SQL honeypot by noon today.
Here's the packet dump from our honeypot; the indented part is the server
response. It's the only response the honeypot sends, but we had the same
results on the attacker's side with a real MS-SQL 2000 server.
0000 12 01 00 2f 00 00 01 00 00 00 1a 00 06 01 00 20 .../.... .......
0010 00 01 02 00 21 00 01 03 00 22 00 04 04 00 26 00 ....!... ."....&.
0020 01 ff 09 00 00 00 00 00 00 00 00 00 00 9c 00 ........ .......
    0000 04 01 00 25 00 00 01 00 00 00 15 00 06 01 00 1b ...%.... ........
    0010 00 01 02 00 1c 00 01 03 00 1d 00 00 ff 08 00 02 ........ ........
    0020 fe 00 00 02 00 .....
002F 10 01 01 24 00 00 01 00 1c 01 00 00 02 00 09 72 ...$.... .......r
003F 40 1f 00 00 00 00 00 06 80 54 00 00 00 00 00 00 @....... .T......
004F e0 03 00 00 00 00 00 00 00 00 00 00 5e 00 0a 00 ........ ....^...
005F 72 00 02 00 76 00 08 00 86 00 1c 00 be 00 0d 00 r...v... ........
006F d8 00 00 00 d8 00 1c 00 10 01 00 00 10 01 06 00 ........ ........
007F b3 17 6e 98 43 46 1c 01 00 00 1c 01 00 00 1c 01 ..n.CF.. ........
008F 00 00 00 00 00 00 44 00 53 00 41 00 44 00 31 00 ......D. S.A.D.1.
009F 32 00 33 00 34 00 31 00 34 00 73 00 61 00 a2 a5 2.3.4.1. 4.s.a...
00AF b3 a5 92 a5 92 a5 d2 a5 53 a5 82 a5 e3 a5 2e 00 ........ S.......
00BF 4e 00 65 00 74 00 20 00 53 00 71 00 6c 00 43 00 N.e.t. . S.q.l.C.
00CF 6c 00 69 00 65 00 6e 00 74 00 20 00 44 00 61 00 l.i.e.n. t. .D.a.
00DF 74 00 61 00 20 00 50 00 72 00 6f 00 76 00 69 00 t.a. .P. r.o.v.i.
00EF 64 00 65 00 72 00 31 00 34 00 31 00 2e 00 39 00 d.e.r.1. 4.1...9.
00FF 2e 00 32 00 34 00 36 00 2e 00 31 00 31 00 34 00 ..2.4.6. ..1.1.4.
010F 2e 00 4e 00 65 00 74 00 20 00 53 00 71 00 6c 00 ..N.e.t. .S.q.l.
011F 43 00 6c 00 69 00 65 00 6e 00 74 00 20 00 44 00 C.l.i.e. n.t. .D.
012F 61 00 74 00 61 00 20 00 50 00 72 00 6f 00 76 00 a.t.a. . P.r.o.v.
013F 69 00 64 00 65 00 72 00 4d 00 61 00 73 00 74 00 i.d.e.r. M.a.s.t.
014F 65 00 72 00 e.r.
Best regards,
Klaus Möller, DFN-CERT
--
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
16. DFN-Workshop Sicherheit in vernetzten Systemen
https://www.dfn-cert.de/ws2009/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dfn-cert-graph-tue-evening.png
Type: image/png
Size: 53528 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090303/5314dfb9/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 486 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090303/5314dfb9/attachment-0001.sig>
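The dump in the message above is a TDS (MS-SQL) PRELOGIN exchange followed by the client's LOGIN7 packet. The decoder below is an added example, not the honeypot's or the author's code: it takes the three packets as transcribed from the hex dump (constructed input for this example), parses them according to the public MS-TDS layout, and reverses the LOGIN7 password obfuscation (nibble swap, then XOR with 0xA5). It shows why the guessed credential pair is recoverable from such a capture: the client asks for ENCRYPT_OFF, the honeypot's canned response advertises version 8.0.766 with ENCRYPT_NOT_SUP, so the login crosses the wire with nothing but that obfuscation. Field names and dictionary keys are this example's own choices.

```python
import struct

# Input for this example: the three packets transcribed from the hex dump in
# the post (client PRELOGIN, honeypot PRELOGIN response, client LOGIN7).
CLIENT_PRELOGIN = bytes.fromhex("""
12 01 00 2f 00 00 01 00 00 00 1a 00 06 01 00 20
00 01 02 00 21 00 01 03 00 22 00 04 04 00 26 00
01 ff 09 00 00 00 00 00 00 00 00 00 00 9c 00""")
SERVER_PRELOGIN = bytes.fromhex("""
04 01 00 25 00 00 01 00 00 00 15 00 06 01 00 1b
00 01 02 00 1c 00 01 03 00 1d 00 00 ff 08 00 02
fe 00 00 02 00""")
CLIENT_LOGIN7 = bytes.fromhex("""
10 01 01 24 00 00 01 00 1c 01 00 00 02 00 09 72
40 1f 00 00 00 00 00 06 80 54 00 00 00 00 00 00
e0 03 00 00 00 00 00 00 00 00 00 00 5e 00 0a 00
72 00 02 00 76 00 08 00 86 00 1c 00 be 00 0d 00
d8 00 00 00 d8 00 1c 00 10 01 00 00 10 01 06 00
b3 17 6e 98 43 46 1c 01 00 00 1c 01 00 00 1c 01
00 00 00 00 00 00 44 00 53 00 41 00 44 00 31 00
32 00 33 00 34 00 31 00 34 00 73 00 61 00 a2 a5
b3 a5 92 a5 92 a5 d2 a5 53 a5 82 a5 e3 a5 2e 00
4e 00 65 00 74 00 20 00 53 00 71 00 6c 00 43 00
6c 00 69 00 65 00 6e 00 74 00 20 00 44 00 61 00
74 00 61 00 20 00 50 00 72 00 6f 00 76 00 69 00
64 00 65 00 72 00 31 00 34 00 31 00 2e 00 39 00
2e 00 32 00 34 00 36 00 2e 00 31 00 31 00 34 00
2e 00 4e 00 65 00 74 00 20 00 53 00 71 00 6c 00
43 00 6c 00 69 00 65 00 6e 00 74 00 20 00 44 00
61 00 74 00 61 00 20 00 50 00 72 00 6f 00 76 00
69 00 64 00 65 00 72 00 4d 00 61 00 73 00 74 00
65 00 72 00""")

PRELOGIN_OPTS = {0: "VERSION", 1: "ENCRYPTION", 2: "INSTOPT", 3: "THREADID", 4: "MARS"}
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}
# Order of the LOGIN7 offset/length table (TDS 7.x); names are this example's own.
LOGIN7_STRINGS = ["hostname", "username", "password", "appname", "servername",
                  "unused", "library", "language", "database"]


def tds_header(pkt):
    """8-byte TDS packet header (big-endian): type, status, length, spid, id, window."""
    ptype, _status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", pkt[:8])
    if length != len(pkt):
        raise ValueError("TDS length field %d != %d bytes captured" % (length, len(pkt)))
    return ptype, pkt[8:]


def parse_prelogin(pkt):
    """PRELOGIN (0x12) and its response (0x04): a table of (token, offset, length)
    entries terminated by 0xFF; offsets count from the start of the body."""
    ptype, body = tds_header(pkt)
    opts, pos = {}, 0
    while body[pos] != 0xFF:
        token, off, ln = struct.unpack_from(">BHH", body, pos)
        opts[PRELOGIN_OPTS.get(token, "OPT%d" % token)] = body[off:off + ln]
        pos += 5
    ver = opts["VERSION"]  # major, minor, 16-bit build (big-endian), 16-bit sub-build
    return {
        "from": "server" if ptype == 0x04 else "client",
        "version": "%d.%d.%d" % (ver[0], ver[1], struct.unpack(">H", ver[2:4])[0]),
        "encryption": ENCRYPTION[opts["ENCRYPTION"][0]],
    }


def decode_password(buf):
    """Undo the LOGIN7 password obfuscation: the sender swaps the nibbles of each
    UTF-16LE byte and XORs it with 0xA5, so decoding is XOR 0xA5, then swap back."""
    out = bytearray()
    for b in buf:
        x = b ^ 0xA5
        out.append(((x & 0x0F) << 4) | (x >> 4))
    return out.decode("utf-16-le")


def parse_login7(pkt):
    """LOGIN7 (0x10): little-endian fixed header, then an offset/length table whose
    strings are UCS-2 (length in characters, offsets from the start of the body)."""
    ptype, body = tds_header(pkt)
    if ptype != 0x10:
        raise ValueError("not a LOGIN7 packet (type 0x%02x)" % ptype)
    tds_version, _pkt_size, _prog_ver, client_pid = struct.unpack_from("<IIII", body, 4)
    fields = {"tds_version": "0x%08x" % tds_version, "client_pid": client_pid}
    pos = 36  # end of the fixed 36-byte header, start of the offset/length table
    for name in LOGIN7_STRINGS:
        off, cch = struct.unpack_from("<HH", body, pos)
        raw = body[off:off + 2 * cch]
        fields[name] = decode_password(raw) if name == "password" else raw.decode("utf-16-le")
        pos += 4
    fields["client_id"] = body[pos:pos + 6].hex(":")  # 6-byte ClientID (MAC-style)
    return fields


if __name__ == "__main__":
    for pkt in (CLIENT_PRELOGIN, SERVER_PRELOGIN):
        print(parse_prelogin(pkt))
    print(parse_login7(CLIENT_LOGIN7))
```

Run as a script it prints the negotiated encryption on both sides and the decoded LOGIN7 fields (host name, user name, clear-text password, application and library name, target server, database). Pointed at a full honeypot capture, the same decoder turns each short-lived connection of a distributed guessing run into a username/password pair that can be correlated across source addresses.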