rianto isaac's Weblog

rianto utomo isaac sahala utomo

windows, Beware Attacks on TCP port 1433

leave a comment »

Beware Attacks on TCP port 1433

Every now and then I like to setup a sniffer and see what hackers are up to. Lately I had seen an increase in my firewall logs for scans to TCP Port 1433 which is used for SQL Server, so I setup a sniffer and waited. What I found was rather interesting, and enough to make you wonder about how bright some script kiddies are.

First the attack. Hackers are targeting SQL Server systems using the MSSQL Hello Buffer Overflow attack as described by Dave Aitel on August 1, 2002, but a better description of the attack was written up by Ben Jurry in »www.xfocus.org/documents/200308/3.html or the BugTraq version at »online.securityfocus.com/bid/5411

A sample packet

217.236.27.93 : 1927 TCP Data In Length 52 bytes : MD5 = D0ED2679AA818F9AC2B3429B55747ECA
— 30/12/2003 09:45:45.212
0000 12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1B …4…………
0010 00 01 02 00 1C 00 0C 03 00 28 00 04 FF 08 00 01 ………(……
0020 55 00 00 00 4D 53 53 51 4C 53 65 72 76 65 72 00 U…MSSQLServer.
0030 30 04 00 00 0…

The highly stupid part. Script Kiddies take note, if your exploit doesn’t work, then accept defeat and move on. Computers are digital and running the same packet over and over again (almost a hundred times over 20 minutes), isn’t likely succeed in anything except setting off alarms. So far I have seen this stupid behaviour twice, once from 217.236.27.93 and again from 80.138.159.186 In both case the attempts were roughly 9 to 10 seconds apart on random source ports and was attempted almost a hundred times. I would suspect that the same tool was used in both attacks, so take note there is likely a tool out there which has allowed the script kiddies in on this exploit.

In summary this is a rather nasty attack as it can allow the hacker to own your system, however Microsoft has long since released a patch for this so if you are prudent on applying patches you should be safe. When I setup the sniffer I was expecting to see the usual dictionary password attack but this attack is more sophisticated and worthy of notice, despite the stupid script kiddie factor.

Blake

http://www.dslreports.com/forum/remark,8929166~mode=flat

rianto bole ngopi dari orang🙂

Written by isaaconi

Juli 7, 2008 pada 9:25 am

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s

%d blogger menyukai ini: