SANS ISC: InfoSec Handlers Diary Blog - Mailbag Items for Ports 1433 and 113

Mailbag Items for Ports 1433 and 113

Published: 2004-07-04
Last Updated: 2004-07-05 23:41:55 UTC
by Patrick Nolan (Version: 1)
Port 1433 Mailbag

Port 1433 is in the Top Ten ports scanned, with a significant increase in the number of Targets.

http://isc.sans.org/top10.php

http://isc.sans.org/port_report.php?l=20&a=0&s=records&d=desc&date_month=07&date_day=04&date_year=2004
Significant increases in the number of Targets scanned have occurred since June 12th, and are even more evident when looking further back (next two links):

http://isc.sans.org/port_details.php?port=1433&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=Submit+Query

http://isc.sans.org/port_details.php?port=1433&repax=1&tarax=2&srcax=2&percent=N&days=240&Redraw=Submit+Query

Diary readers have submitted interesting information related to exploits aimed at Port 1433.

One honeypot dump submission showed a "mssql password brute force attempt" from a couple of days ago. Some lessons learned over time have been:

(1) don't put your db outside the firewall,

(2) don't rely on passwords, since exploiters even try some odd passwords many people consider 'safe'.

(3) set a realistic pw lockout policy - and read the logs
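Lesson (3) above, "read the logs", as an added example that is not from the diary or its submitters: a small Python detector that parses failed-logon lines in the style of a SQL Server error log (the sample lines are constructed; the exact log format, the 60-second window and the five-failure threshold are assumptions) and flags any client hammering a single account the way the honeypot saw the sa login being brute forced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server error log (not from the diary);
# timestamps, user names and TEST-NET client addresses are made up.
SAMPLE_LOG = """\
2004-07-03 10:15:22.43 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:15:22.51 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:15:22.60 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:15:22.68 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:15:22.77 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:15:22.85 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2004-07-03 10:16:01.02 Logon     Login failed for user 'webapp'. [CLIENT: 192.0.2.44]
2004-07-03 10:20:45.11 Logon     Login succeeded for user 'webapp'. [CLIENT: 192.0.2.44]
2004-07-03 10:31:09.90 Logon     Login failed for user 'sa'. [CLIENT: 192.0.2.10]
"""

# Matches only failed logons; captures timestamp, account name and client address.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client) for every failed-login line; ignore the rest."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("client")


def find_bruteforce(text, threshold=5, window_seconds=60):
    """Return {(client, user): peak failures in one sliding window} for pairs at/above threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (client, user) -> failure times still inside the window
    peaks = {}
    for ts, user, client in parse_failures(text):
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks
```

On the sample, the single later failure from the same client falls outside the window and does not add to the count, so a slow retry is only caught by lowering the threshold or widening the window.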



Another Port 1433 honeypot submission from RSS#### was taken from a commercial honeypot product. It showed osql-32 sa login password failures. Passwords attempted (from the submissions only) were:

blimp, corner, craze, curb, daunt, deadline, delight, devil, dismayed, doom, drizzle, ecstasy, emigrant, entire, evince, eyelid, faulty, finished, flop, forcible, forsale, frontier, garlic, glee, grabat, grower, hard, hectic, hijack, holy, humus, impede, iniquity, inventor, jeweller, keyboard, lamp, lean, lieup, locate, lucky, mallard, matinee, meter, mister, mortgage, mutable, nether, notable, offal, oration, overload, pasture, perform, pink, pirate, poorly, prepare, protect, putout, rainbow, recount.



There has also been some other speculation that a "new mssql brute force tool" is going around, so if you've got some info on a new tool please post us a note.

Last item on Port 1433: there's an excellent paper on "TCP/1433 MS-SQL" by Handler Kevin C. Liston at:

http://www.giac.org/practical/Kevin_Liston_GCIH.doc
Port 113 Mailbag

Other readers have submitted information concerning Port 113 scans mentioned in the Handler's Diary of July 1st 2004.
http://isc.sans.org/diary.php?date=2004-07-01

In addition to the Korgo family of malware listening on Port 113 (the T variant and some earlier versions), one submission, whose email I returned (rejected at the far end), said he's seeing "attempts at SMTP AUTH, originating from Chinanet" in recent days and explicitly denied any brute force pw activity. In a portion of my rejected response I also mentioned "It could indicate an NMAP identd scan being run to identify a handful of user accounts" and asked if there were any other log correlations from the indicated source IPs.

W32.Korgo.T

http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.t.html
Discovered on: June 21, 2004, Last Updated on: June 30, 2004 12:09:09 PM



SANS GSEC Tool Survey Responses Requested



On Friday, July 02, Eric Cole emailed SANS GSEC folks and asked for some assistance in "improving the GIAC certification." The assistance is in the form of answering the following:



1) the 10 tools you use most often to get your security job done

2) a brief description of how you use them (optional)

3) the platforms on which you run them

4) the top 3 tips/tricks that you utilize on a daily basis that allow you to be more productive



If you get the time/chance to participate and answer these questions please respond to Eric's email ( ;^ ).


-----------

Patrick Nolan
Assistance from Johannes, Marc, and Jim, Fan club management by Ed