SANS Internet Storm Center (SANS ISC) InfoSec Forums

Odd behavior after MS-SQL scan
We received a couple of reports yesterday of some odd behavior after a scan that looks a lot like SQL Slammer (from Jan 2003).  I've only gotten captures of this activity from one user, so I thought I'd ask you, our faithful readers, for some assistance.  The behavior was that after a single UDP packet to port 1434, the target machine, which had multiple interfaces, first did a reverse DNS lookup and then attempted to do a wildcard NBT lookup back to the source machine from all of its interfaces.  This clearly provides too much information to the attacker (the other IPs configured on the target machine), so I'd like to get a better understanding of what might be happening.  The target machine was not running MS SQL Server and, from the information available at the moment, we're not aware of any firewall or other software on the target that might account for this odd behavior.  If anyone has seen similar behavior or has any idea what might cause this type of response to a scan, please let us know.
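As an added example (not code from the diary or from ISC), here is a small detector for the pattern described above: it takes flow-style records and reports every UDP/1434 probe that was followed, within a short window, by a reverse-DNS (PTR) lookup of the scanner and by NBT wildcard (NBSTAT *) queries sent back to the scanner, listing which local addresses those queries came from. The record format and the sample events are constructed for this example; the point is that a scanner learning more than one local address is the information leak the diary is worried about.

```python
from ipaddress import ip_address

# Constructed sample flow records, not a real capture:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, info)
SAMPLE_EVENTS = [
    (100.0, "203.0.113.7", 40000, "192.0.2.10", 1434, "udp", "probe"),          # Slammer-like probe
    (100.1, "192.0.2.10", 51000, "192.0.2.53", 53, "udp", "PTR 7.113.0.203.in-addr.arpa"),
    (100.2, "192.0.2.10", 137, "203.0.113.7", 137, "udp", "NBSTAT *"),          # wildcard NBT lookup
    (100.2, "10.0.0.10", 137, "203.0.113.7", 137, "udp", "NBSTAT *"),           # second interface leaks
    (100.3, "172.16.0.10", 137, "203.0.113.7", 137, "udp", "NBSTAT *"),         # third interface leaks
    (200.0, "203.0.113.8", 40001, "192.0.2.11", 1434, "udp", "probe"),          # probe with no reaction
    (300.0, "192.0.2.12", 137, "198.51.100.5", 137, "udp", "NBSTAT *"),         # unrelated NBT query
]

def ptr_name(ip):
    """Reverse-DNS name for an IPv4 address, e.g. 203.0.113.7 -> 7.113.0.203.in-addr.arpa."""
    return ip_address(ip).reverse_pointer

def find_reactive_lookups(events, window=5.0):
    """Map each scanner IP whose UDP/1434 probe triggered a PTR lookup and/or NBT wildcard
    queries back to it within `window` seconds to {"ptr": bool, "nbt_sources": [local IPs]}."""
    by_time = sorted(events, key=lambda e: e[0])
    findings = {}
    for ts, src, _sp, _dst, dport, proto, _info in by_time:
        if proto != "udp" or dport != 1434:
            continue                                   # only the probe packets start a window
        ptr_seen, nbt_sources = False, set()
        for ts2, src2, _sp2, dst2, dport2, proto2, info2 in by_time:
            if not (ts <= ts2 <= ts + window) or proto2 != "udp":
                continue
            if dport2 == 53 and info2 == f"PTR {ptr_name(src)}":
                ptr_seen = True                        # target resolved the scanner's address
            elif dport2 == 137 and dst2 == src and info2.startswith("NBSTAT *"):
                nbt_sources.add(src2)                  # NBT wildcard query sent back to the scanner
        if ptr_seen or nbt_sources:
            findings[src] = {"ptr": ptr_seen, "nbt_sources": sorted(nbt_sources)}
    return findings

def leaked_interfaces(findings):
    """Scanners that were shown more than one local address by the NBT queries."""
    return {s: f["nbt_sources"] for s, f in findings.items() if len(f["nbt_sources"]) > 1}

if __name__ == "__main__":
    for scanner, f in find_reactive_lookups(SAMPLE_EVENTS).items():
        print(scanner, f)
```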

------------------
Jim Clausing, jclausing /at/ isc.sans.org, http://handlers.sans.org/jclausing/