Port 1433

Discussion in 'Security and Privacy' started by Deloris, 2002/05/27.

Thread Status:
Not open for further replies.
  1. 2002/05/27
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Has anyone else been getting a lot of these lately? I sure have!

    ZoneAlarm Logging Client v2.6.357

    type date time source destination transport
    FWIN 2002/05/27 00:46:36 -5:00 GMT 207.40.127.196:4470 216.152.35.75:1433 TCP (flags:S)
    FWIN 2002/05/27 00:57:48 -5:00 GMT 207.236.27.34:2594 216.152.35.75:1433 TCP (flags:S)
    FWIN 2002/05/27 01:18:45 -5:00 GMT 203.204.59.213:4739 216.152.35.75:1433 TCP (flags:S)
    FWIN 2002/05/27 01:21:56 -5:00 GMT 211.171.204.252:3707 216.152.35.75:1433 TCP (flags:S)
    FWIN 2002/05/27 11:01:49 -5:00 GMT 211.105.245.92:4418 216.152.15.172:1433 TCP (flags:S)
    FWIN 2002/05/27 16:21:26 -5:00 GMT 61.206.143.54:1477 216.152.15.137:1433 TCP (flags:S)
    FWIN 2002/05/27 16:22:44 -5:00 GMT 211.176.12.244:3481 216.152.15.137:1433 TCP (flags:S)
    FWIN 2002/05/27 19:05:13 -5:00 GMT 66.220.17.100:4766 216.152.35.109:1433 TCP (flags:S)
    FWIN 2002/05/27 21:35:35 -5:00 GMT 210.180.34.136:2164 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 21:47:01 -5:00 GMT 211.94.193.176:3989 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 21:58:48 -5:00 GMT 61.104.101.73:2473 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 22:05:07 -5:00 GMT 67.115.252.153:2345 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 22:25:54 -5:00 GMT 211.176.22.13:2750 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 22:27:53 -5:00 GMT 63.238.185.147:3452 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 22:30:43 -5:00 GMT 210.207.58.138:1047 216.152.35.101:1433 TCP (flags:S)
    FWIN 2002/05/27 22:39:02 -5:00 GMT 208.28.250.80:2457 216.152.35.101:1433 TCP (flags:S)

    I got all of these just during the time I was here reading & posting to a couple of questions. About an hour and a half. When I go to the Whois, there is no identification other than the IP number.

    Deloris.
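    The log above is the kind of thing a firewall hands you with no interpretation. The script below is an added example, not code from the original post or from Zone Labs: it parses ZoneAlarm 2.x "FWIN" lines in exactly the format pasted above, groups inbound TCP SYNs by destination port, and reports how many distinct sources hit each port. A port hit by many unrelated sources in a short time is being swept by a worm or mass scanner rather than probed by one person, and the changing destination address shows a dial-up IP being picked up by the sweep no matter which address it is assigned. The sixteen sample lines are the real entries from the post; the one port-80 line, the 192.0.2.10 source, and the function names are constructed for the example.

```python
"""Summarise ZoneAlarm 2.x "FWIN" log lines to tell a port sweep from a targeted probe.

Added example for this thread, not code from the original post or from Zone Labs.
It assumes only the line format visible in the paste:
  type date time tz GMT src:port dst:port transport (flags:X)
"""
import re
from datetime import datetime

# Sixteen real lines from the first post, plus one constructed port-80 line
# (source 192.0.2.10 is a documentation address) so grouping has something to separate.
SAMPLE_LOG = """\
FWIN 2002/05/27 00:46:36 -5:00 GMT 207.40.127.196:4470 216.152.35.75:1433 TCP (flags:S)
FWIN 2002/05/27 00:57:48 -5:00 GMT 207.236.27.34:2594 216.152.35.75:1433 TCP (flags:S)
FWIN 2002/05/27 01:18:45 -5:00 GMT 203.204.59.213:4739 216.152.35.75:1433 TCP (flags:S)
FWIN 2002/05/27 01:21:56 -5:00 GMT 211.171.204.252:3707 216.152.35.75:1433 TCP (flags:S)
FWIN 2002/05/27 11:01:49 -5:00 GMT 211.105.245.92:4418 216.152.15.172:1433 TCP (flags:S)
FWIN 2002/05/27 12:00:00 -5:00 GMT 192.0.2.10:3001 216.152.15.172:80 TCP (flags:S)
FWIN 2002/05/27 16:21:26 -5:00 GMT 61.206.143.54:1477 216.152.15.137:1433 TCP (flags:S)
FWIN 2002/05/27 16:22:44 -5:00 GMT 211.176.12.244:3481 216.152.15.137:1433 TCP (flags:S)
FWIN 2002/05/27 19:05:13 -5:00 GMT 66.220.17.100:4766 216.152.35.109:1433 TCP (flags:S)
FWIN 2002/05/27 21:35:35 -5:00 GMT 210.180.34.136:2164 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 21:47:01 -5:00 GMT 211.94.193.176:3989 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 21:58:48 -5:00 GMT 61.104.101.73:2473 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 22:05:07 -5:00 GMT 67.115.252.153:2345 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 22:25:54 -5:00 GMT 211.176.22.13:2750 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 22:27:53 -5:00 GMT 63.238.185.147:3452 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 22:30:43 -5:00 GMT 210.207.58.138:1047 216.152.35.101:1433 TCP (flags:S)
FWIN 2002/05/27 22:39:02 -5:00 GMT 208.28.250.80:2457 216.152.35.101:1433 TCP (flags:S)
"""

# One ZoneAlarm log line; the "(flags:X)" part is present only for TCP.
LINE_RE = re.compile(
    r"^(?P<type>FWIN|FWOUT) (?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[+-]\d{1,2}:\d{2}) GMT (?P<src>\S+?):(?P<sport>\d+) "
    r"(?P<dst>\S+?):(?P<dport>\d+) (?P<proto>\w+)(?: \(flags:(?P<flags>\w+)\))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a ZoneAlarm entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # All lines carry the same UTC offset, so the naive local timestamp is fine for ordering.
    return {
        "type": d["type"],
        "when": datetime.strptime(d["date"] + " " + d["time"], "%Y/%m/%d %H:%M:%S"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "flags": d["flags"] or "",
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def probes_by_port(records, only_syn=True):
    """Group inbound TCP SYNs by destination port: count, distinct sources, first/last time."""
    out = {}
    for r in records:
        if r["type"] != "FWIN" or r["proto"] != "TCP":
            continue
        if only_syn and r["flags"] != "S":
            continue
        s = out.setdefault(r["dport"], {"count": 0, "sources": set(),
                                        "first": r["when"], "last": r["when"]})
        s["count"] += 1
        s["sources"].add(r["src"])
        s["first"] = min(s["first"], r["when"])
        s["last"] = max(s["last"], r["when"])
    return out


def flag_scan_campaigns(summary, min_sources=5):
    """Ports hit by many different sources are being swept, not targeted by one host."""
    return sorted(p for p, s in summary.items() if len(s["sources"]) >= min_sources)


def local_addresses(records):
    """Distinct destination addresses: on dial-up this shows the IP changing between sessions."""
    return sorted({r["dst"] for r in records})


def report(text):
    records = parse_log(text)
    summary = probes_by_port(records)
    for port in sorted(summary):
        s = summary[port]
        print(f"port {port}: {s['count']} SYNs from {len(s['sources'])} distinct sources, "
              f"{s['first']:%H:%M}-{s['last']:%H:%M}")
    print("swept ports:", flag_scan_campaigns(summary))
    print("local addresses seen:", local_addresses(records))


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

    Run as-is it reports port 1433 as hit 16 times by 16 different sources across five different local addresses, which is the signature of an address-range sweep; the single port-80 hit stays below the threshold. The threshold in `flag_scan_campaigns` is a judgement call for a home log; raise it if you keep longer logs.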
     
  2. 2002/05/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16

  4. 2002/05/28
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    markp62,

    Now I have what is probably a stupid question, but I am going to ask it anyway. :D

    Let's just say this worm got into an unprotected personal computer. What kind of problem would that cause?

    I do have a reason for asking that, believe it or not. :) Not my computer. As you saw, ZA stopped it cold.

    Another stupid question. :D

    What does SQL stand for? I know that every personal computer has a port 1433, but we aren't SQL, right?

    Told ya they were stupid questions. :)

    I know a lot of stuff, but there's a whole lot I don't know either, & I am self assured enough to admit it, & the only way to learn sometimes is to ask.

    Deloris.
     
  5. 2002/05/29
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Structured Query Language, a way to use a web browser to access databases on a server computer.
    If you had the worm, you would be the one doing the port scans. As the commands it is trying to do would not be successful with the 9x system.
    This worm is scanning IPs to see if it can find a port open. Then it would be trying to logon to the server with "sa" as the user and a blank password, crash the telnet and start a shell, download a couple of files and run them, report back if successful, and be in. They could do just about what they please.
    This is a Windows 2000 vulnerability, Linux doesn't have this problem.
    I had received multiple scans from various IPs on my ZA, too. Since I had closed my Netbios, I shut it down, waited a minute, then started it back up, I ended up with more than ever.
    We aren't SQL running 9x. I learned all this by being curious and researching this.
     
  6. 2002/05/29
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Thanks markp62,

    I appreciate the answer.

    If I understand you correctly, the worm could actually get onto someone's PC & then do the scanning from their PC in order to find a vulnerable SQL server. Even from a W98 PC, without the knowledge of the PC owner. Then the worm would report back to its creator via the infected PC. Hmmmmm! Interesting.
    Guess I should share this info with some others who think it isn't necessary to use a Firewall. :)

    I spend enough time messing up my eyesight on this computer as it is, so I figured I'd ask you & hoped you'd tell me. :D

    I'm still getting scads of those things on 1433 though. Persistent little booger.

    Thanks again.

    Deloris.
     
    Last edited: 2002/05/29
  7. 2002/05/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Deloris - I think in this particular case, the use of SQL means specifically the Microsoft database product. I know that TCP port 1433 is the default when you set up the M$ SQL. Not sure about any of the other products that use a structured query language though.

    For instance, I know of at least a couple of net boards that run on systems with MySQL but I have no idea what the default port for that one is.

    Also as an add-on note (from reading some of the articles) - they not only look for a system with a blank password for the SA (system admin) SQL account but also run a little brute-force password cracking app. So, if the SA account is protected but the password is short and easy, they can still get in.
     
    Newt,
    #6
  8. 2002/05/29
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Thanks Newt,

    I appreciate the information, although I am not quite sure I understand it all. :) That's really beside the point though. I don't have to totally understand to know that this worm is vicious & dangerous.

    One thing I'm trying to get is ammunition so that I can get it across to people that I am acquainted with, or family members, the importance of running a Firewall. I can't seem to get it through some of them's thick heads that a Firewall these days is absolutely necessary, even if you are on a dial up. I am on a dial up & I get plenty of hits on lots of my ports.

    That not all Trojans & Worms enter a computer by way of the e-mail client. That there are plenty of them that can & do enter through unprotected ports. And that if indeed someone gets a trojan installed on their computer & remotely uses their PC to commit illegal acts, then they could possibly get the blame for it. I need ammunition for convincing some of these hard headed people.

    Where can I get the ammunition that I need to convince these ding-dong friends & family of mine, :D , that they need a good Firewall?

    It didn't take much to convince me, but some people are just plain hard headed.:)

    Deloris.
     
  9. 2002/05/29
    dobhar Lifetime Subscription

    dobhar Inactive

    Joined:
    2002/05/24
    Messages:
    924
    Likes Received:
    3
    Hey Deloris

    Got a few sites for you to check out for your "ammunition". I use these sites at work and they have helped me out.

    Incidents.org
    CERT
    Safe-Hex
    VirusList
    Shields UP
    Computer Cops

    These are just a few...I have more links but they are too many to list, but if you navigate to my little :D hole on the net I have many more links on my "Tiny's Links Page" and "Tiny's AntiVirus Resource Page".

    You can find them at Tiny's Web Pages

    Hope this helps...:)
     
  10. 2002/05/30
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Thanks dobhar,

    Gotta go to the big city tomorrow, but I will be coming back to click, click, click. :D

    I appreciate the help. Hopefully I can convince a few of them. After all, if I do convince them, not only will it protect them, but it will protect ME. :D And a bunch of other people too. :)

    Thanks to everyone that responded.

    Deloris.
     
  11. 2002/05/30
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    See this recent thread. Interestingly enough, services.exe is the scanner used by this nasty (the Spida worm) to scan for SQL servers on port 1433. What the little beast does is send the configuration (together with whatever passwords are found) of the infected computer to some other host and then commence scanning for new targets. Spida is not otherwise destructive.

    Deloris wrote:-


    Absolutely. However, it is at least equally important to either disable unnecessary services (such as File/Printer Sharing) or, where those services are needed, to secure them. In a non-networked environment (where the services are unnecessary), the easiest way to do this is to use EBURGER, whilst the steps described at GRC can be used to secure the services within a network.

    BTW, these, et al, are the people responsible for the hits on your firewall :)
     
    Last edited: 2002/05/30
  12. 2002/05/30
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Ha! I've just started getting hit on this same port by "Max-Planck-Institut fur Plasmaphysik". Sounds very impressive :D
     
  13. 2002/05/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Deloris - you could probably make your point by planting a trojan on the computer of any non-believer and then just delivering a message to the effect "Hi - this is Deloris but if it wasn't, I could take control of your PC. You really need a firewall".

    That should do it I imagine. :D
     
  14. 2002/05/30
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Hi! I am back from the Big City, so it's time to start clicking. :)

    Newt,

    If I was smart enough I might just do that, but alas, I am NOT smart enough. :D

    I'll see what all this help you guys have provided says & hopefully I can get some good ammo to fire away with. They may hate me with a passion before I'm through. :D

    Thank you, all of you.

    Be good to yourselves, God Bless & I'll catch you later.

    Deloris
     
  15. 2002/05/30
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Brett,

    You have got to be kidding about DMP. We have one right here in Heber Springs.

    How did you find this out? Did the Whois tell you or what?

    I get so many hits on 1433, it seems useless to try to trace them all.

    BTW, I've gotten some pretty good stuff from all of you. Thanks guys!

    Some people are gonna be mad at me, I'm afraid. :D

    Deloris.
     
    Last edited: 2002/05/30
  16. 2002/05/31
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I looked into this a short while ago and it is worryingly easy. The tools which are necessary to gain unauthorised access to a remote machine are all shipped with Windows - no special software is needed. I would guess that a fast typist who was familiar with the relevant commands could find his way into an unprotected machine within 30 minutes if not considerably faster. Also rather worrying is the fact that the target machine need not be infected with a trojan in order for remote access to be gained - an open port is enough.

    Play with the tools here and here.

    Good luck. If more people were to have a sensible degree of protection, the rest of us would have to spend less time deleting Klez et al from our in-boxes :)
     
  17. 2002/05/31
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Deloris.

    Stand Firm.

    Being firm and insistent the users add protection to their PC is the only way we can stop ( or at least slow down ) the darn Viri.

    I have a Grandson who is VERY unhappy with me for the very reason being discussed.

    I just FIRMLY ( but not politely ) told him to get some protection on his machine or Do Not Ever Send me any E-mail.

    NAV caught ( before our little chat ) 2 or 3 e-mails ( forwarded by him ) with Snow White attached. Thank goodness for NAV and its E-Mail checker.

    BillyBob
     
    Last edited: 2002/05/31
  18. 2002/05/31
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0


    And did you know, Deloris, that this poor little chap is only 2 years old? ;) :D
     
  19. 2002/06/01
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Hi Everyone,

    Well, I wouldn't have the faintest idea how to use my existing OS to enter someone's computer & take control, and honestly, I don't want to know how. I just want to keep them out of mine.

    All of the ones I'm talking about have the proper Virus protection, & either I have convinced them, or a virus has convinced them, to keep their definitions up to date. It's the Firewalls I am having a hard time convincing them about. You know the way a lot of people think. The "it won't ever happen to me syndrome." That's what I am having a difficult time convincing some people of. That more & more "it can happen to them."

    I was lucky, when I first got a computer about four years ago. As far as I know, I never got a Trojan. I didn't know a thing about what the heck a Firewall was. I always had virus protection installed, & kept it up to date, but I went for a couple of years without a Firewall. The more I read about Trojans entering through ports & the worse things got, seeing reports on the news where things had happened, I decided I needed one of those Firewall "thingies." :D There's no way that I'd be without one now. In fact, I run two. What one don't catch, the other one does. :)

    Four years ago I was learning how to operate a Windows based PC at home, and a commercially applied Macintosh system, at work, all at the same time! You think that won't mess your mind up, when you don't know zip about either one to begin with? It sure will! But I did it! I was determined! Before then, I'd never touched a computer in my life to know how to do "anything" on one. If, at age 53 1/2, I was capable of learning two totally different, 180 degree opposite systems, with completely different applicational purposes of use, plus graphics applications on both, & also bookkeeping on the Mac, all at the same time, then I definitely wasn't dumb enough to continue without additional Firewall security protection on my PC once I learned of the necessity.

    Maybe I can aggravate them enough to wear them down & when they see just how many hits they get in just a couple of hours online, they'll realize that the distinct possibility of what I've been saying is there.

    Deloris.
     
  20. 2002/06/01
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Or maybe reading this and this would help convince them :)
     
  21. 2002/06/02
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    brett,

    For some reason the first link you gave don't work, but the second one did & it was scary enough. :D I definitely will pass it along. It should help a great deal in getting the point across.

    Man if my computer suddenly started talking to me, I'd immediately re-format that sucker, even if I'd never heard of a Trojan. :D

    Thanks a bunch.

    Deloris.
     