New Router getting banged on at port 1433. SQLSnake? What to do?
Hi,

I'm trying to figure out some things on my home network using a DI-704P router (with some more discussion in the Mac forum in post [link|http://z.iwethey.org/forums/render/content/show?contentid=72083|72083]).

Looking through the DI log, I'm seeing lots of activity on port 1433. E.g.

Thursday, January 02, 2003 17:17:45 Unrecognized access from 24.42.86.xxx:4683 to TCP port 1433
Thursday, January 02, 2003 17:17:48 Unrecognized access from 24.42.86.xxx:4683 to TCP port 1433
Thursday, January 02, 2003 17:17:54 Unrecognized access from 24.42.86.xxx:4683 to TCP port 1433


I've also seen activity from 66.136.157.xxx:4931 and 211.211.5.xxx:4294 and 203.228.149.xxx:2526.

Is this the MS SQLServer [link|http://isc.incidents.org/port_details.html?port=1433|"SQLSnake"] worm/virus? Should I be concerned, or is the firewall in the router doing its job? Should I do something to configure the DI-704P to combat this activity? (Nearly everything in the DLink is at its default configuration.) I've not looked at the Log before today so this may be typical activity these days that's simply new to me.

The PC in question is running WinME and SQLServer isn't anywhere near it.

Thanks!

Cheers,
Scott.
New 2 of 8 tries (via dialup) today == same port.
But the source #s have only one 3-digit set of the four, in common with yours.

I guess this means: it's Out There:

The firewall has blocked Internet access to your computer (TCP Port 1433) from 66.167.175.20 (TCP Port 3298) [TCP Flags: S].

Time: 1/2/03 5:48:10 PM

The firewall has blocked Internet access to your computer (TCP Port 1433) from 211.234.3.57 (TCP Port 1551) [TCP Flags: S].


Time: 1/2/03 10:01:50 PM


FWIW,
Ashton
New If you don't see many other incoming ports
then possibly someone just mistyped the IP of their SQL server, so several machines round the country are trying your box incorrectly. At any rate, I wouldn't worry if the DLink is catching it.

Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
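
An added example, not part of any post in this thread: one way to check a router log for how many distinct sources and destination ports are involved, assuming the DI-704P line format quoted in the first post. The function name `summarize`, the 30-second retry window and the sample addresses (documentation ranges) are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the first post.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Thursday, January 02, 2003 17:17:45 Unrecognized access from 192.0.2.10:4683 to TCP port 1433
Thursday, January 02, 2003 17:17:48 Unrecognized access from 192.0.2.10:4683 to TCP port 1433
Thursday, January 02, 2003 17:17:54 Unrecognized access from 192.0.2.10:4683 to TCP port 1433
Thursday, January 02, 2003 17:31:02 Unrecognized access from 198.51.100.7:4931 to TCP port 1433
Thursday, January 02, 2003 18:05:40 Unrecognized access from 203.0.113.99:2526 to TCP port 1433
Thursday, January 02, 2003 18:40:11 Unrecognized access from 198.51.100.7:1180 to TCP port 80
this line is not a log entry
"""

# The source address pattern also accepts masked octets such as 24.42.86.xxx.
LINE_RE = re.compile(
    r"^\w+, (?P<ts>\w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>[0-9x.]+):(?P<sport>\d+) to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def summarize(log_text, retry_window=30):
    """Per destination port: raw lines, distinct attempts, distinct sources."""
    last_seen = {}  # (src, sport, proto, dport) -> time of last matching line
    ports = defaultdict(lambda: {"lines": 0, "attempts": 0, "sources": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += bool(line.strip())  # count non-empty unparsed lines
            continue
        ts = datetime.strptime(m["ts"], "%B %d, %Y %H:%M:%S")
        flow = (m["src"], m["sport"], m["proto"], m["dport"])
        entry = ports[(m["proto"], int(m["dport"]))]
        entry["lines"] += 1
        entry["sources"].add(m["src"])
        # Same source address and port seen again within the window is a
        # retransmission of one connection attempt, not a new attempt.
        prev = last_seen.get(flow)
        if prev is None or (ts - prev).total_seconds() > retry_window:
            entry["attempts"] += 1
        last_seen[flow] = ts
    return dict(ports), skipped

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for (proto, port), e in sorted(summary.items()):
        print(f"{proto}/{port}: {e['lines']} lines, {e['attempts']} attempts, "
              f"{len(e['sources'])} sources")
    print("unparsed lines:", skipped)
```
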
New WinME could run MSDE
but I doubt you are running it if you never heard about it. MSDE is a Mini-SQL Server designed for just 5 clients or less. It comes in the MSDE directory of SQL Server 2000, and Office XP Pro or you can download it [link|http://www.normad.com/msde/msde2000.zip|From my website] and install it and see what kind of queries are being made in the SQL Log trace. But if it was me, I'd block access to it, tell the router to deny any packets coming in to port 1433, not unless you want to share that port with the world for some reason?

Now also it could be something else that is using that port, like a GNUTELLA client. Someone is probing your IP seeing if there is a GNUTELLA server there and using 1433 and other ports to see if they get a response. 3260 is the GNUTELLA port IIRC, but I could be wrong. I had people banging their packets on my firewall on that port and others. I had someone from my former employer trying to bang packets on the SNTP ports a year ago or so, nasty stuff.

But I am going to a new DSL provider and I will have dynamic IPs instead of a static one, harder for them to break into it then when the IP changes.

For an Alternative Nearly To Imitate IWETHEY please visit [link|http://pub75.ezboard.com/bantiiwethey|the ANTIIWETHEY Board]
providing an alternative to IWETHEY since December 2002