sql slammer look a like attack


Amish
April 18th, 2008, 01:33 PM
Please find the logs below and suggest: many instances of port 1433 on the same server IP?


Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:381 0.0.0.0:0 LISTENING
TCP 0.0.0.0:382 0.0.0.0:0 LISTENING
TCP 0.0.0.0:383 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1079 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1181 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1185 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2301 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2381 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6129 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9304 0.0.0.0:0 LISTENING
TCP 0.0.0.0:12345 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13724 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13782 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13783 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49400 0.0.0.0:0 LISTENING
TCP 192.168.2.75:80 192.168.255.80:2439 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:2441 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:3109 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:3149 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:9574 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:23726 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:28501 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:32138 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:36766 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:38904 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:43037 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:47982 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:48767 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:49346 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:50291 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:50345 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:50957 ESTABLISHED
TCP 192.168.2.75:80 192.168.255.80:51055 ESTABLISHED
TCP 192.168.2.75:80 10.193.0.80:3823 ESTABLISHED
TCP 192.168.2.75:80 10.193.3.195:2082 ESTABLISHED
TCP 192.168.2.75:80 10.195.0.67:4102 ESTABLISHED
TCP 192.168.2.75:80 10.195.0.67:4103 ESTABLISHED
TCP 192.168.2.75:80 10.195.2.66:2286 ESTABLISHED
TCP 192.168.2.75:80 10.196.1.80:3007 ESTABLISHED
TCP 192.168.2.75:80 10.196.1.82:1722 ESTABLISHED
TCP 192.168.2.75:80 10.196.6.78:2080 ESTABLISHED
TCP 192.168.2.75:80 10.197.3.253:3187 ESTABLISHED
TCP 192.168.2.75:80 10.197.6.75:2286 ESTABLISHED
TCP 192.168.2.75:80 10.207.2.220:1295 ESTABLISHED
TCP 192.168.2.75:80 10.207.2.220:1296 ESTABLISHED
TCP 192.168.2.75:80 10.207.4.204:3046 ESTABLISHED
TCP 192.168.2.75:80 121.247.52.27:63658 ESTABLISHED
TCP 192.168.2.75:139 0.0.0.0:0 LISTENING
TCP 192.168.2.75:1433 192.168.255.101:1052 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1054 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1076 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1077 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1078 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:3204 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:3205 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:3206 ESTABLISHED
TCP 192.168.2.75:1840 97.253.18.67:12011 CLOSE_WAIT
TCP 192.168.2.75:3389 10.8.75.62:3001 ESTABLISHED
TCP 192.168.2.75:3540 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3614 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3615 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3616 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3617 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3686 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3687 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3688 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3689 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3690 192.168.255.165:135 TIME_WAIT
TCP 192.168.2.75:3691 192.168.255.165:1025 TIME_WAIT
TCP 192.168.2.75:3692 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3697 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3698 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3699 192.168.255.5:445 TIME_WAIT
TCP 192.168.2.75:3705 192.168.255.5:135 TIME_WAIT
TCP 192.168.2.75:3706 192.168.255.5:1025 TIME_WAIT
TCP 192.168.2.75:3711 192.168.255.5:389 TIME_WAIT
TCP 192.168.2.75:3712 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3713 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3714 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3715 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3716 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3717 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3718 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3719 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3720 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3722 192.168.255.169:139 TIME_WAIT
TCP 192.168.2.75:3724 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3725 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3726 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3732 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3733 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3734 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3735 192.168.255.155:80 TIME_WAIT
TCP 192.168.2.75:3736 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3737 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3738 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3739 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3740 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3741 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3742 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3743 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3744 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3745 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3885 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3886 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3887 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3888 192.168.2.75:1433 TIME_WAIT
TCP 127.0.0.1:383 127.0.0.1:3629 TIME_WAIT
TCP 127.0.0.1:1181 127.0.0.1:1192 ESTABLISHED
TCP 127.0.0.1:1185 127.0.0.1:1194 ESTABLISHED
TCP 127.0.0.1:1192 127.0.0.1:1181 ESTABLISHED
TCP 127.0.0.1:1194 127.0.0.1:1185 ESTABLISHED
TCP 127.0.0.1:2187 127.0.0.1:40000 ESTABLISHED
TCP 127.0.0.1:40000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:40000 127.0.0.1:2187 ESTABLISHED
TCP 172.17.10.24:3721 172.17.11.180:139 TIME_WAIT
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:161 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1027 *:*
UDP 0.0.0.0:1047 *:*
UDP 0.0.0.0:1089 *:*
UDP 0.0.0.0:1097 *:*
UDP 0.0.0.0:1180 *:*
UDP 0.0.0.0:1184 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:3708 *:*
UDP 0.0.0.0:13001 *:*
UDP 192.168.2.75:137 *:*
UDP 192.168.2.75:138 *:*
UDP 192.168.2.75:500 *:*

Snurfen
April 18th, 2008, 06:23 PM
Is this an SQL server system?

1443 is the default port for SQL server comms - what is this device connected to, and what OS and apps is it running?

Amish
April 19th, 2008, 07:31 AM
SQL server is running, its a video conferencing server.

Snurfen
April 19th, 2008, 09:39 AM
OK mate, without spending the rest of the day playing post ping-pong with you, I'm guessing that you've got some video conferencing utility fired up and the server wants to talk to the clients that do the conferencing.

It would seem to me that your server is chatting quite amicably with another device or devices saying "hello, I'm the control box for this VC suite, are you ready to send data through me?"

It would appear to be a fairly normal state of affairs for the control software to be asking clients if they wanted to play. Has this suddenly appeared from nowhere, or more likely, have you suddenly been given access to play with it?
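To make the triage in this thread concrete, here is an added example (not posted by anyone in the thread) that parses a `netstat -an` dump like the one above and answers the question being asked: who is actually talking to TCP 1433, how many of the TIME_WAIT entries are the server connecting to its own SQL instance, which peers are outside private address space, and whether UDP 1434 is bound. The SAMPLE text is a constructed subset of the lines Amish posted, and the function names are my own.

```python
"""Triage a Windows `netstat -an` dump for SQL Server port activity.

Added example, not code from the thread. SAMPLE is a constructed subset
of the posted output; helper and field names are assumptions of this example.
"""
import ipaddress
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port foreign_ip foreign_port state")

# Constructed subset of the netstat output posted above.
SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 192.168.2.75:80 121.247.52.27:63658 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1052 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:1054 ESTABLISHED
TCP 192.168.2.75:1433 192.168.255.101:3204 ESTABLISHED
TCP 192.168.2.75:3540 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3614 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3615 192.168.2.75:1433 TIME_WAIT
TCP 192.168.2.75:3690 192.168.255.165:135 TIME_WAIT
TCP 192.168.2.75:1840 97.253.18.67:12011 CLOSE_WAIT
UDP 0.0.0.0:1434 *:*
UDP 192.168.2.75:137 *:*
"""


def _split_endpoint(ep):
    """'192.168.2.75:1433' -> ('192.168.2.75', 1433); '*:*' -> ('*', None)."""
    ip, _, port = ep.rpartition(":")
    return ip, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(parts[1])
        fip, fport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        conns.append(Conn(parts[0], lip, lport, fip, fport, state))
    return conns


def port_summary(conns, port=1433):
    """Group every TCP row touching `port` by who is on the other end."""
    local_ips = {c.local_ip for c in conns}  # addresses this host owns
    s = {"listening": False, "inbound": Counter(), "self": 0, "outbound": Counter()}
    for c in conns:
        if c.proto != "TCP":
            continue
        if c.local_port == port and c.state == "LISTENING":
            s["listening"] = True
        elif c.local_port == port:
            s["inbound"][c.foreign_ip] += 1  # clients of the SQL instance
        elif c.foreign_port == port and c.foreign_ip in local_ips:
            s["self"] += 1  # the server's own app opening short-lived SQL sessions
        elif c.foreign_port == port:
            s["outbound"][c.foreign_ip] += 1  # this host acting as a SQL client elsewhere
    return s


def external_peers(conns):
    """Peers outside RFC 1918 / special-use space, with the port and state seen."""
    found = set()
    for c in conns:
        if c.foreign_ip in ("*", "0.0.0.0") or c.state == "LISTENING":
            continue
        if not ipaddress.ip_address(c.foreign_ip).is_private:
            found.add((c.foreign_ip, c.foreign_port, c.state))
    return sorted(found)


def slammer_check(conns):
    """Slammer (2003) spread with a single UDP datagram to 1434, the SQL Server
    Resolution Service; it never opened TCP sessions. TCP 1433 TIME_WAITs to
    the host itself are therefore not a Slammer sign; a reachable UDP 1434
    socket on an unpatched instance is what would matter."""
    bound = [c.local_ip for c in conns if c.proto == "UDP" and c.local_port == 1434]
    return {"udp_1434_bound": bool(bound), "bound_on": bound}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("1433:", port_summary(rows))
    print("external:", external_peers(rows))
    print("udp 1434:", slammer_check(rows))
```

Run against the full dump, the `self` counter is what explains the wall of TIME_WAIT rows: every one of them has the server's own address on both ends, with the client-side port climbing by one per connection, which is an application opening and closing SQL connections rather than anything arriving from outside. The `inbound` counter then shows the real SQL clients (a single host, 192.168.255.101, in the post), and `external_peers` lists the handful of rows that actually leave private address space and so deserve a look on their own merits.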