SQLSERVER Port attacks

Posted on 2003-11-05
Last Modified: 2013-12-04
I'm using TCPView to monitor network activity on my server (Windows Server 2000, AD, Domain controller, webserver, MSSQLServer, eEye Firewall).

Server is fully patched.

For the last 24+ hours the following activity is occurring (I've X'd out my IP):

sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:48411      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:48306      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47590      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47432      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47334      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47231      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47131      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:47036      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46942      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46848      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46753      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:46665      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45961      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45856      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45767      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45678      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45586      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45497      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45412      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:45330      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44630      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44522      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44439      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44341      TIME_WAIT      
sqlservr.exe:1248      TCP      XX.X.XX.XXX:1433      210.159.9.212:44227      TIME_WAIT      

etc.

I think someone is attacking the port being used by MSSQL.

Questions:

What is happening exactly?
How do I make it stop?
How do I prevent this IP from attacking in the future?
What does "TIME_WAIT" mean?

What I've done so far:

Tried using the disconnect function in TCPView - didn't work.
Blocked that IP in IIS - didn't work.

Question by:TMDX

Assisted Solution

by:ViRoy
ViRoy earned 100 total points
ID: 9688604

looks like a denial of service attack (DoS)
we can see he is trying to establish multiple connections at the same time.
if he were to succeed, he would eat all available connections of your SQL server, which means no-one else would be able to establish new connections.

do you have a firewall? if so, ban him
if not i would recommend taking preventative steps such as using an intrusion detection system (IDS).
an IDS can be configured on this server or on a stand-alone box, and the IDS can be configured logically to temporarily ban someone (such as the person hitting you) after repeatedly failing or spamming.
pretty sweet... here's a free one that i would recommend - www.snort.org
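An added detection example, not code from the thread or from any of its posters: it parses TCPView-style rows like the ones quoted in the question and flags a remote IP that holds many connection slots on the SQL Server port, which is the per-source threshold check an IDS of the kind ViRoy suggests would apply. The sample rows, addresses and ports are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed TCPView-style rows (process:pid, proto, local, remote, state).
# Addresses and ports are made up for this example; 203.0.113.7 plays the
# remote host that keeps reconnecting to the SQL Server listener.
SAMPLE = """\
sqlservr.exe:1248      TCP      10.0.0.5:1433      203.0.113.7:48411      TIME_WAIT
sqlservr.exe:1248      TCP      10.0.0.5:1433      203.0.113.7:48306      TIME_WAIT
sqlservr.exe:1248      TCP      10.0.0.5:1433      203.0.113.7:47590      TIME_WAIT
sqlservr.exe:1248      TCP      10.0.0.5:1433      203.0.113.7:47432      ESTABLISHED
sqlservr.exe:1248      TCP      10.0.0.5:1433      10.0.0.22:3105         ESTABLISHED
sqlservr.exe:1248      TCP      10.0.0.5:1433      10.0.0.22:3106         TIME_WAIT
inetinfo.exe:1100      TCP      10.0.0.5:80        198.51.100.9:51000     ESTABLISHED
"""

ROW = re.compile(r"^(\S+):(\d+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_tcpview(text):
    """Turn TCPView/netstat-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proc, pid, proto, lip, lport, rip, rport, state = m.groups()
        rows.append({"proc": proc, "pid": int(pid), "proto": proto,
                     "local": (lip, int(lport)), "remote": (rip, int(rport)),
                     "state": state})
    return rows


def flood_sources(rows, port=1433, threshold=3):
    """Remote IPs using at least `threshold` distinct source ports against local `port`.

    TIME_WAIT rows are connections the server has already closed and is holding
    briefly so late packets get dropped; one peer churning through dozens of
    them (plus any ESTABLISHED ones) is the pattern to alert on.
    """
    ports_by_src = defaultdict(set)
    states_by_src = defaultdict(Counter)
    for r in rows:
        if r["proto"] == "TCP" and r["local"][1] == port:
            ports_by_src[r["remote"][0]].add(r["remote"][1])
            states_by_src[r["remote"][0]][r["state"]] += 1
    return {src: {"connections": len(p), "states": dict(states_by_src[src])}
            for src, p in ports_by_src.items() if len(p) >= threshold}
```

Run against a real TCPView or `netstat -ano` capture, the returned dict gives the source to block at the perimeter together with the state mix that shows whether the connections are completing or merely churning.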

Expert Comment

by:ViRoy
ID: 9688657

wow i checked the IP address out and it looks to be reserved by a JAPANESE ISP!
not good there, it would be very difficult to hold an overseas party accountable.

i would maybe elevate the priority level a bit on this one :<

Author Comment

by:TMDX
ID: 9689516
Hi, thanks for the reply. I downloaded snort, but wasn't able to get it to work. (missing one file, go and find it, then missing another and so on).

I do have a firewall. I'm using eEye Digital Security Secure IIS firewall, which doesn't seem to support IP blocking. (Considering that it cost something like $8000 you'd think it would ???) I've sent a tech request to them today to see if it can be done. In the meantime I am blocking that IP within IIS, however this hasn't affected the activity copied above. As of right now this activity is still occurring.

I'll bump up the points on this and spread them around as appropriate.

Thanks for the help so far.

Author Comment

by:TMDX
ID: 9689522
*points bump*

Author Comment

by:TMDX
ID: 9690063
I've received a reply from eEye:

--------------------

"SecureIIS is an application firewall, specifically designed to protect IIS against known and unknown attacks. As such, it will not protect your MSSQL install, nor does it use a port blocking configuration as standard firewalls do. SecureIIS functions as an ISAPI filter within the IIS space, so it can intercept requests, analyze them, and block them if any part of the request is deemed invalid.

Regarding the issue reported, you will need to use a perimeter, or even a personal firewall to block the respective port being used in the DoS attack.

I hope this helps.

Thank you

Signed,
eEye Digital Security Support"

----------------

Any suggestions?

Accepted Solution

by:
Gnart earned 400 total points
ID: 9690505
SQL-Slammer worm is attacking your machine on port 1433 and 1434...... see here:

http://www.cert.org/advisories/CA-2003-04.html

Modify your router or firewall to drop TCP/UDP on those ports..... problem solved.

cheers

Author Comment

by:TMDX
ID: 9694544
All, thanks for the help.

I applied SP3 to MSSQL and it fixed the problem.

The strange part -- I had already applied SP3 to MSSQL in January 2003. Weird.

Expert Comment

by:ViRoy
ID: 9694850
glad to hear!

sorry snort didn't work for ya.