June 4, 2004 at 8:25 am
Hello, I am getting some unusual information from our Network Administrator responsible for firewall scanning. Here is how he describes the issue:
"Our firewall logs are getting filled with SQL requests. Currently we are seeing a lot of activity from UDP port 1434. This port is acting as a source port and sending messages to IP 10.0.0.4 at port 1071. Interestingly we don't have any machine with that IP in our network. We have instances of SQL 2000 and MSDE in our Andover site. These are patched with either SP3 or SP3a. But we are still having this issue. Any help with this will be appreciated...."
As I understand, we are talking about many source SQL Servers that are trying to send messages to 10.0.0.4 on the port 1434. This port is mostly blocked. It is blocked for all SQL Server computers that are not running multiple instances. We do understand that 1434 is a Slammer port and that is why 100% of SQL Servers are patched with SP3 or SP3A.
Is anyone familiar with this issue?
Regards, Yelena Varsha
June 5, 2004 at 9:49 am
You may have something unpatched or someone is looking for a server. 1434 is used to find instances across the network and see if they are running. If there is a response, then typically you'd see 1433 connection attempts.
I've only seen this when there is an infected machine searching for others.
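An added example, not part of the thread: a Python triage of firewall records that separates UDP 1434 instance lookups, replies sent from source port 1434, and the TCP 1433 attempts that typically follow a response. The log format, the 192.168.1.x addresses and the `probe_threshold` value are assumptions made for illustration; only 10.0.0.4 and port 1071 come from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall log format (not from the thread).
SAMPLE_LOG = """\
2004-06-04 08:01:12 DENY UDP 192.168.1.20:1434 -> 10.0.0.4:1071
2004-06-04 08:01:13 DENY UDP 192.168.1.21:1434 -> 10.0.0.4:1071
2004-06-04 08:01:15 DENY UDP 192.168.1.20:1434 -> 10.0.0.4:1071
2004-06-04 08:02:01 ALLOW UDP 192.168.1.77:3312 -> 192.168.1.20:1434
2004-06-04 08:02:01 ALLOW UDP 192.168.1.77:3313 -> 192.168.1.21:1434
2004-06-04 08:02:02 ALLOW UDP 192.168.1.77:3314 -> 192.168.1.22:1434
2004-06-04 08:02:05 ALLOW TCP 192.168.1.77:3320 -> 192.168.1.20:1433
2004-06-04 08:03:00 ALLOW TCP 192.168.1.50:4100 -> 192.168.1.9:80
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(log_text, probe_threshold=3):
    """Split SQL-related records into lookups, replies and 1433 follow-ups."""
    probes = defaultdict(set)     # source -> hosts it queried on UDP 1434
    replies = defaultdict(set)    # host sending from UDP 1434 -> recipients
    followups = defaultdict(set)  # client -> hosts it then tried on TCP 1433
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that do not fit the assumed format
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["proto"] == "UDP" and dport == 1434:
            probes[src].add(dst)
        elif m["proto"] == "UDP" and sport == 1434:
            replies[src].add(f"{dst}:{dport}")
        elif m["proto"] == "TCP" and dport == 1433:
            followups[src].add(dst)
    # Hypothetical rule: a source querying many distinct hosts on 1434 is
    # searching for servers rather than talking to one known instance.
    sweepers = sorted(s for s, h in probes.items() if len(h) >= probe_threshold)
    return {
        "sweepers": sweepers,
        "replying_hosts": {h: sorted(r) for h, r in replies.items()},
        "followups": {c: sorted(h) for c, h in followups.items()},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The `replying_hosts` entry lists which machines are sending from port 1434 and to whom, which is the list to check for patch level and for whatever is prompting the replies.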