March 27, 2003 at 2:43 pm
Lately I have been observing sporadic strange activity on the ms-sql-s port when I run netstat -p tcp from command prompt. I see some strange "Foriegn Address" like ACB0C5.ipt.aol.com:1040 (port number keeps changing) trying to connect to ms-sql-s port.
The machine I am using is online with Windows 2000 server, MS SQL Server 2000 and using ASP for my front end pages. I am guessing its some sort of port scan, but thought will run it through security guru's. Any ideas or am I just being over cautious.
thanks,
Vijju
March 27, 2003 at 3:27 pm
Could be scanning. Could also be one of the two SQL worms related to the blank sa password issue roaming around. The port from the client is dynamically assigned by the client's system when it goes to make a connection, so expect that port number to always be different.
You might fire up logging on failed logins to see if any login attempts are being made.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
March 27, 2003 at 3:36 pm
I am guessing it may not be the worms floating around because I have changed the sa password as soon as I installed SQL server 2000 (thanks to guys on this site). I will fire up the logging on failed logins and see if it turns up anything.
thanks,
Vijju
March 27, 2003 at 6:32 pm
For security concern, you should apply security patch ms02-061 or service pack 3 if you havn't done it.
March 28, 2003 at 1:51 am
quote:
I am guessing it may not be the worms floating around because I have changed the sa password as soon as I installed SQL server 2000 (thanks to guys on this site).
Vijju, I think what Brian meant was that the remote addresses trying to access your server could be 'infected' by the worms, not your server.
--
Chris Hedgate @ Apptus Technologies (http://www.apptus.se)
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply