On Thu, Oct 23, 2003 at 07:52:59AM -0700, Dirk Ouellette wrote:
> Date:10/23 01:14:35 Name:MS-SQL Worm propagation attempt Priority:2
> Type:Misc Attack IP info: 202.108.249.21:1032 -> 12.224.114.207:1434
> References:none foundSID: 2003
>
> Should I assume the above is pretty common? I looked at my firewall's
> intrusion detector logs and saw this and many more from China.
> Dirk

Yes, all public IP addresses are pretty much subject to constant connection attempts to various ports. 1434/udp is a SQL port which had a vulnerability for which a worm was written. Packets to it are most likely from an infected host.

I log invalid packets; however, when I start getting a lot of packets directed at some vulnerability that I don't have, such as the above, I "ignore" them with logcheck so I don't see them and can focus on the "irregular" packets.

Cory

-- 
Cory Petkovsek                Adapting Information
Adaptable IT Consulting       Technology to your
(541) 914-8417                business
[EMAIL PROTECTED]             www.AdaptableIT.com

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug