I was contacted by a company stating my SQL server was probing their
network. The log files are as follows:

log record count for source ip
10.10.10.2 10.10.10.2: 255 (this is the ip address of my sql server)

log record count for destination ip

log record count for destination nets
172.21.0.0 : 255

log record "reject" count for source ip

2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.1 service ms-sql s_port 3712
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.2 service ms-sql s_port 3713
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.3 service ms-sql s_port 3714
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.4 service ms-sql s_port 3715

and it keeps incrementing ip and port #

2:15:47 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.255 service ms-sql s_port 3967

Is this a worm, trojan?

Any thoughts and help would be greatly appreciated

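Added example, not part of the original message: a small Python check that reads firewall records in the format quoted above and reports any source that hit many distinct hosts on one service within a short window, noting whether the destination addresses and source ports step by one as in the excerpt. The function name find_sweeps, the thresholds and the 10.10.10.7 record are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the firewall record format quoted in the message, one record per line.
LINE_RE = re.compile(
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) \S+ proto \S+ src (?P<src>\S+) "
    r"dst (?P<dst>\S+) service (?P<service>\S+) s_port (?P<sport>\d+)$")

# Constructed sample: four records repeat the excerpt above, the last is invented.
SAMPLE_LOG = """\
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.1 service ms-sql s_port 3712
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.2 service ms-sql s_port 3713
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.3 service ms-sql s_port 3714
2:15:02 TZ_GMT proto tcp src 10.10.10.2 dst 172.21.1.4 service ms-sql s_port 3715
2:15:10 TZ_GMT proto tcp src 10.10.10.7 dst 172.21.1.10 service http s_port 40112
"""

def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s  # no date in the log, so midnight wrap is ignored

def find_sweeps(log_text, min_targets=4, window_s=60):
    """Report each (src, service) that hit >= min_targets hosts within window_s."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if m := LINE_RE.match(line.strip()):
            groups[(m["src"], m["service"])].append(
                (to_seconds(m["time"]), int(ipaddress.ip_address(m["dst"])), int(m["sport"])))
    findings = []
    for (src, service), events in sorted(groups.items()):
        events.sort()  # by time, then destination for records in the same second
        best, start = [], 0
        for end in range(len(events)):  # sliding time window
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            if len({d for _, d, _ in window}) > len({d for _, d, _ in best}):
                best = window
        dsts = sorted({d for _, d, _ in best})
        ports = [p for _, _, p in best]
        if len(dsts) >= min_targets:
            findings.append({
                "src": src, "service": service, "targets": len(dsts),
                "dst_range": [str(ipaddress.ip_address(d)) for d in (dsts[0], dsts[-1])],
                "sequential_dsts": dsts == list(range(dsts[0], dsts[0] + len(dsts))),
                "sequential_sports": all(b - a == 1 for a, b in zip(ports, ports[1:])),
            })
    return findings
```

A server that only answers queries has no reason to open ms-sql connections to consecutive addresses, so a finding with both sequential flags set points to automated scanning originating from that host.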