December 7, 2009 at 9:51 am
My apologies if my post is unsuitable for this forum.
I work for a fairly small (40 ppl) company in Sweden. Last Friday evening I discovered that one of our SQL servers had a large number of port 1433 connections to an IP address in Russia (see attached screenshot).
Is there any way this could be legit? If not, what should I be looking for in order to get rid of the intruders? I fear that if our system has been compromised, there could be all kinds of bad things going on behind my back.
We have a hardware firewall, a Zyxel Zywall 35. As a temporary solution I have blocked all LAN-to-WAN traffic on port 1433 (TCP and UDP).
The server in question runs Win Server 2003 R2. The SQL is SQL Server 2005, I believe it is the Express Edition. This was part of an Autodesk package called Productstream Professional. We use it for managing CAD drawing files. This is strictly an in-house system, there are no external entities (such as customers or manufacturers) that have any access to this system whatsoever. The only exception to the above is that some of the designers work from their homes now and then, in which case they are connected via VPN to the system.
The server in question is dedicated to the Productstream app and is not used for any other purpose.
I would be most grateful for any input.
December 7, 2009 at 10:00 am
Hope you have got strong passwords!
Could just be a port scan, are you auditing login failure / success ?
December 7, 2009 at 10:06 am
If it is purely in-house then there should be NO ability to connect to SQL from outside. And even if it weren't then almost certainly anybody outside should be using some kind of VPN solution. Outside of hosted SQL providers there is almost no reason to have SQL visible on the net.
CEWII
December 7, 2009 at 10:08 am
I would assume it was at least a hacking attempt. How's your SQL security?
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
December 7, 2009 at 10:36 am
This could also be the Slammer worm. Once compromised, the server would "generate a random IP" and start trying to connect to it.
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
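A small triage script for the situation in this thread, added here as an example and not code from any poster: it parses `netstat -an` output from the SQL host, ignores LAN and VPN peers in the RFC 1918 ranges, and separates outbound connections the server itself is making to a SQL port (what the original poster saw, which an in-house server should never do) from inbound connections arriving from non-internal addresses (what the firewall should already make impossible). The sample output, the host addresses and the internal ranges are constructed placeholders; adjust `INTERNAL_NETS` to your own site.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: LAN clients and VPN users should land here. Site-specific assumption.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SQL_PORTS = {1433}  # the TCP port the thread is concerned with

# Constructed "netstat -an" sample, not the poster's screenshot. 203.0.113.x and
# 198.51.100.x are documentation addresses standing in for unknown public hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1433      192.168.1.57:49210     ESTABLISHED
  TCP    192.168.1.10:1433      10.8.0.12:50233        ESTABLISHED
  TCP    192.168.1.10:1050      203.0.113.45:1433      ESTABLISHED
  TCP    192.168.1.10:1051      203.0.113.45:1433      ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.45:1433      SYN_SENT
  TCP    192.168.1.10:1053      198.51.100.7:1433      SYN_SENT
  TCP    192.168.1.10:1433      198.51.100.9:61020     ESTABLISHED
  UDP    192.168.1.10:1434      *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) for every
    socket with a concrete peer; listeners and unbound '*:*' UDP sockets are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        if "*" in (lport, rip, rport) or rip == "0.0.0.0":
            continue
        yield proto, lip, int(lport), rip, int(rport), state

def triage_sql_sockets(text):
    """Return (outbound, inbound). outbound: non-internal peers this host connects TO on
    a SQL port, with counts. inbound: non-internal peers connected to the local SQL port.
    Many hits on one peer vs. one hit each on many peers tells targeted from scanning."""
    outbound, inbound = Counter(), Counter()
    for _proto, _lip, lport, rip, rport, _state in parse_netstat(text):
        if is_internal(rip):
            continue
        if rport in SQL_PORTS:
            outbound[rip] += 1
        elif lport in SQL_PORTS:
            inbound[rip] += 1
    return dict(outbound), dict(inbound)
```

Feed it the real `netstat -an` output saved to a file; anything in `outbound` is a connection the server initiated and needs an explanation, and anything in `inbound` means the firewall rule the poster added is not doing what was intended.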