Security Basics mailing list archives

Re: Several hosts broadcasting to port 1434


From: Adriel Desautels <adriel () netragard com>
Date: Fri, 23 May 2008 15:46:01 -0400

Sounds a bit fishy. I'd evaluate the systems that are sending the traffic. Identify the process responsible and make sure that it is not malware. This does sound very malwareish.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45


the_loser55 () hotmail com wrote:
Hello,

I've just started playing with Snort rules and created a new rule for the internal network that would grab any traffic on port 1434 "Microsoft-SQL-Monitor". The rule is now running and I see several desktop PCs sending out traffic to destination 255.255.255.255 port 1434. So my question is: are these desktops compromised? I've seen references to an MS-SQL worm with activity like this. Any thoughts would be much appreciated.

Thanks
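
The following is an added example, not part of the original thread: a triage of captured UDP/1434 payloads that separates the one-byte instance-enumeration broadcast SQL client tools send from requests that do not fit the protocol. The opcode values and the 32-byte instance-name limit are taken from Microsoft's SQL Server Resolution Protocol specification ([MC-SQLR]); the function names and sample packets are constructed for illustration.

```python
# Added example: classify UDP/1434 payloads by SQL Server Resolution Protocol opcode.
CLNT_BCAST_EX, CLNT_UCAST_EX = 0x02, 0x03    # one-byte "enumerate instances" requests
CLNT_UCAST_INST, CLNT_UCAST_DAC = 0x04, 0x0F  # requests that carry an instance name
MAX_INSTANCE_NAME = 32                        # spec limit in bytes, excluding the NUL

def classify(dst_ip: str, payload: bytes) -> str:
    """Return 'benign-discovery', 'benign-lookup' or 'suspicious: <reason>'."""
    if not payload:
        return "suspicious: empty payload"
    op, rest = payload[0], payload[1:]
    if op in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        if rest:
            return "suspicious: trailing data after one-byte enumeration request"
        return "benign-discovery"
    if op in (CLNT_UCAST_INST, CLNT_UCAST_DAC):
        if op == CLNT_UCAST_DAC:
            rest = rest[1:]                   # skip the protocol-version byte
        name = rest.split(b"\x00", 1)[0]
        if len(name) > MAX_INSTANCE_NAME:
            return "suspicious: oversized instance name (%d bytes)" % len(name)
        if dst_ip == "255.255.255.255":
            return "suspicious: unicast-only request sent to broadcast"
        return "benign-lookup"
    return "suspicious: unknown opcode 0x%02x" % op

def triage(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload) tuples."""
    return [(src, classify(dst, data)) for src, dst, data in packets]

# Constructed sample traffic (filler bytes only, not a real capture).
SAMPLES = [
    ("10.0.0.21", "255.255.255.255", b"\x02"),
    ("10.0.0.22", "10.0.0.5", b"\x04SQLEXPRESS\x00"),
    ("10.0.0.23", "255.255.255.255", b"\x04" + b"A" * 375),
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLES):
        print(src, verdict)
```

A benign verdict here only describes the payload; identifying the sending process on each desktop, as the reply advises, is still what confirms where the traffic comes from.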
