Security Incidents mailing list archives

RE: Decrease in 1433 Scans?


From: "John Campbell" <jcampbell () wsipc org>
Date: Thu, 23 May 2002 10:30:38 -0700

Yesterday was actually our busiest day so far for 1433 scans.  We saw
our first presumably automated scan (111 connection attempts, within a
few seconds) on 5/19.  Yesterday (5/22) we got three of them, for a
total of 300 or so connection attempts.  This in comparison to the 80K -
120K TCP 80 scans we get per day, depending on what day of the month it
is.

John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)

-----Original Message-----
From: Matt Barton [mailto:matt () webexc com] 
Sent: Thursday, May 23, 2002 9:38 AM
To: incidents () securityfocus com
Subject: Decrease in 1433 Scans?


Hello

Access attempts to port 1433 have been steady all this week, with tons
of attempts every hour showing up in our firewall log; however, I have
not had a single attempt since 5:43 AM EST (no EDT here in Indiana).

The firewall is still logging and the integrity of my access-list
appears to be fine.  I doubt our uplink provider is doing this, as I can
reach the firewall if I attempt to connect to port 1433 with nmap from a
remote system.

Anyone else seeing this?

-- 

Matt Barton
Webexcellence
matt () webexc com
Phone:  317.423.3548 x22
Fax:  317.423.8735
www.webexc.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

