Today: ISC Login bugfix day. If you have issues logging in using OpenID, please email a copy of your OpenID URL to jullrich\at\sans.edu
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Cyber Security Awareness Month - Day 26 port 1433/1434 MSSQL
Ports 1433 and 1434 are the ports most associated with MSSQL, or, to security people, the Slammer ports.
Port 1433 is typically used for database connections, but like all TCP/IP services it does not have to be, and people do move the server to a different port. When alternate ports are used, the SQL Server Browser, listening on port 1434, lets users connect to the database and identify which port is being used by the database. The port is also called the MSQL monitoring port by some people.
MSSQL has a number of security risks associated with it, most notably the Slammer worm, which appeared in January of 2003. More than six years later it is still going around the internet, and its port is still one of the highest hit ports in our database, mainly because it still works.
Now, most people do not intentionally open up database ports to the internet, but a few of the Microsoft products included the desktop edition of MSSQL (MSDE), so many people inadvertently had these ports open and were infected.
A number of worms/bots have also exploited MSSQL through the default SA password, which for a long time was blank. This was later fixed with a patch and has subsequently been addressed in the later versions of MSSQL. However, we still see a lot of scans for the port, and in penetration tests entry is often gained through misconfigured MSSQL servers.
In short, databases are accessed by applications; there is no good reason for them to be directly accessible from the internet.
Mark H
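As an added example for the MSSQL diary above (not part of the original diary), the following Python sketch audits Windows `netstat -an` output for listeners on 1433/tcp and 1434/udp that are bound to a non-loopback address. The function name and the sample output are constructed for illustration; a flagged listener is a candidate to check against the firewall, not proof of internet exposure.

```python
import ipaddress

# Ports the diary discusses: 1433/tcp (database connections) and
# 1434/udp (SQL Server Browser, which tells clients the instance port).
MSSQL_PORTS = {("TCP", 1433): "MSSQL database listener",
               ("UDP", 1434): "SQL Server Browser"}

# Constructed sample of Windows `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        198.51.100.7:50211     ESTABLISHED
  TCP    [::]:1433              [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1900         *:*
"""


def exposed_mssql_listeners(netstat_text):
    """Return (proto, address, port, description) for each MSSQL-related
    listener bound to a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; only LISTENING sockets accept connections.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        desc = MSSQL_PORTS.get((proto, int(port)))
        if desc is None:
            continue
        # Drop IPv6 brackets and any zone id before parsing the address.
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        if ip.is_loopback:
            continue  # reachable only from the host itself
        findings.append((proto, str(ip), int(port), desc))
    return findings


if __name__ == "__main__":
    for proto, addr, port, desc in exposed_mssql_listeners(SAMPLE_NETSTAT):
        print(f"{desc}: {proto} {addr}:{port} is not loopback-only")
```

An instance moved to an alternate port will not match 1433, but a flagged 1434/udp listener shows the Browser service is running and will disclose that port to anyone who can reach it.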
Web honeypot Update
We just released a significant update to our web honeypot. If you are running it, please update (and make sure automatic updates are enabled).
If you are not running the honeypot yet, here is how to get started:
Prerequisites:
- you will need Apache and PHP (should work on Windows, but we do most of our testing on Linux)
- you DO NOT need to dedicate an IP address to the honeypot. It will work fine as a virtual host.
Getting Started
- log in to "My ISC"/"My DShield" https://isc.sans.org/myisc.html
- click on "My Information" https://isc.sans.org/myinfo.html
- find the web logs signup form on the page (see image below). Fill in your information.
- The "Latest honeypot version" link will link to the honeypot. Download it.
- create an empty directory (e.g. /srv/www/vhosts/webhoneypot )
- uncompress the webhoneypot into this EMPTY directory. (tar xzvf webhoneypot.tgz)
- configure the honeypot using our configure script: lib/config.php
The 'docs' directory includes a sample Apache configuration (honeypot.dshield.org.conf). You will need to adjust the directory.
Please let me know if you are running into any issues, and THANKS a lot for your help. The data will be publicly available to anybody interested in helping us analyze the data.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute