#1
Has anyone else noticed an increase in Microsoft-SQL-Server scans while using Zone Alarm?
Over the past 3-4 days I've received a ton of inbound Microsoft-SQL-Server scans. What are they and why so many now? I'm using Zone Alarm 2.6.88 and Visual Zone to read my logfiles. Thanks for any info.
#2
Hi Suzy,
Welcome! See also here, where something was posted about it: http://www.security-pro.co.uk/yabb/YaBB.pl?board=osif;action=display;num=1022006809
#3
|
||||
|
||||
|
I just checked my router logs. Wow, what is normally an unrelenting sub7 port 27374 barrage is now a MS SQL Server barrage. 6 of one, Half doz of the other I guess. Seems like the amount of scans hasn't changed all that much. Makes me think the people who normally scan for sub7 have changed to SQL Server.
2 years ago it was an IIS vulnerability that gave away the sa password without argument. I had a lot of fun with that one.
__________________
Not everything that can be counted counts, and not everything that counts can be counted.
#4
Thanks for the link. It helped.
#5
Hi all!
I've been using NeoWatch as my firewall for several years now. I have to say, I've tried them all but NW is by far the best investment of $40 I've made. I have been SWAMPED with SQL server scans lately...as many as 10-12 in a few hours! Fortunately, NW allows me to simply ban the offending IP (after I use their 'report this event' option). That seemed to slow down the barrage somewhat from power-scanners that show up frequently. Does anyone know who started this awful trend and why?
#6
I was wondering why they don't just block or ban the IP. Hell, I run the new BlackIce PC Protection (BIP for short) and I can easily block an IP. I hope you can do that in ZA?
__________________
-raygun-
#7
|
||||
|
||||
|
It really makes no difference. If you don't use SQL server, and I bet 99% of the people here do not, then the scans are harmless. Whether you ban the IP or not, you are still losing bandwidth to the scan irregardless.
If you DO use SQL server, and have it exposed to the internet instead of having it attached to your back end on a private network, then you probably could use some skills upgrades. If you use SQL Server and have it exposed to the net AND have NO PASSWORD (these things have to happen for this threat to be harmful) then you pretty much deserve to be plagued.
Quote:
Who could be that stupid?
__________________
Not everything that can be counted counts, and not everything that counts can be counted.
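
Added example, not part of any post in this thread: a Python sketch that tallies blocked inbound probes per day for the sub7 port named in #3 (27374) and SQL Server's default TCP port (1433), and counts probes per source address. The log layout, sample lines and function names are constructed assumptions, not the actual format of ZoneAlarm or any router.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed layout:
# direction,date,time,src_ip:src_port,dst_ip:dst_port,protocol
# Addresses are documentation ranges; nothing here is taken from the thread.
SAMPLE_LOG = """\
FWIN,2002/05/18,09:12:40,198.51.100.7:4021,192.0.2.10:27374,TCP
FWIN,2002/05/18,11:03:05,203.0.113.44:1187,192.0.2.10:27374,TCP
FWIN,2002/05/18,17:45:51,198.51.100.7:4102,192.0.2.10:27374,TCP
FWIN,2002/05/21,08:30:12,203.0.113.44:2250,192.0.2.10:1433,TCP
FWIN,2002/05/21,08:30:15,203.0.113.44:2251,192.0.2.10:1433,TCP
FWIN,2002/05/21,13:19:33,198.51.100.90:3377,192.0.2.10:1433,TCP
FWIN,2002/05/21,20:02:08,198.51.100.7:4400,192.0.2.10:27374,TCP
FWOUT,2002/05/21,20:05:00,192.0.2.10:1055,203.0.113.80:80,TCP
-- log rotated --
"""

# 27374 is the sub7 port named in the thread; 1433 is SQL Server's default TCP port.
WATCHED = {27374: "sub7", 1433: "ms-sql-server"}
INBOUND_TCP = re.compile(
    r"^FWIN,(?P<day>[\d/]+),[^,]*,(?P<src>[\d.]+):\d+,[\d.]+:(?P<dport>\d+),TCP\b"
)

def inbound_probes(log_text):
    """Yield (day, source_ip, dest_port) for each blocked inbound TCP line."""
    for line in log_text.splitlines():
        m = INBOUND_TCP.match(line.strip())
        if m:  # outbound, non-TCP and malformed lines are skipped
            yield m["day"], m["src"], int(m["dport"])

def scans_by_day(log_text):
    """Per-day count of probes to each watched port, keyed by label."""
    days = defaultdict(Counter)
    for day, _src, dport in inbound_probes(log_text):
        if dport in WATCHED:
            days[day][WATCHED[dport]] += 1
    return {day: dict(counts) for day, counts in sorted(days.items())}

def sources_for(log_text, port):
    """How many probes each source address sent to one port."""
    return Counter(src for _d, src, dport in inbound_probes(log_text) if dport == port)

if __name__ == "__main__":
    for day, counts in scans_by_day(SAMPLE_LOG).items():
        print(day, counts)
    print("1433 sources:", sources_for(SAMPLE_LOG, 1433).most_common())
```

Counts like these show who is probing and how the mix of ports shifts over time, not whether anything on the machine is listening on those ports.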