
MS server port under hack attack

by James Middleton

21 May 2002


Security watchers have warned of a huge increase in the number of connection attempts made on port 1433, the Microsoft SQL server port, in the last 24 hours.

An advisory released this morning by security firm Trend Micro said that the significant increase in connection attempts could signify hack attacks.

The company said that firewall logs at customer sites revealed that the attacks started to rocket yesterday (May 20).

Indeed, a quick glance at the "top ten ports under attack" list on the Sans Institute's Internet Storm Centre website shows port 1433 at number five.

Connection attempts on the Microsoft SQL server port usually number between zero and three per cent, according to the Internet Storm Centre, but yesterday they leapt into the red at 57 per cent.

"The connection attempts look like a hacking attack; at first a MSSQL handshake is transferred, which is not unusual," said the Trend Micro advisory. "But afterwards, a second packet is sent, and this packet is an attempt to log in to the MSSQL server, using the account name 'sa' and an empty password. This is the default authentication set-up for MSSQL installation."

Neither the source of these attacks nor the motives behind them have yet been determined. But the increase in attacks on port 1433 should serve as a warning to administrators to check the security of SQL server installations.

On 17 April, Microsoft issued an advisory about an unchecked buffer in extended procedure functions in the SQL server that could have allowed attackers to run arbitrary code on the system.

It is possible that this latest attack could have been carried out by someone looking to exploit this vulnerability.

More details can be found here.
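For administrators who want to check their own firewall logs for the kind of surge described above, the following is an added example, not code from Trend Micro, Microsoft or the Internet Storm Centre. It assumes an iptables-style key=value log format, reads the article's "zero to three per cent" as port 1433's usual share of logged connection attempts, and uses constructed sample lines with documentation-range addresses; the function names and thresholds are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (iptables-style key=value); adapt the regex to your firewall.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b")

def port_stats(lines):
    """Return {port: (share_of_all_attempts, distinct_sources)} for logged TCP SYNs."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            port = int(m["dpt"])
            hits[port] += 1
            sources[port].add(m["src"])
    total = sum(hits.values())
    return {p: (n / total, len(sources[p])) for p, n in hits.items()} if total else {}

def spikes(lines, baseline, factor=5.0, min_sources=3):
    """Ports whose share exceeds factor x their usual share and that are hit
    from at least min_sources addresses (one noisy host is not a wave)."""
    out = []
    for port, (share, nsrc) in port_stats(lines).items():
        usual = baseline.get(port, 0.01)  # assumed floor for ports with no history
        if share > factor * usual and nsrc >= min_sources:
            out.append((port, round(share, 2), nsrc))
    return sorted(out, key=lambda t: -t[1])

def sample_line(src, dpt):
    """Build one constructed firewall log line (not real traffic)."""
    return (f"May 20 09:14:02 fw kernel: DROP IN=eth0 SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=4021 DPT={dpt} SYN")

# Constructed sample: 12 hosts probing 1433, plus ordinary web and FTP noise.
SAMPLE = ([sample_line(f"198.51.100.{i}", 1433) for i in range(1, 13)]
          + [sample_line("203.0.113.7", 80)] * 5
          + [sample_line("203.0.113.9", 21)] * 3)

# Assumed usual shares; 0.03 is the upper end of the article's 0-3 per cent range.
BASELINE = {1433: 0.03, 80: 0.30, 21: 0.15}

if __name__ == "__main__":
    for port, share, nsrc in spikes(SAMPLE, BASELINE):
        print(f"port {port}: {share:.0%} of attempts from {nsrc} sources")
```

A port flagged here is a prompt to confirm that the SQL Server behind it is not reachable from the internet and that its 'sa' account has a password set.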
