[Snort-users] SA login failed.....

SRH-Lists giermo at ...8381...
Tue Mar 29 06:53:28 EST 2005


>I am getting quite a few unusual alerts, and am confused with what I am seeing.
> 
>The payload of the packet is:
>04 01 00 3B 00 00 01 00 AA 27 00 18 48 00 00 01        ...;....*'..H...
>0E 1B 00 4C 6F 67 69 6E 20 66 61 69 6C 65 64 20        ...Login failed 
>66 6F 72 20 75 73 65 72 20 27 73 61 27 2E 00 00        for user 'sa'...
>00 00 FD 02 00 00 00 00 00 00 00                       ..}........
> 
>The strange thing is that the source is:
>x.x.x.x:1433 (our network)
>Destination
>x.x.x.x: 2838/random (remote unknown network)
> 
>This has now happened to two systems, both running mysql on tcp/1433.  
>It just makes no sense that the source port is 1433.  What am I missing here?

This is a RESPONSE from your SQL server to the "attacker".  It went like
this:

attacker:2838 "Login SA" -> sql:1433
sql:1433 "Login failed for 'sa'" -> attacker:2838


so:
1)  Good thing:  They failed to login as sa on your sql box.
2)  Bad thing:  Why the heck is your SQL port 1433 facing the internet?

-steve
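As an added illustration (not part of the thread), the quoted hex dump decoded as a TDS packet: the header's type byte 0x04 marks a server-to-client tabular result, and the ERROR token inside it carries SQL Server error 18456 ("Login failed for user"), which is exactly why the alert's source port is 1433. The pre-TDS7 (4.2-style) field layout and the function names are my assumptions, not anything from the post.

```python
import struct

# Constructed from the 59 bytes quoted in the original post.
PAYLOAD = bytes.fromhex(
    "0401003B00000100AA27001848000001"
    "0E1B004C6F67696E206661696C656420"
    "666F72207573657220277361272E0000"
    "0000FD0200000000000000"
)

# TDS packet types; 0x04 is only ever emitted by the server side.
PACKET_TYPES = {
    0x01: "SQL batch (client->server)",
    0x02: "pre-TDS7 login (client->server)",
    0x04: "tabular result (server->client)",
}

def parse_tds_response(buf):
    """Parse a pre-TDS7 server response: 8-byte header, then a token stream."""
    ptype, status, length = struct.unpack(">BBH", buf[:4])  # type, status, length (big-endian)
    if len(buf) != length:
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(buf)))
    result = {
        "type": PACKET_TYPES.get(ptype, "unknown 0x%02x" % ptype),
        "end_of_message": bool(status & 0x01),
        "tokens": [],
    }
    pos = 8
    while pos < length:
        token = buf[pos]
        pos += 1
        if token == 0xAA:  # ERROR token: LE length, number, state, class, msg, server, proc, line
            tlen = struct.unpack("<H", buf[pos:pos + 2])[0]
            pos += 2
            body = buf[pos:pos + tlen]
            pos += tlen
            number, state, severity, msglen = struct.unpack("<IBBH", body[:8])
            msg = body[8:8 + msglen].decode("ascii")
            result["tokens"].append({"token": "ERROR", "number": number, "state": state,
                                     "severity": severity, "message": msg})
        elif token == 0xFD:  # DONE token: status, curcmd, rowcount (all little-endian)
            dstatus, _curcmd, rowcount = struct.unpack("<HHI", buf[pos:pos + 8])
            pos += 8
            result["tokens"].append({"token": "DONE", "error": bool(dstatus & 0x02),
                                     "rowcount": rowcount})
        else:
            raise ValueError("unhandled token 0x%02x at offset %d" % (token, pos - 1))
    return result

if __name__ == "__main__":
    print(parse_tds_response(PAYLOAD))
```

The DONE token's error bit (0x02) being set confirms the batch ended in failure, so this packet is the server declining the login, not anyone on the inside connecting out.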
