Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC Port Details:


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Graph

[show ascii data]
Graph Criteria
  • Start Date:
  • End Date:
  • Port:
  • Left Y Axis:
  • Right Y Axis:

Port Information

Protocol Service Name
tcp ms-sql-m Microsoft-SQL-Monitor
udp ms-sql-m SQL Slammer / Sapphire worm
[get complete service list]

User Comment

Submitted By Date
Comment
Rivaldo Oliveira 2011-12-24 02:07:39
I have observed a significant increase in traffic on port 1434 in the last days, someone has something new about a new variant of the slammer? thank you Rivaldo Oliveira
Stephen Kawamoto 2009-10-04 18:45:22
I looked over eeye.com's reverse engineering of the worm that did the SQL Slammer (given the name, "Sapphire Worm") on Jan. 25, and it's elegant, not quick and dirty. Reference: http://www.eeye.com/html/Research/Flash/sapphire.txt
Marcus H. Sachs, SANS Institute 2003-10-10 00:35:20
SANS Top-20 Entry: W2 Microsoft SQL Server (MSSQL) http://isc.sans.org/top20.html#w2 The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts. MSSQL vulnerabilities are well-publicized and actively under attack. Two recent MSSQL worms in May 2002 and January 2003 exploited several known MSSQL flaws. Hosts compromised by these worms generate a damaging level of network traffic when they scan for other vulnerable hosts.
Johannes Ullrich 2003-01-26 22:05:40
This port is used by the SQL Slammer or Sapphire worm. See 'analysis' section on homepage. Worm started at 12:30 AM January 25th. It is targeting MS-SQL servers on port 1434 (UDP).
David Berg 2003-01-25 20:33:56
Observed 30 probes in 30 minutes from 30 sources -- all source port 69 to destination 1434 UDP. Probes continuing as I write this at the same pace. First probe at 21:35 Pacific time.
Add a comment

CVE Links

CVE # Description
CVE-2002-649 "Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name