Re: Port 1433 outbound from my Firewall...?

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 04 Oct 2004 06:52:57 -0700

Search your FW log for that same timeframe.
If you have a Slammer-infected internal host, it'll show there as well.

If you don't see it in the FW logs, then there are two possibilities:
1 - your ISA is infected (sux2beu)
2 - these packets are spoofs

Unless you've mangled those IPs too, I'd bet on #1 just based on the way those 
packets are being reported.


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 4 Oct 2004 15:19:00 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:

Hi there

I am seeing something strange, and would appreciate some comment on this
please...

I have noticed an ever-increasing amount of UDP:1433 traffic in my Packet
Filter Log, the bugger is that my ISA's external IP Address is shown as the
source address. My semi-conclusion at this stage is that I may have a SQL
Slammer infected server/workstation in my midst, but I would appreciate any
and all analysis of the following excerpt (BTW, the destination IP Address
range varies quite immensely)

10/4/2004, 15:12:08, <ISA Ext NIC>, 5.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -

Thanks
William R.
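
As an added example (not part of the original thread): a Python script that rejoins the wrapped packet-filter entries quoted above and reports, per port pair, the entry count, distinct destinations and the time window to look up in the firewall log. The column names are assumptions; the two port-like columns are kept uninterpreted as `param1`/`param2`.

```python
import re
from datetime import datetime

# First three entries of the excerpt above, keeping the mail client's line wrap.
SAMPLE = """\
10/4/2004, 15:12:08, <ISA Ext NIC>, 5.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED,
<ISA Ext NIC>, -, -
"""

# Assumed column names; param1/param2 are the two port-like columns, left uninterpreted.
FIELDS = ("date", "time", "src", "dst", "proto", "param1", "param2", "flags", "action")
START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4},")  # a new record begins with a date

def parse(text):
    """Rejoin wrapped records and return one dict per complete log entry."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    rows = []
    for rec in records:
        parts = [p.strip() for p in rec.split(",")]
        if len(parts) < len(FIELDS) or not START.match(rec):
            continue  # truncated or non-log line
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows

def summarise(rows, src="<ISA Ext NIC>"):
    """Per (param1, param2): entry count, distinct destinations, first/last time."""
    out = {}
    for r in rows:
        if r["src"] != src or r["proto"].lower() != "udp" or r["action"] != "BLOCKED":
            continue
        g = out.setdefault((r["param1"], r["param2"]), {"count": 0, "dsts": set(), "times": []})
        g["count"] += 1
        g["dsts"].add(r["dst"])
        g["times"].append(r["ts"])
    return {k: {"count": g["count"], "dsts": g["dsts"],
                "first": min(g["times"]), "last": max(g["times"])} for k, g in out.items()}

if __name__ == "__main__":
    for ports, g in summarise(parse(SAMPLE)).items():
        print(ports, g["count"], len(g["dsts"]), g["first"], "to", g["last"])
```
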

