RE: Port 1433 outbound from my Firewall...?

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 04 Oct 2004 07:25:33 -0700

It's unlikely that the ISA MSDE could get infected unless it's been reconfigured 
to listen on one or more interfaces.
By default, ISA MSDE is not bound to any interface; it's strictly memory-mapped 
networking on the box.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 4 Oct 2004 08:47:46 -0500
 "Quillman Shawn (RBNA/CSA1) *" <Shawn.Quillman@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org


This ISA 2004 (MSDE doing the logging)?  If so I'm guessing your ISA is
infected.  But at least it ain't gettin' your internal network :)  If
you can, reboot your ISA and see if the problem goes away for a period
of time.  Then patch your box.  Slammer is only memory resident and
doesn't write files so an infection will go away with a reboot (until it
gets infected again).

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Monday, October 04, 2004 9:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Port 1433 outbound from my Firewall...?

Hi there

I am seeing something strange, and would appreciate some comment on this
please...

I have noticed an ever-increasing amount of UDP:1433 traffic in my Packet
Filter Log, the bugger is that my ISA's external IP Address is shown as the
source address. My semi-conclusion at this stage is that I may have a SQL
Slammer infected server/workstation in my midst, but I would appreciate any
and all analysis of the following excerpt (BTW, the destination IP Address
range varies quite immensely)

10/4/2004, 15:12:08, <ISA Ext NIC>, 5.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, -

Thanks
William R.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
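
Added example, not part of the original thread or any poster's code: a Python triage pass over the packet filter excerpt quoted in the original question, which rejoins mail-wrapped entries and groups blocked firewall-sourced packets by port pair. The column order (source port before destination port) is an assumption about the ISA packet filter log layout, and all function names are hypothetical.

```python
from collections import defaultdict

# Assumed column order (the excerpt has no header row): ISA packet filter log layout.
FIELDS = ["date", "time", "src", "dst", "proto", "src_port", "dst_port",
          "tcp_flags", "action", "iface", "header", "payload"]
SQL_RESOLUTION_PORT = 1434  # UDP port Slammer sends its probes to

# First four entries of the excerpt in the post; two keep the mail client's wrapping.
SAMPLE = """\
10/4/2004, 15:12:08, <ISA Ext NIC>, 5.0.255.19, Udp, 1434, 137, -,
BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -,
BLOCKED,
<ISA Ext NIC>, -, -
10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, -
10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, -
"""

def parse_records(text):
    """Rejoin wrapped lines: emit a record each time 12 fields have accumulated."""
    pending = []
    for line in text.splitlines():
        pending += [f.strip() for f in line.split(",") if f.strip()]
        while len(pending) >= len(FIELDS):
            yield dict(zip(FIELDS, pending[:len(FIELDS)]))
            pending = pending[len(FIELDS):]

def summarize(records, local="<ISA Ext NIC>"):
    """Group blocked packets sourced from the firewall by (proto, src_port, dst_port)."""
    groups = defaultdict(lambda: {"count": 0, "dests": set()})
    for r in records:
        if r["src"] == local and r["action"] == "BLOCKED":
            key = (r["proto"].upper(), int(r["src_port"]), int(r["dst_port"]))
            groups[key]["count"] += 1
            groups[key]["dests"].add(r["dst"])
    return dict(groups)

def targets_sql_resolution(key):
    """True when a flow group is UDP aimed at the SQL Server Resolution Service port."""
    proto, _src_port, dst_port = key
    return proto == "UDP" and dst_port == SQL_RESOLUTION_PORT

if __name__ == "__main__":
    for key, g in sorted(summarize(parse_records(SAMPLE)).items()):
        flag = "dst=1434" if targets_sql_resolution(key) else "dst!=1434"
        print(key, g["count"], "packets,", len(g["dests"]), "destinations,", flag)
```

If the assumed column order holds, 1433 and 1434 in the excerpt are source ports and 137 is the destination port, so none of the groups is flagged as aimed at UDP 1434.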
