Help needed with Encore Pro and MSSQL problem

littlebaddow
Posts: 416
Joined: Wed Dec 08, 2004 12:21 pm
Location: Essex, England

Post by littlebaddow » Thu Aug 25, 2005 6:16 am

I'm trying to unpick several issues with my PC following some recent unwise downloading to my PC by one of my daughters (she is recovering well and should be out of plaster in a few weeks).

One of the frequent messages I'm getting from Norton AV is that an intrusion has been detected and blocked, relating to MSSQL, which is I believe what makes the Encore Pro database operate.

Any advice appreciated (in layman's terms please) on whether this is a serious threat and what I can do about it?

The full details (for those to whom they might mean something) are:

Intrusion: MSSQL StackOverflow
Intruder: 217.43.195.15 (1488)
Protocol: UDP
Attacked IP: 0.0.0.0
Attacked Port: ms-sql-m (1434)

Thanks


_________________
MachineMask
Airsense 10 & Airfit N20

ozij
Posts: 10444
Joined: Fri Mar 18, 2005 11:52 pm

Post by ozij » Thu Aug 25, 2005 6:52 am

MSSql had a vulnerability that was used for attacking computers running it. Microsoft patched it, and patched computers are no longer vulnerable.

1. Did you reinstall your operating system?

2. If yes, did you connect to http://windowsupdate.microsoft.com ? Do so if you haven't and let windows install all the security updates.

3. Make sure you've got the latest virus signatures from Symantec (and the latest antivirus program version) and run a full scan.

I wouldn't consider my computer secure without taking those 3 steps.

O.

P.S. I'm glad to hear your daughter is reviving. What did you use, the keyboard?

_________________
Mask: AirFit™ P10 Nasal Pillow CPAP Mask with Headgear
Additional Comments: Machine: Resmed AirSense10 for Her with Climateline heated hose ; alternating masks.
And now here is my secret, a very simple secret; it is only with the heart that one can see rightly, what is essential is invisible to the eye.
Antoine de Saint-Exupery

Good advice is compromised by missing data
Forum member Dog Slobber Nov. 2023

morphy
Posts: 18
Joined: Sat Jul 23, 2005 7:55 am
Location: Suffolk County, LI

Post by morphy » Thu Aug 25, 2005 7:27 am

He prolly used a Slaptop!

littlebaddow
Posts: 416
Joined: Wed Dec 08, 2004 12:21 pm
Location: Essex, England

Post by littlebaddow » Thu Aug 25, 2005 8:53 am

Thanks ozij

Yes to 1 and 3, and I'll make a point of doing 2 as soon as I get home. (I'm currently at work, but of course I'm busy working.)

As for my daughter (in case there are any social workers watching) the only part of her anatomy that got a bashing was her ears

christinequilts
Posts: 489
Joined: Sun Jan 23, 2005 12:06 pm

Post by christinequilts » Thu Aug 25, 2005 11:12 am

If it makes you feel better my MS-SQL accidentally got deleted by me...got click happy while cleaning up my computer. I was in a panic until I remembered I had just done an export of data to send it to my desktop...and I actually found the exported file on my desktop. Knowing I should be able to import the data back in I was a little more at ease as I reinstalled Encore Pro from the CD. It recognized that the Encore Pro was installed so it didn't mess with that but it did reinstall the SQL and something else I can't recall. I was totally shocked when I opened up Encore Pro and my old data was still there...didn't even need exported copy but it did teach me a lesson to backup my BiPAP ST data before I screw around with my computer too much.

It does look like you need to get your security updates up to date. I did a Whois search of the intruder IP - looks like someone in the UK who is using btcentralplus.com as their ISP. Someone more techy than me can probably help you figure out more about who tried to attack you and what it means.


Hmmm...this doesn't sound good...
UDP Port 1434
Common Use

Microsoft SQL Monitor use in monitoring Microsoft SQL Databases.

Inbound Traffic

Inbound scans are typically from systems infected with the SQL Slammer worm looking for vulnerable Microsoft SQL Servers or MSDE systems to infect. SQL Slammer has the distinction of being the fastest worm ever released on the internet and while we were perhaps the first to publish a notice concerning SQL Slammer by then it was too late as SQL Slammer had compromised most of its available victims world wide within 15 minutes.

Outbound Traffic

Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.


JL
Posts: 81
Joined: Sat Apr 16, 2005 2:15 pm
Location: San Antonio, Texas

Post by JL » Thu Aug 25, 2005 3:27 pm

From a post I did in Jun 05:

MS SQL Security Center states Default install of MSSQL monitors TCP port 1433 and UDP port 1434...configure firewall to filter out packets addressed to those ports.

...could block them specifically with your firewall. Found it easier to just start MSSQL as needed with my firewall blocking internet activity and then stop it before going on the internet.

Jim
9-11 cm Remstar Auto w/C-Flex off,
Heated Humidifier & Hose...Breeze, Activa, Ultra Mirage FF, Hybrid
Encore Pro w/MyEncore enhancements

rested gal
Posts: 12881
Joined: Thu Sep 09, 2004 10:14 pm
Location: Tennessee

Post by rested gal » Thu Aug 25, 2005 4:16 pm

"Found it easier to just start MSSQL as needed with my firewall blocking internet activity and then stop it before going on the internet."

Good advice, JL. I start/stop MSSQL long enough to do the Encore thing, and don't connect to the internet until after I've turned MSSQL off. That was -SWS's routine, too, I believe.

Makes the simple cable download straight from my first 420E to my computer look more and more inviting to go back to. I never minded carrying that sweet little machine to my computer desk.

ozij
Posts: 10444
Joined: Fri Mar 18, 2005 11:52 pm

Post by ozij » Thu Aug 25, 2005 11:35 pm

"Inbound scans are typically from systems infected with the SQL Slammer worm looking for vulnerable Microsoft SQL Servers or MSDE systems to infect. SQL Slammer has the distinction of being the fastest worm ever released on the internet and while we were perhaps the first to publish a notice concerning SQL Slammer by then it was too late as SQL Slammer had compromised most of its available victims world wide within 15 minutes."

Christine - who is "we" in that sentence? I'm curious about that well organized data.

O.

BP
Posts: 199
Joined: Fri Aug 19, 2005 4:09 pm
Location: Atlanta, GA

Post by BP » Fri Aug 26, 2005 2:28 pm

You guys might also want to make sure that sql server isn't running any background services. If these are listening on either one of those ports someone could still compromise your pc. Don't know what os you're running but you can probably use task manager to check for these processes.

BTW, to be safe you should probably get an inexpensive switch/firewall. This can be used to block access to all ports, essentially hiding your network from the internet. These can be purchased for around $100 from linksys or d-link, and many others.

The software firewall that comes with XP SP2 is probably the next best thing and is free. I am less familiar with it, but it seems to work well.

-BP
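
The check suggested above (is anything still listening on TCP 1433 or UDP 1434?) can be scripted. This is an added example, not part of the original thread: it parses Windows `netstat -ano` output and reports sockets on those two ports that are bound to a non-loopback address. The sample output and the function name are constructed for illustration.

```python
import re

# Ports named in the thread: SQL Server on TCP 1433, SQL Monitor on UDP 1434.
MSSQL_PORTS = {("TCP", 1433), ("UDP", 1434)}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1720
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       1404
  TCP    192.168.1.20:3021      203.0.113.7:80         ESTABLISHED     2288
  UDP    0.0.0.0:1434           *:*                                    1720
  UDP    127.0.0.1:1900         *:*                                    1404
"""

# proto, local address, local port, foreign address, optional state, PID
LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def exposed_mssql_listeners(netstat_text):
    """Return (proto, address, port, pid) for MSSQL sockets open to the network."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state, pid = m.groups()
        if (proto, int(port)) not in MSSQL_PORTS:
            continue
        # TCP must be LISTENING; UDP rows have no state, a bound socket is enough.
        if proto == "TCP" and state != "LISTENING":
            continue
        if addr in LOOPBACK:
            continue  # reachable only from this machine
        findings.append((proto, addr, int(port), int(pid)))
    return findings


if __name__ == "__main__":
    for proto, addr, port, pid in exposed_mssql_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is open to the network (PID {pid})")
```

On a real machine, feed it the text from `netstat -ano`; the PID column can then be matched against the process list in Task Manager.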