Help needed with Encore Pro and MSSQL problem

[littlebaddow]

I'm trying to unpick several issues with my PC following some recent unwise downloading to my PC by one of my daughters (she is recovering well and should be out of plaster in a few weeks )

One of the frequent messages I'm getting from Norton AV is that an instrusion has been detected and blocked, relating to MSSQL, which is I believe what makes the Encore Pro database operate.

Any advice appreciated (in laymans terms please) on whether this is a serious threat and what I can do about it?

The full details (for those to whom they might mean something) are:

Intrusion: MSSQL StackOverflow
Intruder: 217.43.195.15 (1488)
Protocol: UDP
Attacked IP: 0.0.0.0
Attacked Port: ms-sql-m (1434)

Thanks

[ozij]

MSSql had a vulnerablity that was used for attacking computers running it. Microsoft patched it, and patched computers are no longer vulnerable.

1. Did you reinstall your operating system?

2. If yes, did you connect to http://windowsupdate.microsoft.com ? Do so if you haven't and let windows install all the security updates.

3. Make sure you've got the latest virus signatures from Symantec (and the latest antivirus progarm version) and run a full scan.

I wouldn't consider my computer secure without taking those 3 steps.

O.

P.S. I'm glad to hear you daughter is reviving. What did you use, the keyboard?

[morphy]

He prolly used a Slaptop!

[littlebaddow]

Thanks ozij

Yes to 1 and 3, and I'll make a point of doing 2 as soon as I get home.(I'm currently at work, but of course I'm busy working )

As for my daughter (in case there are any social workers watching) the only part of her anatomy that got a bashing was her ears

[christinequilts]

If it makes you feel better my MS-SQL accidently got deleted by me...got click happy while cleaning up my computer. I was in a panic until I remember I had just done an export of data to send it to my desktop...and I actually found the exported file on my desktop. Knowing I should be able to import the data back in I was a little more at ease as I reinstalled Encore Pro from the CD. It recognized that the Encore Pro was installed so it didn't mess with that but it did reinstall the SQL and something else I can't recall. I was totally shocked when I opened up Encore Pro and my old data was still there...didn't even need exported copy but it did teach me a lesson to backup my BiPAP ST data before I screw around with my computer too much.

It does look like you need to get your security updates up to date. I did a Whois search of the intruder IP- looks like someone in the UK who is using btcentralplus.com as their ISP. Someone more techy then me can probably help you figure out more about who tried to attack you and what it means.


Hmmm...this doesn't sound good...
UDP Port 1434
Common Use

Microsoft SQL Monitor use in monitoring Microsoft SQL Databases.

Inbound Traffic

Inbound scans are typically from systems infected with the SQL Slammer worm looking for vulnerable Microsoft SQL Servers or MSDE systems to infect. SQL Slammer has the distinction of being the fastest worm ever released on the internet and while we were perhaps the first to publish a notice concerning SQL Slammer by then it was too late as SQL Slammer had compromised most of its available victims world wide within 15 minutes.

Outbound Traffic

Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.

[JL]

From a post I did in Jun 05:

MS SQL Security Center states Default install of MSSQL monitors TCP port 1433 and UDP port 1434...configure firewall to filter out packets addressed to those ports.

...could block them specifically with your firewall. Found it easier to just start MSSQL as needed with my firewall blocking internet activity and then stop it before going on the internet.

Jim

[rested gal]

Found it easier to just start MSSQL as needed with my firewall blocking internet activity and then stop it before going on the internet.

Good advice, JL. I start/stop MSSQL long enough to do the Encore thing, and don't connect to the internet until after I've turned MSSQL off. That was -SWS's routine, too, I believe.

Makes the simple cable download straight from my first 420E to my computer look more and more inviting to go back to. I never minded carrying that sweet little machine to my computer desk.

[ozij]

Inbound scans are typically from systems infected with the SQL Slammer worm looking for vulnerable Microsoft SQL Servers or MSDE systems to infect. SQL Slammer has the distinction of being the fastest worm ever released on the internet and while we were perhaps the first to publish a notice concerning SQL Slammer by then it was too late as SQL Slammer had compromised most of its available victims world wide within 15 minutes.

Christine - who is "we" in that sentence? I'm curious about that well organized data.

O.

[BP]

You guys might also want to make sure that sql server isn't running any background services. If these are listening on either one of those ports someone could still compromise your pc. Don't know what os you're running but you can probably use task manager to check for these processes.

BTW, to be safe you should probably get an inexpensive switch/firewall. This can be used to block access to all ports, essentially hiding your network from the internet. These can be purchased for around $100 from linksys or d-link, and many others.

The software firewall that comes with XP SP2 is probably the next best thing and is free. I am less familiar with it, but it seems to work well.

-BP