Microsoft WINS and SQL Server Targeted

The Internet Storm Center (ISC) reports that attempts to penetrate systems through WINS and SQL Server have been detected. According to "Handler's Diary" entries during the last week, the ISC has received reports of increased probes directed at TCP port 42 which is used by WINS. A chart provided by Research and Education Networking Information and Analysis Center (REN-ISAC) shows a significant increase in traffic destined for port 42 over the past several days.

In mid-December Microsoft issued patch MS04-045 to protect WINS and undoubtedly some administrators have not yet installed the patch. If you're among those who haven't then now would be a good time to do so. In addition to installing the patch administrators can ensure that WINS is not exposed to outside networks by blocking access to TCP port 42.

ISC has also received reports of brute force attempts against SQL Server passwords. Administrators should consider checking their SQL Servers to make sure none are exposed to the Internet unless they absolutely must be. 

ISC said they believe that the tool SQLck.exe is being used in the password cracking attempts and requests that anybody who finds the program on their servers contact ISC to provide them with a copy of the executable file for analysis.