Open MS-SQL Server Resolution Service Report

This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet.

These services have the potential to expose information about a client’s network on which this service is accessible and the service itself can be used in UDP amplification attacks.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the MS-SQL response came on (usually UDP)
  • port
    Port that the MS-SQL response came from (usually 1434)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be mssql
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • server_name
    The ServerName field in the response — this is usually the NetBIOS name of the server
  • instance_name
    The InstanceName field in the response — this is the name of the SQL instance on the server
  • version
    Version number of the running MS-SQL / SQLExpress service
  • tcp_port
    The TCP port that you would use to connect to the MS-SQL instance
  • named_pipe
    The named pipe that the SQL server is advertising
  • response_length
    Length of the response from the MS-SQL Server Resolution Service (including packet headers)
  • amplification
    The probable amplification amount, if this device was to participate in a UDP amplification attack — this value is determined by dividing the response_length by the size of the probe that was used

Sample

"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","server_name","instance_name","tcp_port","named_pipe","response_length","amplification"
"2015-02-04 07:38:43","110.88.113.98","udp",1434,"98.113.88.110.broad.ly.fj.dynamic.163data.com.cn","mssql","8.00.194",4134,"CN","FUJIAN","LONGYAN",0,0,"IT6MHA4GLBKT3S1","CXDY3",1266,"\IT6MHA4GLBKT3S1pipeMSSQL$CXDY3sqlquery",322,"7.16"
"2015-02-04 07:38:44","112.20.234.33","udp",1434,,"mssql","8.00.194",56046,"CN","BEIJING","BEIJING",0,0,"WWW-A0DC0030EFA","MSDE",1121,"\WWW-A0DC0030EFApipeMSSQL$MSDEsqlquery",318,"7.07"
"2015-02-04 07:38:44","182.73.224.158","udp",1434,,"mssql","10.0.2531.0",9498,"IN","ANDHRA PRADESH","HYDERABAD",0,0,"OTSI-LYNC","RTCLOCAL",56011,,396,"8.80"
"2015-02-04 07:38:44","82.119.155.254","udp",1434,"mail.gorodavto.com","mssql","9.00.5000.00",12683,"RU","STAVROPOL'SKIY KRAY","MINERALNYE VODY",0,0,"RU003710S00005","MS_ADMT",0,,734,"16.31"
"2015-02-04 07:38:44","163.17.10.26","udp",1434,,"mssql","10.50.1600.1",1659,"TW","TAICHUNG CITY","TAICHUNG",0,0,"AIT-CSIE","SQLSERVER2008R2",1186,,402,"8.93"
"2015-02-04 07:38:44","182.18.189.236","udp",1434,"inl1.joinindia.biz","mssql","9.00.3042.00",18229,"IN","MAHARASHTRA","MUMBAI",0,0,"WIN-JVS9RCPJ2R1","MSSQLSERVER",1433,"\WIN-JVS9RCPJ2R1pipesqlquery",318,"7.07"
"2015-02-04 07:38:44","177.189.201.149","udp",1434,"177-189-201-149.dsl.telesp.net.br","mssql","9.00.5000.00",27699,"BR","SAO PAULO","SAO PAULO",518210,737415,"RAQUELMATTAR-PC","MSSQLSERVER",1433,"\RAQUELMATTAR-PCpipesqlquery",318,"7.07"
"2015-02-04 07:38:44","178.32.46.20","udp",1434,,"mssql","9.00.5000.00",16276,"FR","NORD-PAS-DE-CALAIS","ROUBAIX",0,0,"2K8STD-AD","BKUPEXEC",65039,"\2K8STD-ADpipeMSSQL$BKUPEXECsqlquery",320,"7.11"
"2015-02-04 07:38:44","65.182.104.147","udp",1434,,"mssql","8.00.194",33055,"US","ARIZONA","PHOENIX",0,0,"BCC-0T12YTA16XM","MSSQLSERVER",1433,"\BCC-0T12YTA16XMpipesqlquery",310,"6.89"
"2015-02-04 07:38:44","187.45.202.36","udp",1434,"xxxdnn1984.locaweb.com.br","mssql","11.0.2100.60",27715,"BR","SAO PAULO","SAO PAULO",0,0,"WIN-8ESSG5B75DD","SQLSERVER2012",1445,,620,"13.78"

Our 73 Report Types