Problem solve Get help with specific problems with your technologies, process and projects.

Step 4: Peek into your network traffic

The easiest way to determine if any nefarious behavior is taking place on your SQL Server is to see how it's talking on the network. Load your analyzer on the SQL Server itself or elsewhere to a span or mirror port on your Ethernet switch. Follow this step-by-step guide to test for a Trojan on your SQL Server.

Peek into your network traffic

Perhaps the easiest way to determinenr if any nefarious behavior is taking place on your SQL Server is to see how it's talking on the network. If you have a network analyzer you're comfortable with, you can start rooting out what's going on in just a minute or two. You can load your analyzer on the SQL Server itself or have it connected elsewhere to a span or mirror port on your Ethernet switch.

My favorite network analyzer, EtherPeek, can be used like most other analyzers to capture packets going to or from your SQL Server. As shown in the figure below, some traffic running over TCP port 12345 (a common NetBus Trojan port) is discovered.


EtherPeek can easily capture network traffic highlighting Trojan behavior – in this case capturing NetBus traffic

You can actually create your own network analyzer triggers and filters if you know what to look for. A good listing of common Trojans and their associated ports can be found here. This method of rooting out malicious traffic isn't foolproof since port numbers can often be changed, but it serves as a good starting point.

You can run Ether Peek in 'monitor' mode to let it glean a bird's eye view of what's taking place on the network – without having to capture packets. You can view which protocols are in use as well as look for heavy traffic, odd hosts communicating, and other network trends to/from your SQL Server system. This is demonstrated in the following screenshot.

EtherPeek's monitor mode can highlight network trends such as Trojan communications you wouldn't otherwise know about


Test for a Trojan horse on your SQL Server

 Home: Introduction
 Step 1: Scan your SQL Server for malware
 Step 2: Look in the memory
 Step 3: Look at open ports
 Step 4: Peek into your network traffic
 Step 5: Approach with a malicious mindset

Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC . He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books, including Hacking Wireless Networks For Dummies, and Securing the Mobile Enterprise For Dummies (all by Wiley), as well as  The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

This was last published in October 2006

Dig Deeper on Microsoft SQL Server Performance Monitoring and Tuning

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What if the cyber attacks are coming from an employee at the IANA-Internet Enginnering Task force?