Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Perl/Exploit SQLinject; Increased Activity on Port 1039 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Perl/Exploit SQLinject; Increased Activity on Port 1039
Perl/Exploit SQLinject
A fake exploit for phpBB is circulating on security related mailing lists. This exploit claims to take advantage of a SQL Injection vulnerability in phpBB. However, intsead of sending the exploit, the script will try and find a local phpBB user database and send it to a web site as part of the query string. Exploit code should always be treated with care. Fake exploits like this, which include backdoors and other hidden functions are quite common.

Increased Activity on Port 1039

Starting on December 24th the activity on Port 1039 increased drastically. The normal daily traffic records for that port was consistantly under 1000. However on the 24th traffic jumped to the hundreds of thousands and the to millions on the 25th and 26th. As far as I can tell the port is used by Dell OMI service.
service also listens on Port 1037 and 1038. Traffic rose for port 1037 on the 22nd and 23rd and for port 1038 on the 24th before dropping back to normal. It maybe that hackers are looking for all the new Christmas presents. Just keep your eyes open and if you see anything, let us know.

System Lockdowns
As a reminder, don't forget to lock your systems down before putting them on the Internet. Family members and friends will be getting computers and many of them will have little to no experience using them. If you have time, give them a hand or at least point them in the right direction. The free Survival Guide found at is a great place to start. There is also a good guide found at

Here's wishing you a safe Holiday Season
Lorna Hutcheson

165 Posts
ISC Handler
Sep 13th 2005

Sign Up for Free or Log In to start participating in the conversation!