Hey, You Got Your SQL In My Honeypot! presented at SAINTCON Utah 2018

by Andrew Brandt

Summary: Beginning last year, a honeypot I run on the DMZ of my lab network started receiving a lot of traffic on a TCP port I wasn't familiar with. Out of curiosity, I investigated and discovered that the machine was getting hit, over and over again, by an elaborate, automated attack that used a sequence of Microsoft SQL database commands in an attempt to commandeer what it thought was an MS-SQL server. In this talk, I'll step attendees through the attack from its initial connection to the delivery of the malicious payload, and what I was able to determine about the IP addresses from which the attack originated and their checkered history.