Yesterday vnunet.com warned of an increase in attacks on the port used by Microsoft's SQL server. Experts now suspect that a worm may be to blame for the rapidly increasing traffic on this port.

Late yesterday, security experts released details of a worm infecting internet-facing SQL servers in the wild.

Over the last 48 hours the SQLsnake, as it is known, has gone from accounting for 49 per cent of all internet attacks to 66 per cent of malicious traffic.

Today, 1433 is the most common port being probed on the internet and reports going up on security mailing list Bugtraq have noted people "getting slammed with requests trying to exploit this."

Because the SQLsnake exploits servers with a blank administrator password, Marc Fossi, of the SecurityFocus website, warned: "If any of you have MS SQL servers with blank SA account passwords, you might have a long day ahead of you."

Statistics from the Sans Institute show that over 1,500 boxes appear to have been infected, with the main offenders in North America, Europe and Korea.

The biggest culprit, which appears to be an IP address registered to an Earthlink DSL connection at a hotel in Atlanta, has already sent out around 152,000 attacks.

Once it has infected a host, the main aim of SQLsnake is to email a list of captured passwords and configuration information to a free email account in Singapore.

The worm's main payload is written in JavaScript and generates excessive web traffic by setting up infected hosts to scan the internet for more victims.

Because the worm is multithreaded it can scan with up to 100 threads. But it also contains some sort of counter which may be used to trigger some other functionality of the worm in the future.

So far there appears to be no evidence of the worm abating. Experts are still trying to determine the motive behind the attacks.