I have a router interface with IP address 192.168.9.94/27. In
addition, I have the following static routes in this router:

ip route 192.168.9.112 255.255.255.240 192.168.9.65
ip route 192.168.20.16 255.255.255.248 192.168.9.65
ip route 192.168.20.24 255.255.255.248 192.168.9.65
ip route 192.168.20.112 255.255.255.248 192.168.9.65
ip route 192.168.2.128 255.255.255.128 192.168.9.65
ip route 192.168.21.128 255.255.255.128 192.168.9.65
ip route 10.10.10.0 255.255.255.0 192.168.9.65

As you see, all those point to 192.168.9.65, which is the first usable
address in the 192.168.9.64/27 network.

Now if I execute:

# flow-cat 2011-10-26/* | flow-filter -f access-list.acl -Dacl | flow-print

...while "access-list.acl" looks like the following (in other words, I want to
analyse all the networks associated with this connection):

ip access-list standard acl permit 192.168.9.64 0.0.0.31
ip access-list standard acl permit 192.168.9.112 0.0.0.15
ip access-list standard acl permit 192.168.20.16 0.0.0.7
ip access-list standard acl permit 192.168.20.24 0.0.0.7
ip access-list standard acl permit 192.168.20.112 0.0.0.7
ip access-list standard acl permit 192.168.2.128 0.0.0.127
ip access-list standard acl permit 192.168.21.128 0.0.0.127
ip access-list standard acl permit 10.10.10.0 0.0.0.255
ip access-list standard acl deny any

...then 98% of the lines look like this:

srcIP            dstIP            prot  srcPort  dstPort  octets      packets
I.I.P.P        192.168.2.196    6     3389     3799     55          1
I.I.P.P        192.168.2.196    6     3389     4465     40          1
I.I.P.P        192.168.2.196    6     3389     1940     74          1
I.I.P.P        192.168.2.196    6     3389     2611     51          1
I.I.P.P        192.168.2.196    6     3389     2356     141         1
I.I.P.P        192.168.2.196    6     3389     2111     92          1
I.I.P.P        192.168.2.196    6     3389     1151     339         1
I.I.P.P        192.168.2.196    6     3389     2609     55          1
I.I.P.P        192.168.2.196    6     3389     1386     1500        1
I.I.P.P        192.168.2.196    6     3389     3133     1480        1
I.I.P.P        192.168.2.196    6     3389     2684     3000        2


"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
Server 2003. As you can see, almost every connection is to an ephemeral
port on 192.168.2.196 using the source port 3389. In addition, the
download traffic for the customer is 5x higher than the upload traffic.

What might cause such traffic? A virus? If yes, then how does this
behave? Or have I misunderstood something? If no, then what traffic
might this be?

PS: unfortunately I don't manage the 192.168.2.196 Windows Terminal Server.

regards,
martin
_______________________________________________
Flow-tools mailing list
http://mailman.splintered.net/mailman/listinfo/flow-tools
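As an added example (not part of the original post or of flow-tools), the Python script below parses flow-print output in the column layout shown above and tallies, per host pair, which endpoint holds port 3389, how many distinct ephemeral ports the peer side uses, and the octet volume in each direction. The sample rows are constructed from the post's data, with the RFC 5737 documentation address 203.0.113.5 standing in for "I.I.P.P" and one reverse-direction row added to show both-way tallies.

```python
from collections import defaultdict

# Constructed sample in flow-print's default column layout. 203.0.113.5 stands
# in for the post's "I.I.P.P"; the last row is an added reverse-direction flow.
SAMPLE = """\
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
203.0.113.5      192.168.2.196    6     3389     3799     55          1
203.0.113.5      192.168.2.196    6     3389     4465     40          1
203.0.113.5      192.168.2.196    6     3389     1386     1500        1
203.0.113.5      192.168.2.196    6     3389     2684     3000        2
192.168.2.196    203.0.113.5      6     4465     3389     800         3
"""

FIELDS = ("src", "dst", "prot", "sport", "dport", "octets", "packets")

def parse_flow_print(text):
    """Parse flow-print's default table into dicts, skipping the header line."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != len(FIELDS) or cols[0] == "srcIP":
            continue
        rec = dict(zip(FIELDS, cols))
        for key in FIELDS[2:]:          # everything after the two addresses is numeric
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def summarize(flows, service_port=3389):
    """Tally TCP flows per (host holding service_port, peer host): distinct
    peer-side ports and octets sent in each direction."""
    pairs = defaultdict(lambda: {"peer_ports": set(), "from_service": 0,
                                 "to_service": 0, "flows": 0})
    for f in flows:
        if f["prot"] != 6:              # only TCP is relevant for a 3389 check
            continue
        if f["sport"] == service_port:
            key, peer_port, direction = (f["src"], f["dst"]), f["dport"], "from_service"
        elif f["dport"] == service_port:
            key, peer_port, direction = (f["dst"], f["src"]), f["sport"], "to_service"
        else:
            continue
        entry = pairs[key]
        entry["peer_ports"].add(peer_port)
        entry[direction] += f["octets"]
        entry["flows"] += 1
    return dict(pairs)
```

Run over the real flow-print output of the filtered set, the summary shows which address is actually the endpoint holding 3389 for each pair and the byte ratio between the two directions, which is the first thing to check before deciding what the traffic is.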