Dear Erik,
2mbits to 4mbits of outbound traffic is a fair bit for just a port scan.
We saw around 100ks of inbound traffic to each server and around 2mbits to
4mbits outbound traffic from the servers to the same destination 58.162.67.45
The traffic pattern occurred for around 30 minutes and then simultaneously
every host (server) stopped sending traffic.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: [email protected] | ABN: 12 109 977 666
This message is intended for the addressee named above. It may contain
privileged or confidential information. If you are not the intended recipient
of this message you must not use, copy, distribute or disclose it to anyone
other than the addressee. If you have received this message in error please
return the message to the sender by replying to it and then delete the message
from your computer.
-----Original Message-----
From: Erik Soosalu [mailto:[email protected]]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; [email protected]
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability -
outbound traffic 3389
Wouldn't this just be an indication of that block being scanned for open
3389 ports from that IP? You're just looking at the return traffic to the
scanning host.
-----Original Message-----
From: James Braunegg [mailto:[email protected]]
Sent: Friday, January 13, 2012 7:37 AM
To: [email protected]
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound
traffic 3389
Hey All,
Just posting to see if anyone has seen any strange outbound traffic on port
3389 from Microsoft Windows Server over the last few hours.
We witnessed an alarming number of completely independent Microsoft Windows
Servers, each on separate VLANs and subnets (i.e. all /30 and /29
allocations) with separate gateways and completely separate customers, but
all within the same 1.x.x.x/16 allocation, all simultaneously send
around 2mbit or so of data to a specific target IP address.
The only common link was / is that terminal services port 3389 is open to the
public. Obviously someone (Mr 133t dude) scanned an allocation within our
network, and like a worm was able to simultaneously control every Microsoft
Windows Server to send outbound traffic.
Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a
firewall or VPN and did not have public 3389 access did not send the unknown
traffic.
Would be very interested if anyone else has seen this behaviour before!
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP,
if so I name it "ohDeer-RDP"
A sample of the traffic is as per below, collected from netflow:
Source        Destination   Application    Src Port  Dst Port  Proto
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      51534     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      52699     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      60824     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      51669     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      49215     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      62099     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      65429     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      51965     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      50381     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      59379     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      58103     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      59514     TCP
x.x.x.x/16    58.162.67.45  ms-wbt-server  3389      58298     TCP
This occurred around 10:30pm AEST Friday the 13th of January 2012.
We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which
were totally unaffected.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: [email protected] | ABN: 12 109 977 666
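The disagreement in this thread (hosts "controlled" by a worm versus hosts merely answering a scan) can be settled from the flow records themselves, because the two cases leave opposite port patterns: a server answering connections the peer opened sends from its service port (3389) to the peer's ephemeral port, while a host that opened the connection itself sends from an ephemeral port to the peer's service port. The script below is an added triage example, not code from the thread or from any of its participants. It assumes a constructed record layout of "src dst sport dport proto bytes" (the thread's netflow dump has no byte column; one is added here), uses internal addresses from the 192.0.2.0/24 documentation range, and reuses the external address quoted in the thread as the destination. Byte counts are made up.

```python
"""Added triage example: tell server-side reply traffic from host-initiated
connections in netflow-style records, per destination."""
from collections import defaultdict
from dataclasses import dataclass

# Service ports we care about here (constructed subset, 3389 = ms-wbt-server).
SERVICE_PORTS = {3389, 22, 443}
# Start of the IANA dynamic/private port range; Windows Vista and later also
# allocate client-side ports from 49152 upward.
EPHEMERAL_MIN = 49152

# Constructed records: "src dst sport dport proto bytes".  The first six mirror
# the port pattern of the thread's dump; the last is an unrelated HTTPS session.
SAMPLE_LINES = [
    "192.0.2.10 58.162.67.45 3389 51534 TCP 1800",
    "192.0.2.11 58.162.67.45 3389 52699 TCP 1750",
    "192.0.2.12 58.162.67.45 3389 60824 TCP 1820",
    "192.0.2.13 58.162.67.45 3389 51669 TCP 1790",
    "192.0.2.14 58.162.67.45 3389 49215 TCP 1810",
    "192.0.2.15 58.162.67.45 3389 62099 TCP 1805",
    "192.0.2.50 198.51.100.7 50211 443 TCP 4200",
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record into a Flow."""
    src, dst, sport, dport, proto, nbytes = line.split()
    return Flow(src, dst, int(sport), int(dport), proto.upper(), int(nbytes))


def classify(flows):
    """Group outbound flows by destination and label each group's port pattern.

    'server-side-replies': every flow leaves a service port for an ephemeral
    port, so the internal hosts are answering connections the peer opened.
    'client-initiated': every flow leaves an ephemeral port for a service
    port, so the internal hosts opened the connections themselves.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    report = {}
    for dst, group in by_dst.items():
        from_service = all(f.sport in SERVICE_PORTS for f in group)
        to_ephemeral = all(f.dport >= EPHEMERAL_MIN for f in group)
        from_ephemeral = all(f.sport >= EPHEMERAL_MIN for f in group)
        to_service = all(f.dport in SERVICE_PORTS for f in group)
        if from_service and to_ephemeral:
            verdict = "server-side-replies"
        elif from_ephemeral and to_service:
            verdict = "client-initiated"
        else:
            verdict = "mixed"
        total = sum(f.nbytes for f in group)
        report[dst] = {
            "verdict": verdict,
            # Many distinct internal sources talking to one peer is the
            # "whole allocation at once" signature the thread describes.
            "distinct_sources": len({f.src for f in group}),
            "flows": len(group),
            # A bare SYN / SYN-ACK exchange is tens of bytes per direction;
            # much larger per-flow counts mean the peer completed connections.
            "bytes_per_flow": total // len(group),
        }
    return report


def analyze(lines):
    """Parse raw records and return the per-destination report."""
    return classify(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for dst, info in analyze(SAMPLE_LINES).items():
        print(dst, info)
```

Run against the thread's own dump, every row has source port 3389 and a destination port above 49152, which is the server-side pattern: the Windows hosts were responding to connections that 58.162.67.45 opened to their exposed RDP port, not initiating anything. What the port pattern alone cannot explain is the volume; the bytes_per_flow figure is the number to look at there, since replies to half-open probes are tiny and only completed sessions carry kilobytes per flow.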