[148368] in North American Network Operators' Group


RE: Possible New Zero Day Microsoft Windows 3389 vulnerability -

daemon@ATHENA.MIT.EDU (James Braunegg)
Fri Jan 13 08:29:17 2012

From: James Braunegg <james.braunegg@micron21.com>
To: Erik Soosalu <erik.soosalu@calyxinc.com>, "nanog@nanog.org"
 <nanog@nanog.org>
Date: Fri, 13 Jan 2012 13:28:47 +0000
In-Reply-To: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..

We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666



This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.


-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu@calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog@nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.


-----Original Message-----
From: James Braunegg [mailto:james.braunegg@micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog@nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic.

Would be very interested if anyone else has seen this behavior before !
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source          Destination     Application     Src Port   Dst Port   Proto
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       51534      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       52699      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       60824      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       51669      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       49215      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       62099      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       65429      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       51965      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       50381      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       59379      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       58103      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       59514      TCP
x.x.x.x/16      58.162.67.45    ms-wbt-server   3389       58298      TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666


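The point made in the reply above is that a server answering from port 3389 to a high ephemeral port on the remote side is the return half of an inbound connection or probe, not a session the server opened. The script below is an added example, not code from this thread: it classifies netflow records of the shape shown in the original post by which end holds port 3389 and then judges, per remote peer, whether many internal hosts merely answered it (a sweep of the range) or whether any host opened RDP to it on its own. All addresses and rows are constructed.

```python
"""Classify outbound port 3389 NetFlow records by which side opened the session.
Added example, not code from the NANOG thread; the records below are
constructed and only their column layout mirrors the post's netflow sample."""
from collections import defaultdict

RDP_PORT = 3389
EPHEMERAL_MIN = 49152  # start of the IANA dynamic port range

# Constructed sample (src dst application src_port dst_port proto), exported
# from the internal side: src is our host, dst is the remote peer.
SAMPLE_FLOWS = """
192.0.2.10  198.51.100.7  ms-wbt-server  3389   51534  TCP
192.0.2.11  198.51.100.7  ms-wbt-server  3389   52699  TCP
192.0.2.12  198.51.100.7  ms-wbt-server  3389   60824  TCP
192.0.2.20  203.0.113.9   ms-wbt-server  51022  3389   TCP
"""

def parse_flows(text):
    """One dict per non-blank whitespace-separated row."""
    rows = (line.split() for line in text.strip().splitlines())
    return [{"src": s, "dst": d, "app": a, "sport": int(sp), "dport": int(dp),
             "proto": pr} for s, d, a, sp, dp, pr in rows]

def flow_role(flow):
    """Infer who opened the session from which end holds port 3389.
    server-response: our host answers from 3389 to a remote ephemeral port,
    i.e. the peer connected to or probed us (what a scan's return traffic
    looks like). client-initiated: our host connects to a remote 3389, which
    is how a server reaching out over RDP on its own would appear."""
    if flow["sport"] == RDP_PORT and flow["dport"] >= EPHEMERAL_MIN:
        return "server-response"
    if flow["dport"] == RDP_PORT:
        return "client-initiated"
    return "other"

def assess_peers(flows, min_hosts=3):
    """Verdict per remote peer: many internal hosts answering one peer from
    port 3389 while none opens a session to it matches a sweep of the range,
    not hosts acting under that peer's control."""
    roles = defaultdict(lambda: defaultdict(set))
    for f in flows:
        roles[f["dst"]][flow_role(f)].add(f["src"])
    verdicts = {}
    for peer, by_role in roles.items():
        many = len(by_role["server-response"]) >= min_hosts
        verdicts[peer] = ("investigate: internal hosts opened RDP to peer"
                          if by_role["client-initiated"] else
                          "scan return traffic" if many else "inconclusive")
    return verdicts
```

Byte counts and timing (the 30-minute burst and simultaneous stop mentioned in the reply) are a separate signal; this only settles the direction question from the port pairs.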


