[148369] in North American Network Operators' Group
RE: Possible New Zero Day Microsoft Windows 3389 vulnerability -
daemon@ATHENA.MIT.EDU (Erik Soosalu)
Fri Jan 13 08:39:09 2012
Date: Fri, 13 Jan 2012 08:38:19 -0500
In-Reply-To: <CA7E867D448D8B489EFF2E97E266038A1DACB8F3@RA-EX01.raprinting.com>
From: "Erik Soosalu" <erik.soosalu@calyxinc.com>
To: "James Braunegg" <james.braunegg@micron21.com>,
<nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I would agree that it is a large stream.
The other thing would be a password crack attempt. There was a tool out a couple of years ago, and I've forgotten the name of it now, that worked at brute forcing RDP passwords. It worked without ending up in the Windows logs, because at the time Windows would only log incorrect RDP password attempts on the 5th try. So it would try 4 passwords, disconnect and then connect again.
If it was such a program, trying as fast as it could, there would be a lot of initial "screen renders" being sent to the attack IP with very little traffic coming back - just the login attempts.
Thanks,
Erik
-----Original Message-----
From: James Braunegg [mailto:james.braunegg@micron21.com]
Sent: Friday, January 13, 2012 8:29 AM
To: Erik Soosalu; nanog@nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
Dear Erik
2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..
We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45
The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com | ABN: 12 109 977 666
This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu@calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog@nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.
-----Original Message-----
From: James Braunegg [mailto:james.braunegg@micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog@nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
Hey All,
Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation, all simultaneously send around 2mbit or so data to a specific target IP address.
The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic.
Would be very interested if anyone else has seen this behavior before !
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP? If so I name it "ohDeer-RDP".
A sample of the traffic is as per below, collected from netflow
Source        Destination    Application    Src Port  Dst Port  Protocol
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      58298     TCP
This occurred around 10:30pm AEST Friday the 13th of January 2012
We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.
Kindest Regards
James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg@micron21.com<mailto:james.braunegg@micron21.com> |
ABN: 12 109 977 666
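The two traffic patterns Erik describes (a port scan of the block, where many local hosts each answer once with a handful of bytes, and a brute-force tool that disconnects every few guesses so that each reconnect pulls a fresh login-screen render outbound with very little coming back) can both be picked out of netflow exports like the one James posted, by aggregating flows that leave local hosts from TCP/3389 per remote address. The Python below is an added example for defenders, not code from this thread or from any tool named in it; the flow-record format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are assumptions and should be tuned against your own baseline.

```python
"""Flag remote addresses whose RDP-related netflow pattern looks like a
3389 scan or a reconnecting credential-guessing tool (added example)."""
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample flows (not from the thread). Each record is one flow
# seen from inside the network: src is the local Windows host replying from
# TCP/3389, dst is the remote address, bytes_out leaves the network and
# bytes_in enters it. The record layout is an assumption.
SAMPLE_FLOWS = (
    # one remote host probing six different servers, one tiny flow each
    *[{"src": f"192.0.2.{i}", "dst": "203.0.113.5", "src_port": RDP_PORT,
       "proto": "TCP", "bytes_out": 120, "bytes_in": 60} for i in range(10, 16)],
    # one remote host reconnecting 40 times to each of three servers; every
    # reconnect sends a login-screen render out and gets a few packets back
    *[{"src": f"192.0.2.{i}", "dst": "203.0.113.9", "src_port": RDP_PORT,
       "proto": "TCP", "bytes_out": 48_000, "bytes_in": 1_500}
      for i in (20, 21, 22) for _ in range(40)],
    # one legitimate admin session: a single long-lived, two-way flow
    {"src": "192.0.2.30", "dst": "198.51.100.7", "src_port": RDP_PORT,
     "proto": "TCP", "bytes_out": 2_000_000, "bytes_in": 300_000},
    # unrelated HTTPS flow, ignored because it does not originate from 3389
    {"src": "192.0.2.31", "dst": "198.51.100.8", "src_port": 443,
     "proto": "TCP", "bytes_out": 9_000, "bytes_in": 4_000},
)


def summarise_rdp_flows(flows):
    """Aggregate flows leaving local hosts from TCP/3389, keyed by remote address."""
    per_dst = defaultdict(lambda: {"sources": set(), "flows": 0,
                                   "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        if f["proto"] != "TCP" or f["src_port"] != RDP_PORT:
            continue
        agg = per_dst[f["dst"]]
        agg["sources"].add(f["src"])
        agg["flows"] += 1
        agg["bytes_out"] += f["bytes_out"]
        agg["bytes_in"] += f["bytes_in"]
    return dict(per_dst)


def classify_destinations(flows, min_hosts=5, min_reconnects=10, min_ratio=10.0):
    """Return {remote_ip: verdict} for remote addresses matching either heuristic.

    Thresholds are assumed starting points:
      scan  - at least min_hosts local hosts, about one flow each, tiny flows
      guess - at least min_reconnects flows per host and outbound bytes at
              least min_ratio times inbound bytes (renders out, little back)
    """
    verdicts = {}
    for dst, agg in summarise_rdp_flows(flows).items():
        hosts = len(agg["sources"])
        flows_per_host = agg["flows"] / hosts
        out_per_flow = agg["bytes_out"] / agg["flows"]
        ratio = agg["bytes_out"] / max(agg["bytes_in"], 1)
        if hosts >= min_hosts and flows_per_host < 2 and out_per_flow < 1_000:
            verdicts[dst] = ("scan: many local hosts answered once each "
                             "with a handful of bytes")
        elif flows_per_host >= min_reconnects and ratio >= min_ratio:
            verdicts[dst] = ("credential guessing: repeated reconnects, "
                             "large outbound versus tiny inbound")
    return verdicts


if __name__ == "__main__":
    for remote, verdict in classify_destinations(SAMPLE_FLOWS).items():
        print(f"{remote:16} {verdict}")
```

Feeding real exports means mapping your collector's fields onto the record keys above; the per-host reconnect count is the signal that separates the log-evading "four guesses then reconnect" tool from a normal session, and the byte ratio separates both from an ordinary interactive RDP login, which is two-way.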