[AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Daniel S daniel at netvirtue.com.au
Sat Jan 14 01:30:33 EST 2012


Hi James,

Can you run a netmon on one of the servers?  This should quickly identify
the cause and assist with a solution.

http://support.microsoft.com/kb/812953

Regards,
Daniel

On Sat, Jan 14, 2012 at 12:49 AM, James Braunegg <
james.braunegg at micron21.com> wrote:

> Dear Chris and Martin
>
> I tend to agree with you, as a remote desktop connection attempt does send
> a bit of outbound traffic. That being said, I've looked in some of the logs on
> a few servers (don't have access to most) and cannot find any large amount
> of login attempts... The search for the needle in the haystack continues.
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or disclose it
> to anyone other than the addressee. If you have received this message in
> error please return the message to the sender by replying to it and then
> delete the message from your computer.
>
> From: Chris Macko [mailto:cmacko at intervolve.com.au]
> Sent: Saturday, January 14, 2012 12:28 AM
> To: James Braunegg; Martin - StudioCoast; ausnog at lists.ausnog.net
> Subject: RE: [AusNOG] Possible New Zero Day Microsoft Windows 3389
> vulnerability - outbound traffic 3389
>
> Hi James,
>
> That's just RDP behaviour in responding to the request. Best bet is to
> set up software or devices that block connections to diverse destination IPs
> using the same port (the behaviour you're seeing is not only common with
> RDP but with SSH / MSSQL and a great deal of other protocols).
>
> Kind Regards,
>
> Chris Macko
> Managing Director
> Interhost Pacific Pty Ltd t/a Intervolve
>
> Support Phone: 1300 664 574 / +61 8 8260 4237
> Sales Phone: +61 3 9646 2060
> Accounts Phone: +61 8 8260 4237
> Office Fax: +61 8 8260 4312
>
> Sales Email: sales at intervolve.com.au
> Support Email: support at intervolve.com.au
> Accounts Email: accounts at intervolve.com.au
>
> Website: www.intervolve.com.au <http://www.intervolve.com.au/>
>
> This email contains information that is confidential to the intended
> recipient. It may also contain information, which is subject to legal
> privilege. If you are not the intended recipient, you must not use, pass on
> or copy this message. We also ask that you notify the sender by email or
> telephone and destroy the original message. Thank you.
>
> ------------------------------
>
> From: ausnog-bounces at lists.ausnog.net [mailto:
> ausnog-bounces at lists.ausnog.net] On Behalf Of James Braunegg
> Sent: Friday, 13 January 2012 11:45 PM
> To: Martin - StudioCoast; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389
> vulnerability - outbound traffic 3389
>
> Dear Martin
>
> This could be a possibility, but the ratio of inbound traffic to outbound
> traffic was almost 1:20 (1 inbound to the server, 20 outbound to the server).
>
> Normally a brute force attack would be a large amount of inbound traffic,
> not outbound traffic from the server.
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
> From: ausnog-bounces at lists.ausnog.net [mailto:
> ausnog-bounces at lists.ausnog.net] On Behalf Of Martin - StudioCoast
> Sent: Saturday, January 14, 2012 12:05 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389
> vulnerability - outbound traffic 3389
>
> Looks like standard RDP brute force traffic to me. See it all the time on
> servers with open RDP ports.
> Most likely 58.162.67.45 is attempting to log in to all of those servers at
> once.
>
> If a worm was able to get in, you would probably see a lot of inverse
> traffic as the worm would begin to brute force other IP addresses it finds.
>
> On 13/01/2012 10:37 PM, James Braunegg wrote:
>
> Hey All,
>
> Just posting to see if anyone has seen any strange outbound traffic on
> port 3389 from Microsoft Windows Server over the last few hours.
>
> We witnessed an alarming number of completely independent Microsoft
> Windows Servers, each on separate VLANs and subnets (i.e. all /30 and /29
> allocations) with separate gateways and completely separate customers,
> but all services were within the same 1.x.x.x/16 allocation, all
> simultaneously sending around 2 Mbit or so of data to a specific target IP
> address.
>
> The only common link was / is that terminal services port 3389 is open to
> the public. Obviously someone (Mr 133t dude) scanned an allocation within our
> network, and like a worm was able to simultaneously control every Microsoft
> Windows Server to send outbound traffic.
>
> Microsoft Windows Servers within the 1.x.x.x/16 allocation which were
> behind a firewall or VPN and did not have public 3389 access did not send
> the unknown traffic.
>
> Would be very interested if anyone else has seen this behavior before! Or
> is this the start of a lovely new Zero Day Vulnerability with Windows RDP?
> If so I name it "ohDeer-RDP".
>
> A sample of the traffic is as per below, collected from netflow:
>
> Source        Destination     Application     Src Port   Dst Port   Proto
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51534      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       52699      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       60824      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51669      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       49215      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       62099      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       65429      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51965      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       50381      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       59379      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       58103      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       59514      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       58298      TCP
>
> This occurred around 10:30pm AEST Friday the 13th of January 2012.
>
> We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges
> which were totally unaffected.
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
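
The pattern the thread settles on (one external address working through a range on 3389, with every server sending far more back than it received) can be confirmed from the flow export itself rather than from per-server logs. The following is an added example, not code from the thread or from any of the posters: the flow record layout, the addresses (RFC 5737 documentation ranges, not the ones quoted above), the byte counts and the threshold are all constructed for it.

```python
"""Added example: flag a single external peer fanning out across many RDP
servers, from flow records.  Not code from the AusNOG thread; all data below
is constructed and the addresses are RFC 5737 documentation ranges."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RDP_PORT = 3389  # ms-wbt-server, the one port every flow in the thread shares


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


@dataclass
class PeerSummary:
    """What one external address did against our RDP servers."""
    peer: str
    targets: set = field(default_factory=set)  # distinct internal servers touched
    bytes_to_server: int = 0                    # client -> server (inbound) bytes
    bytes_from_server: int = 0                  # server -> client (outbound) bytes
    flows: int = 0

    @property
    def ratio(self) -> float:
        """Outbound-to-inbound byte ratio; 0.0 when the servers never replied."""
        if not self.bytes_to_server:
            return 0.0
        return self.bytes_from_server / self.bytes_to_server


# Constructed sample export, one flow per line: src,dst,proto,sport,dport,bytes
SAMPLE_FLOWS = "\n".join(
    # one scanner working eight unrelated servers: small inbound flows, larger replies
    [f"203.0.113.45,192.0.2.{n},TCP,{50000 + n},3389,600" for n in range(10, 18)]
    + [f"192.0.2.{n},203.0.113.45,TCP,3389,{50000 + n},12000" for n in range(10, 18)]
    # a legitimate admin session: just as lopsided (screen data), but a single target
    + ["198.51.100.9,192.0.2.20,TCP,50123,3389,450000",
       "192.0.2.20,198.51.100.9,TCP,3389,50123,9800000"]
    # a probe of three servers that never got a reply
    + [f"198.51.100.77,192.0.2.{n},TCP,44000,3389,60" for n in (30, 31, 32)]
)


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append(Flow(src, dst, proto, int(sport), int(dport), int(nbytes)))
    return flows


def summarise_rdp_peers(flows: list[Flow], internal_nets: list[str]) -> dict[str, PeerSummary]:
    """Attribute each RDP flow, in either direction, to the external peer on the far end."""
    nets = [ip_network(n) for n in internal_nets]

    def internal(addr: str) -> bool:
        return any(ip_address(addr) in net for net in nets)

    peers: dict[str, PeerSummary] = {}
    for f in flows:
        if f.proto != "TCP":
            continue
        if f.dport == RDP_PORT and internal(f.dst) and not internal(f.src):
            peer, server, to_server = f.src, f.dst, True     # connection attempt
        elif f.sport == RDP_PORT and internal(f.src) and not internal(f.dst):
            peer, server, to_server = f.dst, f.src, False    # the server's reply
        else:
            continue
        s = peers.setdefault(peer, PeerSummary(peer))
        s.targets.add(server)
        s.flows += 1
        if to_server:
            s.bytes_to_server += f.nbytes
        else:
            s.bytes_from_server += f.nbytes
    return peers


def flag_fanout(peers: dict[str, PeerSummary], min_targets: int = 5) -> list[PeerSummary]:
    """Gate on how many distinct servers a peer touched, not on the byte ratio:
    one legitimate session is just as lopsided as a brute-force response."""
    hits = [s for s in peers.values() if len(s.targets) >= min_targets]
    return sorted(hits, key=lambda s: len(s.targets), reverse=True)


if __name__ == "__main__":
    summary = summarise_rdp_peers(parse_flows(SAMPLE_FLOWS), ["192.0.2.0/24"])
    for s in flag_fanout(summary):
        print(f"{s.peer}: {len(s.targets)} servers, {s.flows} flows, out:in = {s.ratio:.1f}:1")
```

Two things the sample data is built to show. The 1:20 byte ratio measured in the thread is real, but a single legitimate RDP session produces the same shape (the server pushes screen data), so the ratio on its own does not separate a brute-force from an admin logging in; the number of distinct servers one peer touched does, and that fan-out is the same property the "many destination IPs, same port" blocking suggested above keys on from the scanner's side. The outbound bytes are replies to inbound connection attempts, so an egress rule on source port 3389 would only break legitimate RDP; the servers in the thread that were unaffected were the ones whose 3389 was not reachable from the Internet in the first place.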