<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns0="http://schemas.microsoft.com/office/2004/12/omml">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--a:link
{mso-style-priority:99;}
span.MSOHYPERLINK
{mso-style-priority:99;}
a:visited
{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
{mso-style-priority:99;}
pre
{mso-style-priority:99;}
p.MSOACETATE
{mso-style-priority:99;}
li.MSOACETATE
{mso-style-priority:99;}
div.MSOACETATE
{mso-style-priority:99;}
span.BALLOONTEXTCHAR
{mso-style-priority:99;}
span.HTMLPREFORMATTEDCHAR
{mso-style-priority:99;}
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;
color:black;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
pre
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:Tahoma;
color:black;}
span.HTMLPreformattedChar
{font-family:Consolas;
color:black;}
span.BalloonTextChar
{font-family:Tahoma;}
span.EmailStyle21
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:Calibri;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:Calibri;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:Arial;
color:black;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.small1
{font-family:Arial;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=10 valign=top style='width:7.5pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> </span></font><font size=3><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
<td width=740 valign=top style='width:555.0pt;padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt' height=100>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=239
style='width:179.25pt'>
<tr>
<td valign=top style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><a href="http://www.intervolve.com.au/"><font
color="#0066cc"><span style='color:#0066CC;text-decoration:none'><img
border=0 width=239 height=59 id="_x0000_i1029"
src="cid:image002.gif@01CCD24F.395D31C0"></span></font></a></span></font><font
size=3><span style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Calibri><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=75 style='width:56.25pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> </span></font><font size=3><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
<td width=668 style='width:501.0pt;padding:0cm 0cm 0cm 0cm'>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Hi James,<br>
<br>
That’s just RDP behaviour in responding to the request; best bet is to
set up software or devices that block connections to diverse destination IPs
using the same port (the behaviour you’re seeing is not only common with
RDP but with SSH / MSSQL and a great deal of other protocols).<o:p></o:p></span></font></p>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Kind Regards,<o:p></o:p></span></font></p>
<p><b><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black;font-weight:bold'>Chris</span></font></b><font
color=black face=Arial><span style='font-family:Arial;color:black'> Macko<br>
</span></font><strong><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:black'>Managing Director</span></font></b></strong><font
color=black face=Arial><span style='font-family:Arial;color:black'><br>
</span></font><span class=small1><b><font size=1 color="#0066cc"
face=Arial><span style='font-size:8.5pt;color:#0066CC;font-weight:bold'>Interhost
Pacific</span></font></b></span><span class=small1><font size=1
color="#0066cc" face=Arial><span style='font-size:8.5pt;color:#0066CC'>
Pty Ltd t/a Intervolve</span></font></span><span class=small1><font
size=1 color="#999999" face=Arial><span style='font-size:7.5pt;
color:#999999'> </span></font></span><font color=black><span
style='color:black'><o:p></o:p></span></font></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
width="100%" style='width:100.0%'>
<tr height=11 style='height:8.25pt'>
<td width="20%" height=11 style='width:20.0%;padding:0cm 0cm 0cm 0cm;
height:8.25pt'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=11 style='padding:0cm 0cm 0cm 0cm;height:8.25pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>1300 664 574 /
+61 8 8260 4237</span></font><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 3 9646 2060</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4237</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Office Fax</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4312</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:sales@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>sales@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:support@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>support@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:accounts@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>accounts@intervolve.com.au </span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Website</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'><a
href="http://www.intervolve.com.au/"><font size=1><span
style='font-size:8.5pt'>www.<b><span style='font-weight:bold'>intervolve</span></b>.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td colspan=2 height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'>This email
contains information that is confidential to the intended recipient. It
may also contain information, which is subject to legal privilege. If
you are not the intended recipient, you must not use, pass on or copy
this message. We also ask that you notify the sender by email or
telephone and destroy the original message. Thank you.</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Calibri><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Calibri><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Calibri><span
style='font-size:12.0pt'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><br clear=all>
</span><o:p></o:p></font></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
color=black face="Times New Roman"><span style='font-size:12.0pt;font-family:
"Times New Roman";color:windowtext'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <b><span style='font-weight:bold'>On
Behalf Of </span></b>James Braunegg<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, 13 January 2012
11:45 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Martin - StudioCoast;
ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389</span></font><font
size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
font-family:"Times New Roman";color:windowtext'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Dear Martin<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>This could be a possibility, but the
ratio of inbound traffic to outbound traffic was almost 1:20 (1 inbound to the
server, 20 outbound from the server).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Normally a brute force attack would be a
large amount of inbound traffic, not outbound traffic from the server.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Kindest Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Verdana><span
style='font-size:11.0pt;font-family:Verdana;color:#1F497D;font-weight:bold'>James
Braunegg<br>
</span></font></b><b><font size=1 color="#1f497d" face=Verdana><span
style='font-size:8.0pt;font-family:Verdana;color:#1F497D;font-weight:bold'>W:</span></font></b><font
size=1 color="#1f497d" face=Verdana><span style='font-size:8.0pt;font-family:
Verdana;color:#1F497D'> 1300 769 972 | <b><span
style='font-weight:bold'>M:</span></b> 0488 997 207 | <b><span
style='font-weight:bold'>D:</span></b> (03) 9751 7616<o:p></o:p></span></font></p>
<p class=MsoNormal><b><font size=1 color="#1f497d" face=Verdana><span
style='font-size:8.0pt;font-family:Verdana;color:#1F497D;font-weight:bold'>E:</span></font></b><font
size=1 color="#1f497d" face=Verdana><span style='font-size:8.0pt;font-family:
Verdana;color:#1F497D'> </span></font><font color="#1f497d"><span
style='color:#1F497D'><a href="mailto:james.braunegg@micron21.com"><font
size=1 face=Verdana><span style='font-size:8.0pt;font-family:Verdana'>james.braunegg@micron21.com</span></font></a></span></font><font
size=1 color="#1f497d" face=Verdana><span style='font-size:8.0pt;font-family:
Verdana;color:#1F497D'> | <b><span style='font-weight:bold'>ABN:</span></b>
12 109 977 666 <br>
<br>
<img border=0 width=250 height=39 id="_x0000_i1026"
src="cid:image003.jpg@01CCD24F.395D31C0"
alt="M21.jpg"><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 color="#1f497d" face=Verdana><span
style='font-size:8.0pt;font-family:Verdana;color:#1F497D'><br>
</span></font><font size=1 color="#1f497d" face=Verdana><span lang=EN-AU
style='font-size:8.0pt;font-family:Verdana;color:#1F497D'>This message is
intended for the addressee named above. It may contain privileged or
confidential information. If you are not the intended recipient of this message
you must not use, copy, distribute or disclose it to anyone other than the
addressee. If you have received this message in error please return the message
to the sender by replying to it and then delete the message from your computer.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <b><span style='font-weight:bold'>On
Behalf Of </span></b>Martin - StudioCoast<br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, January 14, 2012
12:05 AM<br>
<b><span style='font-weight:bold'>To:</span></b> ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial'>Looks like standard RDP brute-force traffic to me.
See it all the time on servers with open RDP ports.<br>
Most likely 58.162.67.45 is attempting to log in to all of those servers at
once.<br>
<br>
If a worm was able to get in, you would probably see a lot of inverse traffic
as the worm would begin to brute-force other IP addresses it finds.</span></font>
<o:p></o:p></p>
<div>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'><br>
On 13/01/2012 10:37 PM, James Braunegg wrote: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>Hey All,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>Just posting to see if anyone has seen any strange
outbound traffic on port 3389 from Microsoft Windows Server over the last few
hours.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>We witnessed an alarming number of completely
independent Microsoft Windows Servers, each on separate VLANs and subnets
(i.e. all /30 and /29 allocations) with separate gateways and completely
separate customers, but all services were within the same 1.x.x.x/16 allocation,
all simultaneously sending around 2 Mbit or so of data to a specific target IP
address.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>The only common link was / is that Terminal Services port
3389 is open to the public. Obviously someone (Mr 133t dude) scanned an
allocation within our network, and like a worm was able to simultaneously
control every Microsoft Windows Server to send outbound traffic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>Microsoft Windows Servers within the 1.x.x.x/16
allocation which were behind a firewall or VPN and did not have public 3389
access did not send the unknown traffic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>Would be very interested if anyone else has seen this
behaviour before! Or is this the start of a lovely new zero-day vulnerability
with Windows RDP? If so, I name it “ohDeer-RDP”.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>A sample of the traffic is as per below, collected
from NetFlow:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<pre><font size=2 color=black face="Courier New"><span style='font-size:10.0pt'>Source        Destination     Application     Src Port  Dst Port  Proto
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      51534     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      52699     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      60824     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      51669     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      49215     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      62099     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      65429     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      51965     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      50381     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      59379     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      58103     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      59514     TCP
x.x.x.x/16    58.162.67.45    ms-wbt-server   3389      58298     TCP
</span></font></pre>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>This occurred around 10:30pm AEST Friday the 13<sup>th</sup>
of January 2012<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>We had many other Microsoft Windows Servers in other
2.x.x.x/16 IP ranges which were totally unaffected.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'>Kindest Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Verdana><span
style='font-size:11.0pt;font-family:Verdana;color:#1F497D;font-weight:bold'>James
Braunegg<br>
</span></font></b><b><font size=1 color="#1f497d" face=Verdana><span
style='font-size:8.0pt;font-family:Verdana;color:#1F497D;font-weight:bold'>W:</span></font></b><font
size=1 color="#1f497d" face=Verdana><span style='font-size:8.0pt;font-family:
Verdana;color:#1F497D'> 1300 769 972 | <b><span
style='font-weight:bold'>M:</span></b> 0488 997 207 | <b><span
style='font-weight:bold'>D:</span></b> (03) 9751 7616</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color=black face=Calibri><span
style='font-size:11.0pt'> <o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'><br>
<br>
<o:p></o:p></span></font></p>
<pre><font size=2 color=black face="Courier New"><span style='font-size:10.0pt'>_______________________________________________<o:p></o:p></span></font></pre><pre><font
size=2 color=black face="Courier New"><span style='font-size:10.0pt'>AusNOG mailing list<o:p></o:p></span></font></pre><pre><font
size=2 color=black face="Courier New"><span style='font-size:10.0pt'><a
href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><o:p></o:p></span></font></pre><pre><font
size=2 color=black face="Courier New"><span style='font-size:10.0pt'><a
href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></span></font></pre></div>
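<p class=MsoNormal><font size=2 color=black face=Calibri><span style='font-size:11.0pt'>The flow sample and the replies in the thread above, worked through as an added example that is not part of the original thread and not code from any of the posters. It applies the reading Martin and Chris give: a record whose source is one of our servers, whose source port is a listening service port (3389, 22, 1433) and whose destination port is in the Windows ephemeral range is the server answering a session the remote side opened, not the server reaching out. It then runs the two checks the thread describes: one remote address reaching many internal servers on the same service port (the brute force James saw from the server side) and one internal host opening sessions to many destinations on the same port (the inverse pattern a compromised host would show, and what Chris suggests blocking). The internal prefix 192.0.2.0/24, the record format, the byte counts and the 203.0.113.x hosts are constructed for the example; only 58.162.67.45, port 3389 and the ephemeral ports come from the thread's sample.</span></font></p>

```python
"""Added example (not from the AusNOG thread): separate a server's RDP replies from
genuine outbound sessions in NetFlow-style records, then flag fan-in and fan-out."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {22, 1433, 3389}        # ports our servers listen on (assumed list)
EPHEMERAL_MIN = 49152                   # Windows Vista/2008+ client port range starts here
INTERNAL = ip_network("192.0.2.0/24")   # constructed stand-in for the /16 in the thread

# Constructed records modelled on the thread's sample (src dst sport dport proto bytes):
# four servers answer 58.162.67.45 from port 3389, its own inbound flows are small,
# and 192.0.2.50 is scanning outwards on 3389, the pattern a worm would produce.
SAMPLE = """
192.0.2.10    58.162.67.45  3389   51534  TCP  20000
192.0.2.11    58.162.67.45  3389   52699  TCP  20000
192.0.2.12    58.162.67.45  3389   60824  TCP  20000
192.0.2.13    58.162.67.45  3389   51669  TCP  20000
58.162.67.45  192.0.2.10    51534  3389   TCP  2000
58.162.67.45  192.0.2.11    52699  3389   TCP  2000
192.0.2.50    203.0.113.7   52001  3389   TCP  600
192.0.2.50    203.0.113.8   52002  3389   TCP  600
192.0.2.50    203.0.113.9   52003  3389   TCP  600
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int

def parse_flows(text):
    """Parse whitespace-separated records, skipping blank lines and # comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sport, dport, proto, nbytes = line.split()
        flows.append(Flow(src, dst, int(sport), int(dport), proto.upper(), int(nbytes)))
    return flows

def classify(flow, internal=INTERNAL):
    """'reply': our server answering from a service port to an ephemeral port, so
    the remote side opened the session. 'outbound': our host opened it.
    'inbound': a remote host opened it. 'internal': both ends are ours."""
    src_in, dst_in = ip_address(flow.src) in internal, ip_address(flow.dst) in internal
    if src_in and dst_in:
        return "internal"
    if src_in:
        if flow.sport in SERVICE_PORTS and flow.dport >= EPHEMERAL_MIN:
            return "reply"
        return "outbound"
    return "inbound"

def sessions(flows, internal=INTERNAL):
    """Collapse flows into (client, server, service_port) tuples regardless of direction."""
    seen = set()
    for f in flows:
        kind = classify(f, internal)
        if kind == "reply":
            seen.add((f.dst, f.src, f.sport))       # the remote side is the client
        elif kind in ("inbound", "outbound") and f.dport in SERVICE_PORTS:
            seen.add((f.src, f.dst, f.dport))       # the source is the client
    return seen

def fan_in(flows, internal=INTERNAL, min_servers=3):
    """Remote clients that reached >= min_servers distinct internal servers on one port."""
    targets = defaultdict(set)
    for client, server, port in sessions(flows, internal):
        if ip_address(client) not in internal and ip_address(server) in internal:
            targets[(client, port)].add(server)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_servers}

def fan_out(flows, internal=INTERNAL, min_destinations=3):
    """Internal hosts that opened sessions to >= min_destinations outside hosts on one port."""
    dests = defaultdict(set)
    for client, server, port in sessions(flows, internal):
        if ip_address(client) in internal and ip_address(server) not in internal:
            dests[(client, port)].add(server)
    return {k: sorted(v) for k, v in dests.items() if len(v) >= min_destinations}

def reply_to_inbound_ratio(flows, internal=INTERNAL):
    """Bytes our servers sent as replies divided by bytes remote clients sent in."""
    sent = sum(f.nbytes for f in flows if classify(f, internal) == "reply")
    received = sum(f.nbytes for f in flows if classify(f, internal) == "inbound")
    return sent / received if received else float("inf")

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("fan-in :", fan_in(flows))
    print("fan-out:", fan_out(flows))
    print("reply/inbound bytes:", reply_to_inbound_ratio(flows))   # 20.0
```

<p class=MsoNormal><font size=2 color=black face=Calibri><span style='font-size:11.0pt'>On the constructed sample the fan-in check names 58.162.67.45 against four servers on 3389 and the fan-out check names 192.0.2.50 against three outside hosts, while the reply-to-inbound byte ratio comes out at 20, the same shape as the 1:20 James reports: large reply volumes sourced from port 3389 are the servers talking back to a client that is hammering them, which is why inbound byte counts alone can look small. The direction rule assumes the Windows dynamic port range; older clients or NAT devices that pick ports below 49152 would need EPHEMERAL_MIN lowered, at the cost of more false "outbound" labels.</span></font></p>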
</body>
</html>