<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Dear Chris and Martin,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I tend to agree with you, as a remote desktop connection attempt does send a bit of outbound traffic. That being said, I’ve looked in some of the logs on a few servers (don’t have access to most) and cannot find any large amount of login attempts… The search for the needle in the haystack continues.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Kindest Regards<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><b><span style='font-family:"Verdana","sans-serif";color:#1F497D'>James Braunegg<br></span></b><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>W:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>E:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><span style='color:#1F497D'><a href="mailto:james.braunegg@micron21.com"><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'>james.braunegg@micron21.com</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> | <b>ABN:</b> 12 109 977 666 <br><br><img border=0 width=250 height=39 id="Picture_x0020_1" src="cid:image001.jpg@01CCD25A.8BD54040" alt="Description: Description: Description: 
M21.jpg"><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'><br></span><span lang=EN-AU style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.<o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Chris Macko [mailto:cmacko@intervolve.com.au] <br><b>Sent:</b> Saturday, January 14, 2012 12:28 AM<br><b>To:</b> James Braunegg; Martin - StudioCoast; ausnog@lists.ausnog.net<br><b>Subject:</b> RE: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740 style='width:555.0pt'><tr><td width=10 valign=top style='width:7.5pt;padding:0in 0in 0in 0in'><p class=MsoNormal> <span style='font-size:12.0pt'><o:p></o:p></span></p></td><td width=740 valign=top style='width:555.0pt;padding:0in 0in 0in 0in'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740 
style='width:555.0pt'><tr><td style='padding:0in 0in 0in 0in'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=239 style='width:179.25pt'><tr><td valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="http://www.intervolve.com.au/"><span style='color:#0066CC;text-decoration:none'><img border=0 width=239 height=59 id="Picture_x0020_5" src="cid:image002.gif@01CCD25A.8BD54040" alt="Description: cid:image002.gif@01CCD24F.395D31C0"></span></a><span style='font-size:12.0pt'><o:p></o:p></span></p></td></tr></table></td></tr><tr><td style='padding:0in 0in 0in 0in'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740 style='width:555.0pt'><tr><td width=75 style='width:56.25pt;padding:0in 0in 0in 0in'><p class=MsoNormal> <span style='font-size:12.0pt'><o:p></o:p></span></p></td><td width=668 style='width:501.0pt;padding:0in 0in 0in 0in'><p><span style='font-family:"Arial","sans-serif";color:black'>Hi James,<br><br>That’s just RDP behaviour in responding to the request. Best bet is to set up software or devices that block connections to diverse destination IPs using the same port (the behaviour you’re seeing is not only common with RDP but with SSH / MSSQL and a great deal of other protocols).<o:p></o:p></span></p><p><span style='font-family:"Arial","sans-serif";color:black'>Kind Regards,<o:p></o:p></span></p><p><b><span style='font-family:"Arial","sans-serif";color:black'>Chris</span></b><span style='font-family:"Arial","sans-serif";color:black'> Macko<br></span><strong><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Managing Director</span></strong><span style='font-family:"Arial","sans-serif";color:black'><br></span><span class=small1><b><span style='font-size:8.5pt;color:#0066CC'>Interhost Pacific</span></b></span><span class=small1><span style='font-size:8.5pt;color:#0066CC'> Pty Ltd t/a Intervolve</span></span><span class=small1><span style='font-size:7.5pt;color:#999999'> 
</span></span><span style='color:black'><o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%" style='width:100.0%'><tr style='height:8.25pt'><td width="20%" style='width:20.0%;padding:0in 0in 0in 0in;height:8.25pt'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Support Phone</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in;height:8.25pt'><p class=MsoNormal><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>1300 664 574 / +61 8 8260 4237</span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Sales Phone</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>+61 3 9646 2060</span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Accounts Phone</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>+61 8 8260 4237</span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Office Fax</span></b><span 
style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>+61 8 8260 4312</span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr style='height:1.5pt'><td style='padding:0in 0in 0in 0in;height:1.5pt'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in;height:1.5pt'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Sales Email</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#0066CC'><a href="mailto:sales@intervolve.com.au"><span style='font-size:8.5pt'>sales@intervolve.com.au</span></a></span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Support Email</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#0066CC'><a href="mailto:support@intervolve.com.au"><span style='font-size:8.5pt'>support@intervolve.com.au</span></a></span><span 
style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Accounts Email</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#0066CC'><a href="mailto:accounts@intervolve.com.au"><span style='font-size:8.5pt'>accounts@intervolve.com.au </span></a></span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#999999'>Website</span></b><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#999999'><a href="http://www.intervolve.com.au/"><span style='font-size:8.5pt'>www.<b>intervolve</b>.com.au</span></a></span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p 
class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'> </span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr><tr style='height:1.5pt'><td colspan=2 style='padding:0in 0in 0in 0in;height:1.5pt'><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#999999'>This email contains information that is confidential to the intended recipient. It may also contain information, which is subject to legal privilege. If you are not the intended recipient, you must not use, pass on or copy this message. We also ask that you notify the sender by email or telephone and destroy the original message. 
Thank you.</span><span style='font-size:8.5pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p></td></tr></table></td></tr></table></td></tr></table></td></tr></table><p class=MsoNormal><br clear=all><span style='font-size:10.0pt'><o:p></o:p></span></p></div><div><div class=MsoNormal align=center style='text-align:center'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:windowtext'><hr size=2 width="100%" align=center></span></div><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>James Braunegg<br><b>Sent:</b> Friday, 13 January 2012 11:45 PM<br><b>To:</b> Martin - StudioCoast; ausnog@lists.ausnog.net<br><b>Subject:</b> Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389</span><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:windowtext'><o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Dear Martin,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>This could be a possibility, but the ratio of inbound traffic to outbound traffic was almost 1:20 (1 inbound to the server, 20 outbound from the server).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Normally a brute force attack would be a large amount of inbound traffic, not outbound traffic from the server.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Kindest Regards<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> 
</o:p></span></p><div><p class=MsoNormal><b><span style='font-family:"Verdana","sans-serif";color:#1F497D'>James Braunegg<o:p></o:p></span></b></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>Martin - StudioCoast<br><b>Sent:</b> Saturday, January 14, 2012 12:05 AM<br><b>To:</b> ausnog@lists.ausnog.net<br><b>Subject:</b> Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Looks like standard RDP brute force traffic to me. 
See it all the time on servers with open RDP ports.<br>Most likely 58.162.67.45 is attempting to log in to all of those servers at once.<br><br>If a worm was able to get in, you would probably see a lot of inverse traffic as the worm would begin to brute force other IP addresses it finds.</span> <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><br>On 13/01/2012 10:37 PM, James Braunegg wrote: <o:p></o:p></p><p class=MsoNormal>Hey All,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>We witnessed an alarming number of completely independent Microsoft Windows Servers, each on separate VLANs and subnets (i.e. all /30 and /29 allocations) with separate gateways and completely separate customers, but all services were within the same 1.x.x.x/16 allocation, and all simultaneously sent around 2 Mbit or so of data to a specific target IP address.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The only common link was/is that terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Would be very interested if anyone else has seen this behavior before! 
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP? If so, I name it “ohDeer-RDP”.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>A sample of the traffic is as per below, collected from netflow:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><pre>Source      Destination   Application    Src Port  Dst Port  Protocol
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51534     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      52699     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      60824     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51669     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      49215     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      62099     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      65429     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51965     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      50381     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59379     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58103     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59514     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58298     TCP</pre><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>This occurred around 10:30pm AEST Friday the 13<sup>th</sup> of January 2012.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Kindest Regards<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b><span style='font-family:"Verdana","sans-serif";color:#1F497D'>James Braunegg<o:p></o:p></span></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><pre>_______________________________________________<o:p></o:p></pre><pre>AusNOG mailing list<o:p></o:p></pre><pre><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><o:p></o:p></pre><pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></pre></div></body></html>
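As an added example (not code from the thread or from any of its posters), the classification the replies converge on, applied to constructed netflow-style records: many internal hosts answering from source port 3389 to one external address mark that address as the scanner whose probes the RDP servers are replying to, while one internal host reaching port 3389 on many external addresses is the worm-like fan-out Martin describes and Chris's suggested blocking rule targets. The internal prefix, the documentation-range addresses, the 1024 ephemeral-port cutoff and the fan threshold are all assumptions.

```python
"""Fan-in vs fan-out on a well-known port in netflow-style records (added
example, not code from the AusNOG thread). Many internal hosts sending FROM
source port 3389 to one external address are RDP servers answering an inbound
scan or brute force; one internal host dialling TO port 3389 on many external
addresses is the worm-like outbound scanning the replies contrast it with."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Constructed records in the column layout of the thread's netflow excerpt,
# documentation ranges only (192.0.2.0/24 = the hoster's allocation,
# 203.0.113.0/24 = the Internet). Rows 1-5: servers replying to one scanner;
# row 6: a server answering one admin; rows 7-11: one host fanning out;
# row 12: one ordinary outbound RDP session.
SAMPLE_FLOWS = """\
Source Destination Application SrcPort DstPort Protocol
192.0.2.10 203.0.113.45 ms-wbt-server 3389 51534 TCP
192.0.2.11 203.0.113.45 ms-wbt-server 3389 52699 TCP
192.0.2.12 203.0.113.45 ms-wbt-server 3389 60824 TCP
192.0.2.13 203.0.113.45 ms-wbt-server 3389 51669 TCP
192.0.2.14 203.0.113.45 ms-wbt-server 3389 49215 TCP
192.0.2.20 203.0.113.200 ms-wbt-server 3389 50001 TCP
192.0.2.99 203.0.113.1 ms-wbt-server 50412 3389 TCP
192.0.2.99 203.0.113.2 ms-wbt-server 50413 3389 TCP
192.0.2.99 203.0.113.3 ms-wbt-server 50414 3389 TCP
192.0.2.99 203.0.113.4 ms-wbt-server 50415 3389 TCP
192.0.2.99 203.0.113.5 ms-wbt-server 50416 3389 TCP
192.0.2.30 203.0.113.77 ms-wbt-server 50900 3389 TCP
"""

EPHEMERAL_MIN = 1024  # ports at or above this are treated as client-side ports
Flow = namedtuple("Flow", "src dst src_port dst_port proto")


def parse_flows(text):
    """Parse whitespace-separated rows; header and malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 6 or not (p[3].isdigit() and p[4].isdigit()):
            continue
        flows.append(Flow(p[0], p[1], int(p[3]), int(p[4]), p[5]))
    return flows


def classify(flows, internal_prefix, service_port=3389, fan_threshold=5):
    """Group egress flows on service_port by which side is the server and keep
    groups with at least fan_threshold distinct peers. Returns
    {"inbound_scan_sources": {scanner: [our servers that answered it]},
     "outbound_scanners": {our host: [external hosts it dialled]}}."""
    internal = ip_network(internal_prefix)
    answered_by = defaultdict(set)  # external peer -> internal servers replying from 3389
    reached_by = defaultdict(set)   # internal host -> external hosts it dialled on 3389
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in internal or dst in internal:
            continue  # only egress flows, which is what the netflow sample showed
        if f.src_port == service_port and f.dst_port >= EPHEMERAL_MIN:
            answered_by[f.dst].add(f.src)  # our server is the responder
        elif f.dst_port == service_port and f.src_port >= EPHEMERAL_MIN:
            reached_by[f.src].add(f.dst)   # our host is the client
    return {
        "inbound_scan_sources": {p: sorted(h, key=ip_address)
                                 for p, h in answered_by.items() if len(h) >= fan_threshold},
        "outbound_scanners": {h: sorted(p, key=ip_address)
                              for h, p in reached_by.items() if len(p) >= fan_threshold},
    }


def main():
    report = classify(parse_flows(SAMPLE_FLOWS), "192.0.2.0/24")
    for peer, servers in report["inbound_scan_sources"].items():
        print(f"{len(servers)} servers replied from 3389 to {peer}: inbound scan/brute force by {peer}")
    for host, targets in report["outbound_scanners"].items():
        print(f"{host} dialled 3389 on {len(targets)} external hosts: outbound scanning from {host}")


if __name__ == "__main__":
    main()
```

Only the second finding (one host dialling many) is what an egress rule of the kind Chris describes would catch; the first shows up only as replies and is the pattern the original post observed.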