<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1"><font face="Arial">Looks like standard RDP brute
force traffic to me. See it all the time on servers with open
rdp ports.<br>
Most likely 58.162.67.45 is attempting to login to all of those
servers at once.<br>
<br>
If a worm was able to get in, you would probably see a lot of
inverse traffic as the worm would begin to brute force other IP
addresses it finds.</font></font>
<div class="moz-signature"><font style="font-family: Arial;
font-size: 10pt;"><br>
</font></div>
<br>
On 13/01/2012 10:37 PM, James Braunegg wrote:
<blockquote
cite="mid:CA7E867D448D8B489EFF2E97E266038A1DACA672@RA-EX01.raprinting.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hey All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Just posting to see if anyone has seen any
strange outbound traffic on port 3389 from Microsoft Windows
Server over the last few hours.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We witnessed an alarming amount of
completely independent Microsoft Windows Servers, each on
separate vlan and subnets (ie all /30 and /29 allocations)
with separate gateways on and completely separate customers,
but all services were within the same 1.x.x.x/16 allocation
all simultaneously send around 2mbit or so data to a specific
target IP address.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The only common link was / is terminal
services port 3389 is open to the public. Obviously someone
(Mr 133t dude) scanned an allocation within our network, and
like a worm was able to simultaneously control every Microsoft
Windows Server to send outbound traffic.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Microsoft Windows Servers within the
1.x.x.x/16 allocation which were behind a firewall or VPN and
did not have public 3389 access did not send the unknown
traffic<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Would be very interested if anyone else has
seen this behavior before ! Or is this the start of a lovely
new Zero Day Vulnerability with Windows RDP, if so I name it
“ohDeer-RDP”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A sample of the traffic is as per below,
collected from netflow<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Source Destination
Application Src Port Dst<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 51534 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 52699 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 60824 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 51669 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 49215 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 62099 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 65429 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 51965 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 50381 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 59379 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 58103 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 59514 TCP<o:p></o:p></p>
<p class="MsoNormal">x.x.x.x/16 58.162.67.45
ms-wbt-server 3389 58298 TCP<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This occurred around 10:30pm AEST Friday
the 13<sup>th</sup> of January 2012<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We had many other Microsoft Windows Servers
in other 2.x.x.x/16 IP ranges which were totally unaffected.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kindest Regards<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span
style="font-family:"Verdana","sans-serif";color:#1F497D">James
Braunegg<br>
</span></b><b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D">W:</span></b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D">
1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b>
(03) 9751 7616<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D">E:</span></b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D">
</span><span style="color:#1F497D"><a moz-do-not-send="true"
href="mailto:james.braunegg@micron21.com"><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">james.braunegg@micron21.com</span></a></span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D">
| <b>ABN:</b> 12 109 977 666 <br>
<br>
<img id="Picture_x0020_1"
src="cid:part1.07050907.09090005@studiocoast.com.au"
alt="Description: Description: Description: Description:
M21.jpg" border="0" height="39" width="250"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D"><br>
</span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D"
lang="EN-AU">This message is intended for the addressee
named above. It may contain privileged or confidential
information. If you are not the intended recipient of this
message you must not use, copy, distribute or disclose it to
anyone other than the addressee. If you have received this
message in error please return the message to the sender by
replying to it and then delete the message from your
computer.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
</body>
</html>