<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns0="http://schemas.microsoft.com/office/2004/12/omml">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--a:link
{mso-style-priority:99;}
span.MSOHYPERLINK
{mso-style-priority:99;}
a:visited
{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
{mso-style-priority:99;}
p
{mso-style-priority:99;}
pre
{mso-style-priority:99;}
p.MSOACETATE
{mso-style-priority:99;}
li.MSOACETATE
{mso-style-priority:99;}
div.MSOACETATE
{mso-style-priority:99;}
span.HTMLPREFORMATTEDCHAR
{mso-style-priority:99;}
span.BALLOONTEXTCHAR
{mso-style-priority:99;}
span.BALLOONTEXTCHAR0
{mso-style-priority:99;}
span.HTMLPREFORMATTEDCHAR0
{mso-style-priority:99;}
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;
color:black;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
pre
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:Tahoma;
color:black;}
span.HTMLPreformattedChar
{font-family:Consolas;
color:black;}
span.BalloonTextChar
{font-family:Tahoma;
color:black;}
span.balloontextchar0
{font-family:Tahoma;}
span.htmlpreformattedchar0
{font-family:Consolas;
color:black;}
span.EmailStyle24
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle25
{mso-style-type:personal;
font-family:Calibri;
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:Calibri;
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:Arial;
color:black;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.small1
{font-family:Arial;}
span.EmailStyle29
{mso-style-type:personal;
font-family:Calibri;
color:#1F497D;}
span.EmailStyle31
{mso-style-type:personal-reply;
font-family:Arial;
color:black;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=10 valign=top style='width:7.5pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'> </span></font><font size=3
face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td width=740 valign=top style='width:555.0pt;padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt' height=100>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=239
style='width:179.25pt'>
<tr>
<td valign=top style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'><a
href="http://www.intervolve.com.au/"><font color="#0066cc"><span
style='color:#0066CC;text-decoration:none'><img border=0 width=239
height=59 id="_x0000_i1031" src="cid:image002.gif@01CCD2CD.AE527570"></span></font></a></span></font><font
size=3 face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=75 style='width:56.25pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'> </span></font><font
size=3 face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td width=668 style='width:501.0pt;padding:0cm 0cm 0cm 0cm'>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Hi James,<br>
<br>
</span></font><font face=Arial><span style='font-family:Arial'>Actually quite
common of late. The largest RDP attack I've seen of this nature
originated from within the AussieHQ network on 20/08/11 over the Pipe IX link
and smashed quite a number of networks over IX (the largest affected seemed
to be Netreg, as per the attached graph), where a host within AussieHQ was
able to target multiple destinations over Pipe Networks IX links at over 300Mbps.
As you can see, the RDP traffic at a destination produces a high outbound
usage, with very little inbound.<br>
<br>
Obviously, with most IX peers being limited at 100Mbps, it doesn't take
much for such an attack to flood another IX peer's link during such a
scenario. In 99% of these types of attacks the originating IP is always
the same, and thus checking flows (i.e. netflow on routers), determining
whether you have multiple destinations being targeted and then null
routing the IP is one way to handle this type of problem. <br>
<br>
The best advice to clients is to ensure that all management protocols are
blocked to external sources (i.e. SSH / RDP / MSSQL / FTP), preferably
using a VPN (i.e. IPSEC or SSL VPN) for management communication, ensuring
that hardware firewalls and policies are reviewed on a regular basis
(nothing worse than a client having hardware firewall protection only for
one of their contractors to add allow-all inbound and outbound firewall policies),
and ensuring that all services are regularly checked for compromise (i.e. a technician
from a client sets their FTP directory to C:\ and then allows Anonymous
access via FTP, with Everyone permission allowed for C:\)!<br>
<br>
My 2c worth! :)</span></font><font face=Arial><span style='font-family:Arial'>
Hope you’re having a great weekend! <font color=black><span
style='color:black'><o:p></o:p></span></font></span></font></p>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Kind Regards,<o:p></o:p></span></font></p>
<p><b><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black;font-weight:bold'>Chris</span></font></b><font
color=black face=Arial><span style='font-family:Arial;color:black'> Macko<br>
</span></font><strong><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:black'>Managing Director</span></font></b></strong><font
color=black face=Arial><span style='font-family:Arial;color:black'><br>
</span></font><span class=small1><b><font color="#0066cc" face=Arial><span
style='color:#0066CC;font-weight:bold'>Interhost Pacific</span></font></b><font
color="#0066cc"><span style='color:#0066CC'> Pty Ltd t/a Intervolve</span></font></span><span
class=small1><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;color:#999999'> </span></font></span><font
color=black face=Arial><span style='font-family:Arial;color:black'><o:p></o:p></span></font></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
width="100%" style='width:100.0%'>
<tr height=11 style='height:8.25pt'>
<td width="20%" height=11 style='width:20.0%;padding:0cm 0cm 0cm 0cm;
height:8.25pt'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=11 style='padding:0cm 0cm 0cm 0cm;height:8.25pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>1300 664 574 /
+61 8 8260 4237</span></font><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 3 9646 2060</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4237</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Office Fax</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4312</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:sales@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>sales@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:support@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>support@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:accounts@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>accounts@intervolve.com.au </span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Website</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'><a
href="http://www.intervolve.com.au/"><font size=1><span
style='font-size:8.5pt'>www.<b><span style='font-weight:bold'>intervolve</span></b>.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td colspan=2 height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'>This email
contains information that is confidential to the intended recipient. It
may also contain information, which is subject to legal privilege. If
you are not the intended recipient, you must not use, pass on or copy
this message. We also ask that you notify the sender by email or
telephone and destroy the original message. Thank you.</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><br clear=all>
</span></font><font face=Arial><span style='font-family:Arial'><o:p></o:p></span></font></p>
</div>
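<p class=MsoNormal>The detection Chris describes above (check flow records for one source IP hitting many destinations on the same port, then decide whether to null-route it) and his earlier suggestion in the quoted message below (block connections to diverse destination IPs using the same port) are the same fan-out check. The following Python is an added example written for this page; it is not code from the thread or from any of the companies named in it. The flow-record layout, the thresholds (5 destinations within 60 seconds) and the sample flows are all constructed assumptions, and the addresses are RFC 5737 documentation ranges, not real hosts.</p>

```python
"""Fan-out detection over NetFlow-style records for a single service port.

Flags a source IP that contacts many distinct destination IPs on the same
destination port (3389/RDP by default) within a short window, and reports
the inbound/outbound byte asymmetry at a targeted host.  Every flow below is
constructed sample data (RFC 5737 documentation addresses), not a capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed flow export. Field order is an assumption for this example:
# ts,src,sport,dst,dport,proto,bytes
# 203.0.113.10 probes six hosts on 3389; 192.0.2.5 is an ordinary admin.
SAMPLE_FLOWS = """\
# ts,src,sport,dst,dport,proto,bytes
1313800000,203.0.113.10,51001,198.51.100.1,3389,tcp,300
1313800000,198.51.100.1,3389,203.0.113.10,51001,tcp,4200
1313800001,203.0.113.10,51002,198.51.100.2,3389,tcp,300
1313800001,198.51.100.2,3389,203.0.113.10,51002,tcp,4200
1313800002,203.0.113.10,51003,198.51.100.3,3389,tcp,300
1313800002,198.51.100.3,3389,203.0.113.10,51003,tcp,4200
1313800003,203.0.113.10,51004,198.51.100.4,3389,tcp,300
1313800003,198.51.100.4,3389,203.0.113.10,51004,tcp,4200
1313800004,203.0.113.10,51005,198.51.100.5,3389,tcp,300
1313800004,198.51.100.5,3389,203.0.113.10,51005,tcp,4200
1313800005,203.0.113.10,51006,198.51.100.6,3389,tcp,300
1313800005,198.51.100.6,3389,203.0.113.10,51006,tcp,4200
1313800010,192.0.2.5,40001,198.51.100.1,3389,tcp,52000
1313800010,198.51.100.1,3389,192.0.2.5,40001,tcp,910000
1313800020,192.0.2.5,40002,198.51.100.2,3389,tcp,48000
1313800030,203.0.113.10,51100,198.51.100.20,22,tcp,900
"""


def parse_flows(text):
    """Parse the comma-separated export above into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport),
                          proto, int(nbytes)))
    return flows


def destinations_by_source(flows, dport=3389, window=60):
    """Map each source IP to the distinct destination IPs it contacted on
    dport within `window` seconds of its first such flow in the batch."""
    first_seen = {}
    dsts = defaultdict(set)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport != dport:
            continue
        first_seen.setdefault(f.src, f.ts)
        if f.ts - first_seen[f.src] <= window:
            dsts[f.src].add(f.dst)
    return dict(dsts)


def flag_fanout(flows, dport=3389, min_destinations=5, window=60):
    """Sources that touched at least min_destinations hosts on dport.
    These are the candidates an operator would review before null-routing."""
    fanout = destinations_by_source(flows, dport, window)
    return sorted(src for src, d in fanout.items() if len(d) >= min_destinations)


def bytes_by_direction(flows, host, port=3389):
    """(inbound, outbound) bytes for host's service on port; a probed RDP
    host answers with far more than it receives, the asymmetry noted above."""
    inbound = sum(f.nbytes for f in flows if f.dst == host and f.dport == port)
    outbound = sum(f.nbytes for f in flows if f.src == host and f.sport == port)
    return inbound, outbound


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dsts in destinations_by_source(flows).items():
        print(f"{src}: {len(dsts)} distinct destinations on 3389")
    print("fan-out candidates:", flag_fanout(flows))
    print("198.51.100.3 in/out bytes on 3389:", bytes_by_direction(flows, "198.51.100.3"))
```

<p class=MsoNormal>The threshold is deliberately a parameter: an admin who legitimately reaches two or three servers stays under it, while a host sweeping a /24 does not. The output is a review list, not an automatic null-route, because the same check on a shared NAT address or a jump host produces false positives.</p>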
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:windowtext'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:windowtext'> James Braunegg [mailto:james.braunegg@micron21.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, 14 January 2012
12:49 AM<br>
<b><span style='font-weight:bold'>To:</span></b> Chris Macko; Martin -
StudioCoast; ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389</span></font><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:windowtext'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>Dear Chris and Martin<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>I tend to agree with
you, as a remote desktop connection attempt does send a bit of outbound
traffic. That being said, I've looked in some of the logs on a few servers (don’t
have access to most) and cannot find any large amount of login attempts…
The search for the needle in the haystack continues.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>Kindest Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>James
Braunegg<br>
</span></font></b><b><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>W:</span></font></b><font
size=1 color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:
Arial;color:#1F497D'> 1300 769 972 | <b><span
style='font-weight:bold'>M:</span></b> 0488 997 207 | <b><span
style='font-weight:bold'>D:</span></b> (03) 9751 7616<o:p></o:p></span></font></p>
<p class=MsoNormal><b><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>E:</span></font></b><font
size=1 color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:
Arial;color:#1F497D'> </span></font><font color="#1f497d"
face=Arial><span style='font-family:Arial;color:#1F497D'><a
href="mailto:james.braunegg@micron21.com"><font size=1><span style='font-size:
8.0pt'>james.braunegg@micron21.com</span></font></a></span></font><font size=1
color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:Arial;
color:#1F497D'> | <b><span style='font-weight:bold'>ABN:</span></b>
12 109 977 666 <br>
<br>
<img border=0 width=250 height=39 id="Picture_x005f_x0020_1"
src="cid:image003.jpg@01CCD2CD.AE527570"
alt="Description: Description: Description: M21.jpg"><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D'><br>
</span></font><font size=1 color="#1f497d" face=Arial><span lang=EN-AU
style='font-size:8.0pt;font-family:Arial;color:#1F497D'>This message is
intended for the addressee named above. It may contain privileged or
confidential information. If you are not the intended recipient of this message
you must not use, copy, distribute or disclose it to anyone other than the
addressee. If you have received this message in error please return the message
to the sender by replying to it and then delete the message from your computer.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:windowtext'> Chris Macko [mailto:cmacko@intervolve.com.au] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, January 14, 2012
12:28 AM<br>
<b><span style='font-weight:bold'>To:</span></b> James Braunegg; Martin -
StudioCoast; ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=10 valign=top style='width:7.5pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'> </span></font><font size=3
face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td width=740 valign=top style='width:555.0pt;padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=239
style='width:179.25pt'>
<tr>
<td valign=top style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'><a
href="http://www.intervolve.com.au/"><font color="#0066cc"><span
style='color:#0066CC;text-decoration:none'><img border=0 width=239
height=59 id="Picture_x005f_x0020_5"
src="cid:image002.gif@01CCD2CD.AE527570"
alt="Description: cid:image002.gif@01CCD24F.395D31C0"></span></font></a></span></font><font
size=3 face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:windowtext'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=740
style='width:555.0pt'>
<tr>
<td width=75 style='width:56.25pt;padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=2 color=black face=Arial><span
style='font-size:11.0pt;font-family:Arial'> </span></font><font
size=3 face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td width=668 style='width:501.0pt;padding:0cm 0cm 0cm 0cm'>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Hi James,<br>
<br>
That’s just RDP behaviour in responding to the request; the best bet is to
set up software or devices that block connections to diverse destination
IPs using the same port (the behaviour you’re seeing is not only common
with RDP but with SSH / MSSQL and a great deal of other protocols).<o:p></o:p></span></font></p>
<p><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Kind Regards,<o:p></o:p></span></font></p>
<p><b><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black;font-weight:bold'>Chris</span></font></b><font
color=black face=Arial><span style='font-family:Arial;color:black'> Macko<br>
</span></font><strong><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:black'>Managing Director</span></font></b></strong><font
color=black face=Arial><span style='font-family:Arial;color:black'><br>
</span></font><span class=small1><b><font size=1 color="#0066cc"
face=Arial><span style='font-size:8.5pt;color:#0066CC;font-weight:bold'>Interhost
Pacific</span></font></b></span><span class=small1><font size=1
color="#0066cc" face=Arial><span style='font-size:8.5pt;color:#0066CC'>
Pty Ltd t/a Intervolve</span></font></span><span class=small1><font
size=1 color="#999999" face=Arial><span style='font-size:7.5pt;
color:#999999'> </span></font></span><font color=black face=Arial><span
style='font-family:Arial;color:black'><o:p></o:p></span></font></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
width="100%" style='width:100.0%'>
<tr height=11 style='height:8.25pt'>
<td width="20%" height=11 style='width:20.0%;padding:0cm 0cm 0cm 0cm;
height:8.25pt'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=11 style='padding:0cm 0cm 0cm 0cm;height:8.25pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>1300 664 574 /
+61 8 8260 4237</span></font><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 3 9646 2060</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Phone</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4237</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Office Fax</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999'>+61 8 8260 4312</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Sales Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:sales@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>sales@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Support Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:support@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>support@intervolve.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Accounts Email</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#0066cc" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#0066CC'><a
href="mailto:accounts@intervolve.com.au"><font size=1><span
style='font-size:8.5pt'>accounts@intervolve.com.au </span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=1 color="#999999" face=Arial><span
style='font-size:8.5pt;font-family:Arial;color:#999999;font-weight:
bold'>Website</span></font></b><font size=1 face=Arial><span
style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'><a
href="http://www.intervolve.com.au/"><font size=1><span
style='font-size:8.5pt'>www.<b><span style='font-weight:bold'>intervolve</span></b>.com.au</span></font></a></span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
<td style='padding:0cm 0cm 0cm 0cm'>
<p class=MsoNormal><font size=1 color=black face=Arial><span
style='font-size:7.5pt;font-family:Arial'> </span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
<tr height=2 style='height:1.5pt'>
<td colspan=2 height=2 style='padding:0cm 0cm 0cm 0cm;height:1.5pt'>
<p class=MsoNormal><font size=1 color="#999999" face=Arial><span
style='font-size:7.5pt;font-family:Arial;color:#999999'>This email
contains information that is confidential to the intended recipient. It
may also contain information, which is subject to legal privilege. If
you are not the intended recipient, you must not use, pass on or copy
this message. We also ask that you notify the sender by email or
telephone and destroy the original message. Thank you.</span></font><font
size=1 face=Arial><span style='font-size:8.5pt;font-family:Arial'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:windowtext'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:windowtext'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:windowtext'><o:p></o:p></span></font></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><br clear=all>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'><o:p></o:p></span></font></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:windowtext'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p class=MsoNormal><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:windowtext'> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <b><span style='font-weight:bold'>On
Behalf Of </span></b>James Braunegg<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, 13 January 2012
11:45 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Martin - StudioCoast;
ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389</span></font><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:windowtext'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>Dear Martin<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>This could be a
possibility, but the ratio of inbound traffic to outbound traffic was almost
1:20 (1 inbound to the server, 20 outbound to the server).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>Normally a brute force
attack would be a large amount of inbound traffic, not outbound traffic from
the server.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'>Kindest Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>James
Braunegg<br>
</span></font></b><b><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>W:</span></font></b><font
size=1 color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:
Arial;color:#1F497D'> 1300 769 972 | <b><span
style='font-weight:bold'>M:</span></b> 0488 997 207 | <b><span
style='font-weight:bold'>D:</span></b> (03) 9751 7616<o:p></o:p></span></font></p>
<p class=MsoNormal><b><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D;font-weight:bold'>E:</span></font></b><font
size=1 color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:
Arial;color:#1F497D'> </span></font><font color="#1f497d"
face=Arial><span style='font-family:Arial;color:#1F497D'><a
href="mailto:james.braunegg@micron21.com"><font size=1><span style='font-size:
8.0pt'>james.braunegg@micron21.com</span></font></a></span></font><font size=1
color="#1f497d" face=Arial><span style='font-size:8.0pt;font-family:Arial;
color:#1F497D'> | <b><span style='font-weight:bold'>ABN:</span></b>
12 109 977 666 <br>
<br>
<img border=0 width=250 height=39 id="Picture_x005f_x0020_2"
src="cid:image003.jpg@01CCD2CD.AE527570"
alt="Description: Description: Description: Description: M21.jpg"><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 color="#1f497d" face=Arial><span
style='font-size:8.0pt;font-family:Arial;color:#1F497D'><br>
</span></font><font size=1 color="#1f497d" face=Arial><span lang=EN-AU
style='font-size:8.0pt;font-family:Arial;color:#1F497D'>This message is
intended for the addressee named above. It may contain privileged or
confidential information. If you are not the intended recipient of this message
you must not use, copy, distribute or disclose it to anyone other than the
addressee. If you have received this message in error please return the message
to the sender by replying to it and then delete the message from your computer.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color="#1f497d" face=Arial><span
style='font-size:11.0pt;font-family:Arial;color:#1F497D'><o:p> </o:p></span></font></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><font size=2 color=black face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:windowtext;font-weight:bold'>From:</span></font></b><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:windowtext'> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <b><span style='font-weight:bold'>On
Behalf Of </span></b>Martin - StudioCoast<br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, January 14, 2012
12:05 AM<br>
<b><span style='font-weight:bold'>To:</span></b> ausnog@lists.ausnog.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [AusNOG] Possible New
Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial'>Looks like standard RDP brute force traffic to me.
See it all the time on servers with open RDP ports.<br>
Most likely 58.162.67.45 is attempting to log in to all of those servers at
once.<br>
<br>
If a worm was able to get in, you would probably see a lot of inverse traffic
as the worm would begin to brute force other IP addresses it finds.</span></font><font
face=Arial><span style='font-family:Arial'> <o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'><br>
On 13/01/2012 10:37 PM, James Braunegg wrote: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>Hey All,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>Just posting to see if anyone has seen any strange
outbound traffic on port 3389 from Microsoft Windows Server over the last few
hours.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>We witnessed an alarming number of completely
independent Microsoft Windows Servers, each on separate VLANs and subnets
(i.e. all /30 and /29 allocations) with separate gateways and completely
separate customers, but all services were within the same 1.x.x.x/16 allocation,
all simultaneously sending around 2 Mbit or so of data to a specific target IP
address.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>The only common link was / is that terminal services
port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an
allocation within our network, and like a worm was able to simultaneously
control every Microsoft Windows Server to send outbound traffic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>Microsoft Windows Servers within the 1.x.x.x/16
allocation which were behind a firewall or VPN and did not have public 3389
access did not send the unknown traffic.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>Would be very interested if anyone else has seen this
behavior before! Or is this the start of a lovely new Zero Day Vulnerability
with Windows RDP? If so I name it “ohDeer-RDP”.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>A sample of the traffic is as per below, collected
from NetFlow.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<table border=1 cellspacing=0 cellpadding=3>
<tr>
<td><b>Source</b></td>
<td><b>Destination</b></td>
<td><b>Application</b></td>
<td><b>Src Port</b></td>
<td><b>Dst Port</b></td>
<td></td>
</tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>51534</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>52699</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>60824</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>51669</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>49215</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>62099</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>65429</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>51965</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>50381</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>59379</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>58103</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>59514</td><td>TCP</td></tr>
<tr><td>x.x.x.x/16</td><td>58.162.67.45</td><td>ms-wbt-server</td><td>3389</td><td>58298</td><td>TCP</td></tr>
</table>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>This occurred around 10:30pm AEST Friday the 13<sup>th</sup>
of January 2012<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>We had many other Microsoft Windows Servers in other
2.x.x.x/16 IP ranges which were totally unaffected.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'>Kindest Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
11.0pt;font-family:Arial'> <o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<pre><font size=2 color=black face=Arial><span style='font-size:10.0pt;
font-family:Arial'>_______________________________________________<o:p></o:p></span></font></pre><pre><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial'>AusNOG mailing list<o:p></o:p></span></font></pre><pre><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial'><a
href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><o:p></o:p></span></font></pre><pre><font
size=2 color=black face=Arial><span style='font-size:10.0pt;font-family:Arial'><a
href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></span></font></pre></div>
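<p class=MsoNormal>The two readings above, Martin's (one external host trying to log in to every server with 3389 open) and James's (traffic lopsided at roughly 1:20 inbound to outbound), can both be checked mechanically from flow records. The following Python is an added example, not code from the thread or from any of the posters: it groups NetFlow-style records by external peer, counts how many distinct internal servers' port 3389 that peer exchanged traffic with, and reports the outbound/inbound byte ratio per peer. The record layout, the fan-out threshold, and every address and byte count are constructed for the example.</p>

```python
"""Spot one external host that touches the RDP service (TCP 3389) on many
separate internal servers, and compute the per-peer outbound/inbound byte
ratio, from NetFlow-style records.

Added example, not code from the AusNOG thread.  The record layout, the
fan-out threshold and every address and byte count below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# How many distinct internal servers one external peer must touch before it
# is reported.  An assumed threshold; tune it to the size of the address block.
FANOUT_THRESHOLD = 5

# Constructed sample flows, one per line: src dst sport dport proto bytes.
# 10.1.0.0/16 stands in for the affected /16, 203.0.113.9 for the single
# external peer, 198.51.100.7 for a normal admin session to one server.
SAMPLE_FLOWS = """
10.1.0.2     203.0.113.9   3389  51534 TCP 250000
10.1.4.6     203.0.113.9   3389  52699 TCP 250000
10.1.8.10    203.0.113.9   3389  60824 TCP 250000
10.1.12.14   203.0.113.9   3389  51669 TCP 250000
10.1.16.18   203.0.113.9   3389  49215 TCP 250000
10.1.20.22   203.0.113.9   3389  62099 TCP 250000
203.0.113.9  10.1.0.2      51534 3389  TCP 25000
203.0.113.9  10.1.4.6      52699 3389  TCP 25000
203.0.113.9  10.1.8.10     60824 3389  TCP 25000
10.1.9.9     198.51.100.7  3389  50000 TCP 900000
198.51.100.7 10.1.9.9      50000 3389  TCP 300000
10.1.2.2     198.51.100.50 443   40000 TCP 80000
10.1.0.2     10.1.0.3      3389  41000 TCP 5000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        src, dst, sport, dport, proto, nbytes = fields
        flows.append(Flow(src, dst, int(sport), int(dport), proto, int(nbytes)))
    return flows


def rdp_peer_stats(flows, internal_net):
    """Per external peer: the internal servers whose RDP service it exchanged
    traffic with, and bytes in each direction.

    A flow leaving the block with source port 3389 is the server half of a
    session the remote host opened; a flow entering with destination port
    3389 is the client half.  Internal-to-internal and non-RDP flows are
    ignored.
    """
    net = ip_network(internal_net)
    stats = defaultdict(lambda: {"servers": set(), "out": 0, "in": 0})
    for f in flows:
        src_in = ip_address(f.src) in net
        dst_in = ip_address(f.dst) in net
        if src_in and not dst_in and f.sport == RDP_PORT:
            stats[f.dst]["servers"].add(f.src)
            stats[f.dst]["out"] += f.nbytes
        elif dst_in and not src_in and f.dport == RDP_PORT:
            stats[f.src]["servers"].add(f.dst)
            stats[f.src]["in"] += f.nbytes
    return dict(stats)


def suspicious_peers(stats, threshold=FANOUT_THRESHOLD):
    """External peers whose RDP activity fans out across >= threshold servers."""
    return sorted(p for p, s in stats.items() if len(s["servers"]) >= threshold)


def out_in_ratio(stats, peer):
    """Bytes sent by internal servers to the peer per byte received from it."""
    s = stats[peer]
    return s["out"] / s["in"] if s["in"] else float("inf")


if __name__ == "__main__":
    stats = rdp_peer_stats(parse_flows(SAMPLE_FLOWS), "10.1.0.0/16")
    for peer in suspicious_peers(stats):
        print(f"{peer}: {len(stats[peer]['servers'])} servers on 3389, "
              f"out:in = {out_in_ratio(stats, peer):.1f}:1")
```

<p class=MsoNormal>A flow leaving the block with source port 3389 is the server half of a session the remote host opened, so one external address appearing as the destination of such flows from many separate servers is what a single remote host hitting many RDP servers looks like in flow data. The per-peer ratio separates that from one administrator's long session, which shows a single server and more balanced byte counts; on the constructed sample the fanned-out peer shows six servers and 20:1, the admin session one server and 3:1.</p>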
</body>
</html>