[AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Martin - StudioCoast martin.sinclair at studiocoast.com.au
Sat Jan 14 00:04:53 EST 2012


Looks like standard RDP brute force traffic to me. See it all the time 
on servers with open RDP ports.
Most likely 58.162.67.45 is attempting to log in to all of those servers 
at once.

If a worm was able to get in, you would probably see a lot of inverse 
traffic as the worm would begin to brute force other IP addresses it finds.


On 13/01/2012 10:37 PM, James Braunegg wrote:
>
> Hey All,
>
> Just posting to see if anyone has seen any strange outbound traffic on 
> port 3389 from Microsoft Windows Server over the last few hours.
>
> We witnessed an alarming number of completely independent Microsoft 
> Windows Servers, each on separate VLANs and subnets (ie all /30 and 
> /29 allocations) with separate gateways, and completely separate 
> customers, but all services were within the same 1.x.x.x/16 allocation, 
> all simultaneously sending around 2mbit or so of data to a specific target 
> IP address.
>
> The only common link was / is terminal services port 3389 is open to 
> the public. Obviously someone (Mr 133t dude) scanned an allocation 
> within our network, and like a worm was able to simultaneously control 
> every Microsoft Windows Server to send outbound traffic.
>
> Microsoft Windows Servers within the 1.x.x.x/16 allocation which were 
> behind a firewall or VPN and did not have public 3389 access did not 
> send the unknown traffic
>
> Would be very interested if anyone else has seen this behaviour before! 
> Or is this the start of a lovely new Zero Day Vulnerability with 
> Windows RDP, if so I name it "ohDeer-RDP"
>
> A sample of the traffic is as per below, collected from netflow
>
> Source        Destination     Application     Src Port   Dst Port   Proto
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51534      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       52699      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       60824      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51669      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       49215      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       62099      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       65429      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       51965      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       50381      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       59379      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       58103      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       59514      TCP
> x.x.x.x/16    58.162.67.45    ms-wbt-server   3389       58298      TCP
>
> This occurred around 10:30pm AEST Friday the 13th of January 2012
>
> We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP 
> ranges which were totally unaffected.
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
>
> This message is intended for the addressee named above. It may contain 
> privileged or confidential information. If you are not the intended 
> recipient of this message you must not use, copy, distribute or 
> disclose it to anyone other than the addressee. If you have received 
> this message in error please return the message to the sender by 
> replying to it and then delete the message from your computer.
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
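Martin's reply draws a distinction that is easy to check from flow records: inbound brute force shows up as one remote IP talking RDP to many independent local servers (the servers appear as *source* on port 3389 because netflow also records their reply half of each session), whereas a worm that had actually got in would produce the inverse shape, a local host opening port 3389 on many remote IPs. The script below is an added example, not code from the thread; it reads 5-tuple records laid out like James's netflow excerpt and flags both shapes. The local prefix 1.2.0.0/16 (standing in for the 1.x.x.x/16 allocation), the threshold of three peers and the sample records are all constructed for the example.

```python
"""Telling RDP brute force apart from worm-style spread in flow records.

Added example, not code from the AusNOG thread. Reads 5-tuple flow
records (source, destination, src port, dst port, protocol) and reports:

  fan_in : one remote IP touching TCP/3389 on many independent local
           servers (inbound brute force / scanning).
  fan_out: one local host opening TCP/3389 to many remote IPs (the
           "inverse traffic" a worm would generate once inside).

The local prefix 1.2.0.0/16, the threshold and the sample records are
constructed for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

RDP_PORT = 3389


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated 'src dst sport dport proto' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, sport, dport, proto = line.split()
        flows.append(Flow(src, dst, int(sport), int(dport), proto.upper()))
    return flows


def classify_rdp(flows, local_prefix: str, min_peers: int = 3) -> dict:
    """Return {'fan_in': {remote: [locals]}, 'fan_out': {local: [remotes]}},
    keeping only entries with at least `min_peers` distinct peers."""
    local = ip_network(local_prefix)

    def is_local(ip: str) -> bool:
        return ip_address(ip) in local

    inbound = defaultdict(set)    # remote IP  -> local servers it reached on 3389
    outbound = defaultdict(set)   # local host -> remote IPs it connected to on 3389

    for f in flows:
        if f.proto != "TCP":
            continue
        src_local, dst_local = is_local(f.src), is_local(f.dst)
        if src_local == dst_local:
            continue                      # purely internal or purely external: skip
        if f.dport == RDP_PORT and not src_local:
            inbound[f.src].add(f.dst)     # client half of an inbound session
        elif f.sport == RDP_PORT and src_local:
            inbound[f.dst].add(f.src)     # server reply half (what the thread's netflow showed)
        elif f.dport == RDP_PORT and src_local:
            outbound[f.src].add(f.dst)    # local host initiating RDP outward
        elif f.sport == RDP_PORT and not src_local:
            outbound[f.dst].add(f.src)    # remote server replying to a local-initiated session

    def trim(table):
        return {k: sorted(v, key=ip_address) for k, v in table.items() if len(v) >= min_peers}

    return {"fan_in": trim(inbound), "fan_out": trim(outbound)}


# Constructed sample records in the thread's column order (assumed local prefix 1.2.0.0/16).
SAMPLE_FLOWS = """\
# src        dst            sport  dport  proto
1.2.3.2      58.162.67.45   3389   51534  TCP    # reply half, as in the thread's excerpt
1.2.3.6      58.162.67.45   3389   52699  TCP
1.2.4.2      58.162.67.45   3389   60824  TCP
1.2.4.10     58.162.67.45   3389   51669  TCP
1.2.5.2      58.162.67.45   3389   49215  TCP
58.162.67.45 1.2.5.2        49215  3389   TCP    # client half of the same session: no double count
192.0.2.50   1.2.3.2        41000  3389   TCP    # a single admin login, below threshold
1.2.9.9      203.0.113.7    50001  3389   TCP    # 1.2.9.9 probing outward: the worm shape
1.2.9.9      203.0.113.8    50002  3389   TCP
1.2.9.9      203.0.113.9    50003  3389   TCP
198.51.100.4 1.2.9.9        3389   50004  TCP    # remote server answering a probe from 1.2.9.9
1.2.3.2      93.184.216.34  51000  443    TCP    # ordinary HTTPS, ignored
"""

if __name__ == "__main__":
    result = classify_rdp(parse_flows(SAMPLE_FLOWS), "1.2.0.0/16")
    for remote, victims in result["fan_in"].items():
        print(f"inbound RDP fan-in from {remote}: {len(victims)} local servers {victims}")
    for host, targets in result["fan_out"].items():
        print(f"outbound RDP fan-out from {host}: {len(targets)} remote IPs {targets}")
```

On the sample data only 58.162.67.45 is reported as fan-in (five local servers, with the duplicate client-half record collapsed into the same session) and only 1.2.9.9 as fan-out; the lone login from 192.0.2.50 stays under the threshold. With real netflow the threshold and time window need tuning per site, and a jump server that legitimately administers many hosts will show up as fan-in unless it is allowlisted.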