[AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Chris Macko cmacko at intervolve.com.au
Sat Jan 14 15:33:32 EST 2012










Hi James,

Actually quite common of late. The largest RDP attack I've seen of this nature originated from within the AussieHQ network on 20/08/11 over the Pipe IX link and smashed quite a number of networks over IX (the largest affected seemed to be Netreg, as per the attached graph), where a host within AussieHQ was able to target multiple destinations over Pipe Networks IX links at over 300Mbps. As you can see, the RDP traffic at a destination produces a high outbound usage, with very little inbound.

Obviously with most IX peers being limited at 100Mbps it doesn't take much for such an attack to flood another IX peers link during such a scenario. In 99% of these types of attacks, the originating IP is always the same, and thus checking flows (ie netflow on routers) and determining whether you have multiple destinations being targeted and then null routing the IP is one way to handle this type of problem.

The best advice to clients is to ensure that all management protocols are blocked to external sources (ie SSH / RDP / MSSQL / FTP), preferably using a VPN (ie IPSEC or SSL VPN) for management communication, ensuring that hardware firewalls and policies are reviewed on a regular basis (nothing worse than a client having hardware firewall protection only for one of their contractors to add allow-all inbound and outbound firewall policies), and ensuring that all services are regularly checked for compromise (ie a technician from a client sets their FTP directory to C:\ and then allows Anonymous access via FTP, with Everyone permission allowed for C:\)!

My 2c worth! :) Hope you're having a great weekend!

Kind Regards,

Chris Macko
Managing Director
Interhost Pacific Pty Ltd t/a Intervolve
Support Phone: 1300 664 574 / +61 8 8260 4237
Sales Phone: +61 3 9646 2060
Accounts Phone: +61 8 8260 4237
Office Fax: +61 8 8260 4312
Sales Email: sales at intervolve.com.au
Support Email: support at intervolve.com.au
Accounts Email: accounts at intervolve.com.au
Website: www.intervolve.com.au

This email contains information that is confidential to the intended recipient. It may also contain information, which is subject to legal privilege. If you are not the intended recipient, you must not use, pass on or copy this message. We also ask that you notify the sender by email or telephone and destroy the original message. Thank you.





________________________________
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Saturday, 14 January 2012 12:49 AM
To: Chris Macko; Martin - StudioCoast; ausnog at lists.ausnog.net
Subject: RE: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Dear Chris and Martin

I tend to agree with you, as a remote desktop connection attempt does send a bit of outbound traffic. That being said, I've looked in some of the logs on a few servers (don't have access to most) and cannot find any large amount of login attempts... The search for the needle in the haystack continues.

Kindest Regards

James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com<mailto:james.braunegg at micron21.com>  |  ABN:  12 109 977 666


This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

From: Chris Macko [mailto:cmacko at intervolve.com.au]
Sent: Saturday, January 14, 2012 12:28 AM
To: James Braunegg; Martin - StudioCoast; ausnog at lists.ausnog.net
Subject: RE: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389










Hi James,

That's just RDP behaviour in responding to the request. Best bet is to set up software or devices that block connections to diverse destination IPs using the same port (the behaviour you're seeing is common not only with RDP but with SSH / MSSQL and a great deal of other protocols).

Kind Regards,

Chris Macko





________________________________
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of James Braunegg
Sent: Friday, 13 January 2012 11:45 PM
To: Martin - StudioCoast; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Dear Martin

This could be a possibility, but the ratio of inbound traffic to outbound traffic was almost 1:20 (1 inbound to the server, 20 outbound to the server).

Normally a brute force attack would be a large amount of inbound traffic, not outbound traffic from the server.

Kindest Regards

James Braunegg

From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Martin - StudioCoast
Sent: Saturday, January 14, 2012 12:05 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Looks like standard RDP brute force traffic to me. See it all the time on servers with open RDP ports.
Most likely 58.162.67.45 is attempting to log in to all of those servers at once.

If a worm was able to get in, you would probably see a lot of inverse traffic as the worm would begin to brute force other IP addresses it finds.


On 13/01/2012 10:37 PM, James Braunegg wrote:
Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming number of completely independent Microsoft Windows Servers, each on separate VLANs and subnets (ie all /30 and /29 allocations), with separate gateways and completely separate customers, but all within the same 1.x.x.x/16 allocation, all simultaneously sending around 2Mbit or so of data to a specific target IP address.

The only common link was / is that terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic.

Would be very interested if anyone else has seen this behavior before! Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP? If so, I name it "ohDeer-RDP".

A sample of the traffic is as per below, collected from netflow:

Source        Destination    Application    Src Port  Dst Port  Protocol
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51534     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      52699     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      60824     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51669     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      49215     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      62099     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      65429     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      51965     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      50381     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      59379     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      58103     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      59514     TCP
x.x.x.x/16    58.162.67.45   ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
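An added example, not part of this thread, of the two NetFlow checks the thread describes: flagging one outside source opening port 3389 sessions to many distinct hosts (the "one origin, many destinations" check Chris suggests before null-routing, and the brute-force pattern Martin reads from the sample), and measuring a server's outbound:inbound byte ratio on 3389 (the ~20:1 figure James reports). The flow records are constructed, using RFC 5737 documentation and RFC 1918 addresses, and the Flow record shape is an assumption; none of this is the posters' data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (assumed field shape; constructed data only)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    octets: int


# Constructed sample: one outside host opens RDP sessions to six unrelated
# internal servers, plus one legitimate admin session to a single server.
SCANNER = "198.51.100.7"
SAMPLE_FLOWS: List[Flow] = []
for i, sport in enumerate([51534, 52699, 60824, 51669, 49215, 62099]):
    server = f"10.0.{i}.2"
    SAMPLE_FLOWS.append(Flow(SCANNER, server, sport, 3389, "TCP", 2_000))   # logon attempt in
    SAMPLE_FLOWS.append(Flow(server, SCANNER, 3389, sport, "TCP", 40_000))  # RDP response out
SAMPLE_FLOWS.append(Flow("203.0.113.9", "10.0.0.2", 50000, 3389, "TCP", 5_000))
SAMPLE_FLOWS.append(Flow("10.0.0.2", "203.0.113.9", 3389, 50000, "TCP", 80_000))


def fanout_by_source(flows: Iterable[Flow], dport: int, min_targets: int) -> Dict[str, Set[str]]:
    """Sources that hit `dport` on at least `min_targets` distinct hosts: the
    'one origin, many destinations' pattern to confirm before null-routing."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == dport:
            targets[f.src].add(f.dst)
    return {s: t for s, t in targets.items() if len(t) >= min_targets}


def outbound_ratio(flows: Iterable[Flow], server: str, port: int) -> float:
    """Octets the server sends from `port` divided by octets it receives on it.
    A value far above 1 matches the outbound-heavy pattern reported in the thread."""
    inbound = sum(f.octets for f in flows if f.dst == server and f.dport == port)
    outbound = sum(f.octets for f in flows if f.src == server and f.sport == port)
    return outbound / inbound if inbound else float("inf")


if __name__ == "__main__":
    for src, hosts in fanout_by_source(SAMPLE_FLOWS, 3389, 3).items():
        print(f"{src} reached {len(hosts)} RDP hosts: review flows before any null route")
    print("10.0.1.2 out:in on 3389 =", outbound_ratio(SAMPLE_FLOWS, "10.0.1.2", 3389))
```

The admin session is excluded from the fan-out result because it touches only one host, while every scanned server shows the 20:1 outbound ratio even though the scanner sent only a small logon attempt.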



_______________________________________________

AusNOG mailing list

AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>

http://lists.ausnog.net/mailman/listinfo/ausnog