RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)



You may already know this but port 3389 is Remote Desktop for Windows. The first thing I would do is block that port going outbound/inbound at your firewall if you have not done so already. Then I would investigate what malware/virus/backdoor likes to use that port, which is your question right now and I'm sorry I cannot help you on that one, and kill it if you can.

Then I would hit each workstation and make sure Remote Help or whatever it is called is turned off. Sorry, I'm not a Windows person so I cannot remember the name of the built in software that allows remote connections for tech support but I do know it is on by default. I know that would be destination port 3389 but it really should not be on anyway.


Bill James
Senior Network Security Analyst

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Michael Sturtz
Sent: Thursday, October 27, 2011 12:25 PM
To: Martin T; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)

Someone appears to be trying to connect over RDP (Microsoft Remote Desktop Protocol). Do you have that port open inbound from the internet to your Windows 2003 server? If so it would appear that they are trying to logon to the console of the machine.
Michael

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Martin T
Sent: Wednesday, October 26, 2011 5:23 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: load of connections to ephemeral ports from TCP source port 3389(probably virus)

If I check the traffic passing my router (using NetFlow), 98% of the flows are the following:

srcIP    dstIP          prot  srcPort  dstPort  octets  packets
I.I.P.P  192.168.2.196  6     3389     3799     55      1
I.I.P.P  192.168.2.196  6     3389     4465     40      1
I.I.P.P  192.168.2.196  6     3389     1940     74      1
I.I.P.P  192.168.2.196  6     3389     2611     51      1
I.I.P.P  192.168.2.196  6     3389     2356     141     1
I.I.P.P  192.168.2.196  6     3389     2111     92      1
I.I.P.P  192.168.2.196  6     3389     1151     339     1
I.I.P.P  192.168.2.196  6     3389     2609     55      1
I.I.P.P  192.168.2.196  6     3389     1386     1500    1
I.I.P.P  192.168.2.196  6     3389     3133     1480    1
I.I.P.P  192.168.2.196  6     3389     2684     3000    2

"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows Server 2003 in the LAN. As you can see, almost every connection is to an ephemeral port on 192.168.2.196 using the source port 3389. In addition, download traffic is 5x higher than upload traffic (download from the Internet is ~50Mbps while upload to the Internet is ~10Mbps).

Has anyone seen such a pattern before? Is anyone able to name a possible virus family?

regards,
martin
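A defender's triage of the flow pattern Martin describes, as an added example that is not part of the original post or the list's own tooling: it parses records in the column layout shown above and flags (source IP, destination IP) pairs where one-packet TCP flows from source port 3389 fan out across ephemeral ports on a single internal host. The sample rows are constructed, with 203.0.113.7 standing in for "I.I.P.P", and the 1025-5000 ephemeral range is an assumption about the Windows Server 2003 host.

```python
from collections import defaultdict, namedtuple
# Windows Server 2003 assigns client ports from 1025-5000 by default (assumed
# for the host in the thread; newer systems start at 49152).
EPHEMERAL = range(1025, 5001)
RDP_PORT = 3389
Flow = namedtuple("Flow", "src_ip dst_ip proto src_port dst_port octets packets")

def parse_flows(text):
    """Parse the whitespace-separated columns from the post; line 1 is the header."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        s, d, pr, sp, dp, o, pk = line.split()
        flows.append(Flow(s, d, int(pr), int(sp), int(dp), int(o), int(pk)))
    return flows

def rdp_fanout(flows, min_flows=5):
    """Bucket TCP flows with source port 3389 and an ephemeral destination port by
    (src_ip, dst_ip); for pairs with at least min_flows flows report distinct
    target ports, total bytes and the share of single-packet flows."""
    buckets = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.src_port == RDP_PORT and f.dst_port in EPHEMERAL:
            buckets[(f.src_ip, f.dst_ip)].append(f)
    report = {}
    for key, fl in buckets.items():
        if len(fl) >= min_flows:
            report[key] = {
                "flows": len(fl),
                "distinct_dst_ports": len({f.dst_port for f in fl}),
                "octets": sum(f.octets for f in fl),
                "single_packet_ratio": sum(f.packets == 1 for f in fl) / len(fl),
            }
    return report

# Constructed sample: rows from the post with 203.0.113.7 standing in for
# "I.I.P.P", plus one ordinary outbound DNS lookup that must not be flagged.
SAMPLE = """srcIP dstIP prot srcPort dstPort octets packets
203.0.113.7 192.168.2.196 6 3389 3799 55 1
203.0.113.7 192.168.2.196 6 3389 4465 40 1
203.0.113.7 192.168.2.196 6 3389 1940 74 1
203.0.113.7 192.168.2.196 6 3389 2611 51 1
203.0.113.7 192.168.2.196 6 3389 2356 141 1
203.0.113.7 192.168.2.196 6 3389 2111 92 1
203.0.113.7 192.168.2.196 6 3389 1151 339 1
203.0.113.7 192.168.2.196 6 3389 2684 3000 2
192.168.2.196 203.0.113.9 17 51234 53 70 1
"""
if __name__ == "__main__":
    for (src, dst), stats in rdp_fanout(parse_flows(SAMPLE)).items():
        print(f"{src} -> {dst}: {stats}")
```

A high distinct-port count with a single-packet ratio near 1 is what the post's table shows; real NetFlow exports are unidirectional, so also check whether the router sees the matching flows from 192.168.2.196 towards port 3389 before deciding which side initiated.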

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------