Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)




Matthew Reed
713.502.5181

----- Original Message -----
From: Dana Forte [mailto:dana@xxxxxxxxxxxx]
Sent: Thursday, October 27, 2011 06:09 PM
Cc: security-basics@xxxxxxxxxxxxxxxxx <security-basics@xxxxxxxxxxxxxxxxx>
Subject: Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)

Looks like your 2003 server is infected with the Morto worm and it's
attempting to spread itself to others via RDP.

On 10/26/2011 5:23 PM, Martin T wrote:
If I check the traffic passing my router(using NetFlow), 98% of the
flows are following:

srcIP dstIP prot srcPort dstPort octets packets
I.I.P.P 192.168.2.196 6 3389 3799 55 1
I.I.P.P 192.168.2.196 6 3389 4465 40 1
I.I.P.P 192.168.2.196 6 3389 1940 74 1
I.I.P.P 192.168.2.196 6 3389 2611 51 1
I.I.P.P 192.168.2.196 6 3389 2356 141 1
I.I.P.P 192.168.2.196 6 3389 2111 92 1
I.I.P.P 192.168.2.196 6 3389 1151 339 1
I.I.P.P 192.168.2.196 6 3389 2609 55 1
I.I.P.P 192.168.2.196 6 3389 1386 1500 1
I.I.P.P 192.168.2.196 6 3389 3133 1480 1
I.I.P.P 192.168.2.196 6 3389 2684 3000 2

"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
Server 2003 in LAN. As you can see, almost every connection is to
ephemeral port on 192.168.2.196 using the source port 3389. In
addition, download traffic is 5x higher than upload traffic(download
from Internet is ~50Mbps while upload to Internet is ~10Mbps).

Has someone seen such pattern before? Maybe able to name a possible
virus family?

regards,
martin

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


--
Dana Forte
Layer 8 Solutions LLC
Information Technology Services


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


________________________________

NOTICE: This message, as well as any attached document, contains information from Consolidated Graphics, Inc. that is confidential and/or privileged, or may contain attorney work product. The information is intended only for the use of the addressee(s) named above. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, forwarding, printing, copying, disclosure, or the taking of any action in reliance on the contents of this message or its attachments is strictly prohibited, and may be unlawful. If you have received this message in error, please destroy all copies (in any form) of this message and its attachments, if any, without disclosing the contents, and notify the sender immediately. Unintended transmission does not constitute waiver of the attorney-client privilege or any other privilege. Unless expressly stated in this email, nothing in this message should be construed as a digital or electronic signature. Thank you for your cooperation.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------