Solved

security - suspicious outbound traffic on port 3389

Posted on 2012-03-20
Last Modified: 2012-03-22
Hello experts - the problem is:  the upload side of my internet connection is saturated with unwanted traffic.  Using a packet analyzer I see a lot of outbound traffic from port 3389.  This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.

The network has 20 PCs, all of them are configured for Microsoft RDP remote desktop access on port 3389.  I have a block of public IP addresses, and each one is mapped to a workstation.  The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.

Attached is a Wireshark packet trace Capture-of-suspicious-activity-o.txt between a machine (192.168.17.40) and an unknown IP address (174.136.39.82).  I think I captured the beginning of the conversation.  This traffic occurred while the user was logged on to the console using their machine.  I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic.  I had to change the .PCAP file extension to .TXT to upload it.

Please help me with the next step:  are there any known exploits running on port 3389?
Question by:John_Auskelis
5 Comments
 
LVL 12

Accepted Solution

by:
ryan80 earned 1500 total points
ID: 37743227
MS just released a patch for a hole in RDP that allows remote execution. I would recommend making sure that all of your computers are up to date.

http://www.pcworld.com/businesscenter/article/252092/patch_now_microsoft_rdp_exploit_code_is_in_the_wild.html

Author Comment

by:John_Auskelis
ID: 37744222
Thanks ryan80, you are correct.  Last week Microsoft released two updates to patch vulnerabilities detailed in Security Bulletin MS12-020 (http://technet.microsoft.com/en-us/security/bulletin/ms12-020).  For Windows 7, updates KB2621440 and KB2667402 are required, plus a reboot.

I have spot checked several of my machines, and was relieved to find that the automatic updates were applied, and the machines rebooted, last week.

Again:  I have a handful of machines that all have a lot of outbound IP traffic from port 3389 to a single suspicious IP address, simultaneously.  In the past day I have seen similar behavior with three suspicious IP addresses.

Any ideas on how to troubleshoot?
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 1500 total points
ID: 37744297
You can look at the machines using Remote Desktop Services Manager, and see what account is connected via RDP. Then ask that user.

If it is not RDP you can use netstat -ao to find out what the PID of the process is that is using that port, and see if it is something suspicious.

Here is the whois of that IP address. Looks like some Colo, in St. Louis.

http://www.networksolutions.com/whois/results.jsp?ip=174.136.39.82

If you are really nervous about it, block the IP address.
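The netstat -ao triage step above, scripted as an added example (not code from the thread): it lists every TCP socket on port 3389, resolves the owning PID to its process name and to the Windows services hosted in it (on a stock Win 7 box the RDP listener is TermService inside svchost.exe), and counts how many distinct remote addresses are connected. Assumes an English-locale netstat and a PowerShell 2.0-compatible host.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Win 7 host.
$port = 3389

# netstat -ano: -a all sockets, -n numeric addresses, -o owning PID.
# Columns: Proto  Local Address  Foreign Address  State  PID
$sockets = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Local = $f[1]; Foreign = $f[2]; State = $f[3]; OwnerPid = [int]$f[4]
    }
} | Where-Object { $_.Local -match ":$port$" }   # matches both 0.0.0.0:3389 and [::]:3389

# One line per owning process: process name plus any services hosted in it.
# A PID of 0 (TIME_WAIT leftovers) has no process and is reported as '?'.
$sockets | Group-Object OwnerPid | ForEach-Object {
    $id   = [int]$_.Name
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId=$id" | ForEach-Object { $_.Name }
    $name = if ($proc) { $proc.ProcessName } else { '?' }
    'PID {0,-6} {1,-12} services: {2}' -f $id, $name, ($svcs -join ', ')
}

# Remote peers with a non-listening socket on 3389, busiest first. Many distinct
# peers with short-lived connections, and no real RDP session, fits logon attempts
# rather than an established remote desktop.
$sockets | Where-Object { $_.State -ne 'LISTENING' } |
    ForEach-Object { $_.Foreign -replace ':\d+$', '' } |   # strip the peer's port
    Group-Object | Sort-Object Count -Descending |
    ForEach-Object { '{0,5} connection(s) from {1}' -f $_.Count, $_.Name }
```

If the only owner reported is svchost.exe with TermService, the traffic is the RDP service itself answering remote clients, not a foreign process bound to the port.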

Author Comment

by:John_Auskelis
ID: 37747137
I am seeing the suspicious activity from multiple IP addresses, including Eastern Europe.  So blocking one IP address will not help here.

Thanks for the netstat -ao, this confirmed that the suspicious activity on port 3389 was hosted by five Microsoft services.  I wrote up the case and posted it to Microsoft last night.  Stay tuned, let's see what they say.

Author Closing Comment

by:John_Auskelis
ID: 37751898
I think the traffic is malicious attempts to log on to our computers using RDP.  Since the 'bad guys' do not have any valid credentials, the systems are protected by Windows logon security.  Bottom line:  this is 'normal' traffic when port 3389 is open for RDP.

There has been so much malicious traffic lately that it consumed the entire 1.5 Mbps of my internet upload bandwidth.

Next step:  turn on Network Level Authentication.  For remote users with home XP or Macs, set up a TS Gateway server.  Reference: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

Thanks!
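An added example (not from the thread) for the closing conclusion: part 1 checks the "failed RDP logons" theory by counting Security event 4625 per remote source IP over the last day, and part 2 reports whether Network Level Authentication is enforced on the RDP-Tcp listener and, with -EnableNla, turns it on. Assumes an elevated PowerShell on the Win 7 host and that failure auditing for logon events is enabled.

```powershell
# Added example, not from the thread. Usage: .\rdp-audit.ps1 [-Hours 24] [-EnableNla]
param([switch]$EnableNla, [int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue    # no events at all is not an error here

$bySource = @{}
foreach ($ev in $failed) {
    # 4625 stores its fields as <Data Name="...">text</Data>; pull them into a hashtable
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $data['IpAddress']
    if (-not $ip -or $ip -eq '-') { continue }     # console/local failures carry no source IP
    $key = '{0} (logon type {1})' -f $ip, $data['LogonType']
    if ($bySource.ContainsKey($key)) { $bySource[$key]++ } else { $bySource[$key] = 1 }
}
"Failed logons with a remote source since $since :"
$bySource.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 20 |
    ForEach-Object { '{0,6}  {1}' -f $_.Value, $_.Key }

# Part 2: NLA state. UserAuthentication = 1 means a client must authenticate (CredSSP)
# before the server builds a session and logon screen for it, so guessing attempts
# fail cheaply at the protocol layer instead of consuming a session and upload bandwidth.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
"NLA required for RDP-Tcp: $([bool]$nla)"
if ($EnableNla -and -not $nla) {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
    'NLA enabled; clients that cannot do NLA (the home XP and Mac users mentioned above) will be refused.'
}
```

A handful of internal source addresses with a few failures each is normal; hundreds of failures from a few external addresses against many accounts is the pattern the closing comment describes.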