security - suspicious outbound traffic on port 3389

Posted on 2012-03-20
Last Modified: 2012-03-22
Hello experts - the problem is:  the upload side of my internet connection is saturated with unwanted traffic.  Using a packet analyzer I see a lot of outbound traffic from port 3389.  This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.

The network has 20 PCs, all of them are configured for Microsoft RDP remote desktop access on port 3389.  I have a block of public IP addresses, and each one is mapped to a workstation.  The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.

Attached is a Wireshark packet trace Capture-of-suspicious-activity-o.txt between a machine (192.168.17.40) and an unknown IP address (174.136.39.82).  I think I captured the beginning of the conversation.  This traffic occurred while the user was logged on to the console using their machine.  I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic.  I had to change the .PCAP file extension to .TXT to upload it.

Please help me with the next step:  are there any known exploits running on port 3389?
Question by: John_Auskelis

5 Comments

Accepted Solution

by: ryan80
ID: 37743227
MS just released a patch for a hole in RDP that allows remote code execution. I would recommend making sure that all of your computers are up to date.

http://www.pcworld.com/businesscenter/article/252092/patch_now_microsoft_rdp_exploit_code_is_in_the_wild.html
Author Comment

by: John_Auskelis
ID: 37744222
Thanks ryan80, you are correct.  Last week Microsoft released two updates to patch vulnerabilities detailed in Security Bulletin MS12-020 (http://technet.microsoft.com/en-us/security/bulletin/ms12-020).  For Windows 7, updates KB2621440 and KB2667402 are required, plus a reboot.

I have spot checked several of my machines, and was relieved to find that the automatic updates were applied, and the machines rebooted, last week.

Again:  I have a handful of machines that all have a lot of outbound IP traffic from port 3389 to a single suspicious IP address, simultaneously.  In the past day I have seen similar behavior with three suspicious IP addresses.

Any ideas on how to troubleshoot?
Assisted Solution

by: ryan80
ID: 37744297
You can look at the machines using Remote Desktop Services Manager and see what account is connected via RDP. Then ask that user.

If it is not RDP you can use netstat -ao to find out what the PID of the process is that is using that port, and see if it is something suspicious.

Here is the whois of that IP address. Looks like some colo in St. Louis.

http://www.networksolutions.com/whois/results.jsp?ip=174.136.39.82

If you are really nervous about it, block the IP address.
Author Comment

by: John_Auskelis
ID: 37747137
I am seeing the suspicious activity from multiple IP addresses, including Eastern Europe.  So blocking one IP address will not help here.

Thanks for the netstat -ao, this confirmed that the suspicious activity on port 3389 was hosted by five Microsoft services.  I wrote up the case and posted it to Microsoft last night.  Stay tuned, let's see what they say.
Author Closing Comment

by: John_Auskelis
ID: 37751898
I think the traffic is malicious attempts to log on to our computers using RDP.  Since the 'bad guys' do not have any valid credentials, the systems are protected by Windows logon security.  Bottom line:  this is 'normal' traffic when port 3389 is open for RDP.

There has been so much malicious traffic lately that it consumed the entire 1.5 Mbps of my internet upload bandwidth.

Next step:  turn on Network Level Authentication.  For remote users with home XP or Macs, set up a TS Gateway server.  Reference: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

Thanks!
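The two checks the thread settles on, mapping the 3389 sockets to an owning PID with netstat -ao and then recognising the pattern of repeated logon attempts from a handful of remote IPs, can be done offline against saved netstat output. The following script is an added example and is not code from the thread or from either poster. It parses the text format that `netstat -ao` prints on Windows; the sample below is constructed for the example (174.136.39.82 is the address named in the question, the other addresses, ports and PIDs are made up), and the threshold of three concurrent sockets per remote address is an assumed heuristic, not a Microsoft recommendation.

```python
"""Group `netstat -ao` output by remote address for one local port.

Added example, not part of the original thread. Run it against a saved
copy of `netstat -ao` (python netstat_3389.py < netstat.txt) or, as here,
against the constructed sample to see which PID owns the RDP listener
and which remote addresses account for the socket volume.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of Windows `netstat -ao` output for this example.
# 174.136.39.82 is the address from the thread; everything else is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.168.17.40:3389     174.136.39.82:50211    ESTABLISHED     1120
  TCP    192.168.17.40:3389     174.136.39.82:50212    TIME_WAIT       0
  TCP    192.168.17.40:3389     174.136.39.82:50213    ESTABLISHED     1120
  TCP    192.168.17.40:3389     174.136.39.82:50214    TIME_WAIT       0
  TCP    192.168.17.40:3389     203.0.113.7:41022      ESTABLISHED     1120
  TCP    192.168.17.40:445      192.168.17.12:49801    ESTABLISHED     4
  TCP    192.168.17.40:49157    198.51.100.20:443      ESTABLISHED     2816
  TCP    [::]:3389              [::]:0                 LISTENING       1120
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have
# none), PID. Header and blank lines do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """'192.168.17.40:3389' -> ('192.168.17.40', 3389); handles '[::]:3389' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ao text into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m.group("local"))
        rhost, rport = split_endpoint(m.group("remote"))
        rows.append({
            "proto": m.group("proto"),
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def summarize_port(rows, port=3389):
    """Return (listening_pids, per_remote) for TCP sockets bound to local `port`.

    listening_pids: PIDs holding a LISTENING socket on the port (the service
                    answering the connections; map with `tasklist /svc`).
    per_remote:     {remote_ip: {"connections": n, "states": {state: n}}}
    """
    listening = set()
    per_remote = defaultdict(lambda: {"connections": 0, "states": defaultdict(int)})
    for r in rows:
        if r["proto"] != "TCP" or r["local_port"] != port:
            continue
        if r["state"] == "LISTENING":
            listening.add(r["pid"])
            continue
        entry = per_remote[r["remote_host"]]
        entry["connections"] += 1
        entry["states"][r["state"]] += 1
    return listening, dict(per_remote)


def noisy_remotes(per_remote, threshold=3):
    """Remote IPs with at least `threshold` sockets to the port, busiest first.

    A single interactive RDP session is one ESTABLISHED socket. Several
    sockets from one address, with TIME_WAIT churn beside them, is the
    footprint of repeated connect-and-fail logon attempts. The threshold
    is an assumed heuristic for this example.
    """
    return sorted(
        (ip for ip, e in per_remote.items() if e["connections"] >= threshold),
        key=lambda ip: -per_remote[ip]["connections"],
    )


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    listening, per_remote = summarize_port(parse_netstat(text), 3389)
    print("PID(s) listening on 3389:", sorted(listening))
    for ip in sorted(per_remote, key=lambda i: -per_remote[i]["connections"]):
        e = per_remote[ip]
        print(f"{ip:18} {e['connections']:3} sockets  {dict(e['states'])}")
    print("Remote IPs to investigate or block:", noisy_remotes(per_remote))
```

On a real host, `tasklist /svc /fi "PID eq 1120"` (with the PID the script reports) names the services inside that svchost; for a normal RDP listener that is TermService, which matches the "Microsoft services" finding in the thread. A remote address that shows up in the noisy list on several workstations at once is the scanner or brute-forcer the closing comment describes, and enabling Network Level Authentication makes each of those attempts fail before a session is set up.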