Solved: security - suspicious outbound traffic on port 3389

Posted on 2012-03-20
1,520 Views
Last Modified: 2012-03-22
Hello experts - the problem is: the upload side of my internet connection is saturated with unwanted traffic. Using a packet analyzer I see a lot of outbound traffic from port 3389. This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.

The network has 20 PCs, all of them configured for Microsoft RDP remote desktop access on port 3389. I have a block of public IP addresses, and each one is mapped to a workstation. The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.

Attached is a Wireshark packet trace, Capture-of-suspicious-activity-o.txt, between a machine (192.168.17.40) and an unknown IP address (174.136.39.82). I think I captured the beginning of the conversation. This traffic occurred while the user was logged on to the console using their machine. I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic. I had to change the .PCAP file extension to .TXT to upload it.

Please help me with the next step: are there any known exploits running on port 3389?
Question by: John_Auskelis
5 Comments

Accepted Solution

by: ryan80 (earned 500 total points), ID: 37743227
MS just released a patch for a hole in RDP that allows remote execution. I would recommend making sure that all of your computers are up to date.

http://www.pcworld.com/businesscenter/article/252092/patch_now_microsoft_rdp_exploit_code_is_in_the_wild.html

Author Comment

by: John_Auskelis, ID: 37744222
Thanks ryan80, you are correct.  Last week Microsoft released two updates to patch vulnerabilities detailed in Security Bulletin MS12-020 (http://technet.microsoft.com/en-us/security/bulletin/ms12-020).  For Windows 7, updates KB2621440 and KB2667402 are required, plus a reboot.

I have spot checked several of my machines, and was relieved to find that the automatic updates were applied, and the machines rebooted, last week.

Again:  I have a handful of machines that all have a lot of outbound IP traffic from port 3389 to a single suspicious IP address, simultaneously.  In the past day I have seen similar behavior with three suspicious IP addresses.

Any ideas on how to troubleshoot?

Assisted Solution

by: ryan80 (earned 500 total points), ID: 37744297
You can look at the machines using Remote Desktop Services Manager, and see what account is connected via RDP. Then ask that user.

If it is not RDP you can use netstat -ao to find out what the PID of the process is that is using that port, and see if it is something suspicious.

Here is the whois of that IP address. Looks like some Colo, in St. Louis.

http://www.networksolutions.com/whois/results.jsp?ip=174.136.39.82

If you are really nervous about it, block the IP address.
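A script version of the netstat check suggested above, as an added example that is not part of the thread. Traffic "from port 3389" on a workstation is the server side of a connection somebody opened to it, so it appears in netstat as a socket whose local port is 3389. The script parses `netstat -ano` (the PID column is only complete from an elevated prompt), maps each owning PID to its process and, for svchost.exe, to the services it hosts, tallies the remote addresses so the one or two peers hammering the port stand out, and lists logon sessions with qwinsta. It is written for PowerShell 2.0 on Windows 7, so it avoids Get-NetTCPConnection, which only exists on Windows 8 and later. The `$rdpPort` variable is the only assumption.

```powershell
# Added example (not from the thread): find which process owns every TCP socket
# on port 3389 and which remote addresses are talking to it. Run elevated.

$rdpPort = 3389

# netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    New-Object PSObject -Property @{
        Local   = $f[1]
        Foreign = $f[2]
        State   = $f[3]
        PID     = [int]$f[4]
    }
}

# Keep sockets whose local or remote port is 3389 (also matches [::]:3389)
$rdp = $rows | Where-Object {
    ($_.Local -match ":$rdpPort$") -or ($_.Foreign -match ":$rdpPort$")
}

# svchost.exe hosts several services per PID; build the PID -> services map once
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

$report = $rdp | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    $procName = '<exited>'
    if ($proc) { $procName = $proc.ProcessName }
    $svcs = ''
    if ($svcByPid[$_.PID]) { $svcs = $svcByPid[$_.PID] -join ',' }
    New-Object PSObject -Property @{
        Local    = $_.Local
        Foreign  = $_.Foreign
        State    = $_.State
        PID      = $_.PID
        Process  = $procName
        Services = $svcs
    }
}

$report | Sort-Object Foreign |
    Format-Table Local, Foreign, State, PID, Process, Services -AutoSize

# Which remote addresses account for the most sockets (strip the port, IPv4 or IPv6)
$report | ForEach-Object { $_.Foreign -replace ':\d+$', '' } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Console and RDP logon sessions on this host (qwinsta ships with the RDP host components)
qwinsta
```

On a Windows 7 workstation the 3389 sockets are normally owned by an svchost.exe PID that hosts TermService; many short-lived sockets from a few remote addresses in SYN_RECEIVED or ESTABLISHED without a matching session in the qwinsta output is the pattern of logon attempts rather than of a live desktop session.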

Author Comment

by: John_Auskelis, ID: 37747137
I am seeing the suspicious activity from multiple IP addresses, including Eastern Europe.  So blocking one IP address will not help here.

Thanks for the netstat -ao, this confirmed that the suspicious activity on port 3389 was hosted by five Microsoft services. I wrote up the case and posted it to Microsoft last night. Stay tuned, let's see what they say.

Author Closing Comment

by: John_Auskelis, ID: 37751898
I think the traffic is malicious attempts to log on to our computers using RDP.  Since the 'bad guys' do not have any valid credentials, the systems are protected by Windows logon security.  Bottom line:  this is 'normal' traffic when port 3389 is open for RDP.

There has been so much malicious traffic lately that it consumed the entire 1.5 Mbps of my internet upload bandwidth.

Next step: turn on Network Level Authentication. For remote users with home XP or Macs, set up a TS Gateway server. Reference: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

Thanks!
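The closing post's checks and next step, as an added example that is not part of the thread and not Microsoft's code. On one Windows 7 host the script confirms that the two MS12-020 hotfixes named above are installed, reports whether Network Level Authentication (the UserAuthentication value of the RDP-Tcp listener) is required and optionally turns it on, and groups failed logons (Security event 4625) by source address and logon type so the credential guessing behind the upload traffic is measured rather than inferred from bandwidth. It must run elevated, since the Security log is not readable otherwise; the `-EnableNla` switch, the 24-hour window and the registry path are the assumptions. NLA rejects a client before any logon screen or session is built, which is why Microsoft lists it as a mitigation for CVE-2012-0002, but it does not stop the connection attempts themselves; that takes a gateway, VPN or firewall rule in front of 3389.

```powershell
# Added example (not from the thread): MS12-020 patch state, NLA state, and a tally
# of failed RDP logons by source on a Windows 7 host. Run elevated. By default the
# script only reports; pass -EnableNla to require NLA on the RDP-Tcp listener.

param([switch]$EnableNla)

# 1. The two Windows 7 hotfixes for MS12-020 named in the thread
$wanted = 'KB2621440', 'KB2667402'
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $wanted) {
    $state = 'MISSING'
    if ($installed -contains $kb) { $state = 'installed' }
    "{0,-10} {1}" -f $kb, $state
}

# 2. NLA and security layer for the default RDP listener.
#    UserAuthentication 1 = NLA required; SecurityLayer 2 = TLS, 1 = negotiate, 0 = legacy RDP
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfg = Get-ItemProperty -Path $rdpTcp
"NLA required   : {0}" -f ($cfg.UserAuthentication -eq 1)
"SecurityLayer  : {0}" -f $cfg.SecurityLayer
if ($EnableNla -and $cfg.UserAuthentication -ne 1) {
    # Applies to new connections; the console session and existing sessions are untouched.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
    "NLA enabled: clients without CredSSP (older XP and Mac clients) now need a TS Gateway."
}

# 3. Failed logons in the last 24 hours, grouped by source address and logon type.
#    LogonType 10 = RemoteInteractive (classic RDP logon screen); once NLA is on,
#    rejected guesses are recorded as LogonType 3 with the client IP in IpAddress.
$since = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # 4625 carries its fields as <Data Name="..."> elements; flatten them into a hashtable
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    New-Object PSObject -Property @{
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']
        Account   = $data['TargetUserName']
    }
}

"Failed logons since {0}: {1}" -f $since, @($failures).Count
$failures | Group-Object Source, LogonType | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
$failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

The account tally is worth reading alongside the source tally: a long list of guessed names (administrator, admin, test, user) from a handful of addresses is password guessing, whereas repeated failures for one real account from one address is usually a stale saved credential on a legitimate remote client.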
