security - suspicious outbound traffic on port 3389

Hello experts - the problem is:  the upload side of my internet connection is saturated with unwanted traffic.  Using a packet analyzer I see a lot of outbound traffic from port 3389.  This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.

The network has 20 PCs, all of them are configured for Microsoft RDP remote desktop access on port 3389.  I have a block of public IP addresses, and each one is mapped to a workstation.  The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.

Attached is a Wireshark packet trace Capture-of-suspicious-activity-o.txt between a machine (192.168.17.40) and an unknown IP address (174.136.39.82).  I think I captured the beginning of the conversation.  This traffic occurred while the user was logged on to the console using their machine.  I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic.  I had to change the .PCAP file extension to .TXT to upload it.

Please help me with the next step:  are there any known exploits running on port 3389?
John_Auskelis Asked:
ryan80 Commented:
MS just released a patch for a hole in RDP that allows remote code execution. I would recommend making sure that all of your computers are up to date.

http://www.pcworld.com/businesscenter/article/252092/patch_now_microsoft_rdp_exploit_code_is_in_the_wild.html
0

John_Auskelis Author Commented:
Thanks ryan80, you are correct.  Last week Microsoft released two updates to patch vulnerabilities detailed in Security Bulletin MS12-020 (http://technet.microsoft.com/en-us/security/bulletin/ms12-020).  For Windows 7, updates KB2621440 and KB2667402 are required, plus a reboot.

I have spot checked several of my machines, and was relieved to find that the automatic updates were applied, and the machines rebooted, last week.

Again:  I have a handful of machines that all have a lot of outbound IP traffic from port 3389 to a single suspicious IP address, simultaneously.  In the past day I have seen similar behavior with three suspicious IP addresses.

Any ideas on how to troubleshoot?
0
ryan80 Commented:
You can look at the machines using Remote Desktop Services Manager and see what account is connected via RDP. Then ask that user.

If it is not RDP you can use netstat -ao to find out what the PID of the process is that is using that port, and see if it is something suspicious.

Here is the whois of that IP address. Looks like some Colo, in St. Louis.

http://www.networksolutions.com/whois/results.jsp?ip=174.136.39.82

If you are really nervous about it, block the IP address.
0
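The netstat / Remote Desktop Services Manager check suggested above, done in one pass as an added example (this is not code from the thread). It maps every live TCP connection on port 3389 to its owning process, tallies connections by remote address, and lists the RDP sessions that actually exist so the two can be compared. It uses netstat -ano, tasklist and qwinsta rather than Get-NetTCPConnection because that cmdlet does not exist on Windows 7 / PowerShell 2.0; the port number and the "RDP lives in svchost.exe as TermService" expectation are the only assumptions.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell prompt on a
# suspect workstation (Windows 7 / PowerShell 2.0 compatible: no Get-NetTCPConnection,
# no [pscustomobject]).

$RdpPort = 3389   # assumption: default RDP listener port, as the question states

function Get-RdpConnections {
    # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID
    netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s' } |
        ForEach-Object {
            $f = ($_.Trim()) -split '\s+'
            # Addresses are host:port (IPv6 is [host]:port); the port is whatever follows the last colon
            $localPort  = [int]($f[1] -replace '^.*:', '')
            $remoteHost = $f[2] -replace ':\d+$', ''
            $procId     = [int]$f[4]
            $proc       = Get-Process -Id $procId -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalPort  = $localPort
                RemoteHost = $remoteHost
                State      = $f[3]
                PID        = $procId
                Process    = $(if ($proc) { $proc.Name } else { '<exited>' })
            }
        } |
        Where-Object { $_.LocalPort -eq $RdpPort -and $_.State -ne 'LISTENING' }
}

$conns = Get-RdpConnections

# 1. Who is on the other end, and how many connections each? A few addresses holding many
#    connections that match no known remote user is the pattern described in this thread.
$conns | Group-Object RemoteHost | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Which process owns them? The RDP listener is TermService hosted in svchost.exe; any other
#    image bound to 3389 is what to investigate. tasklist /svc shows which services share
#    that svchost instance (the "several Microsoft services" a bare PID lookup reports).
$conns | ForEach-Object { $_.PID } | Sort-Object -Unique | ForEach-Object {
    tasklist /svc /fi "PID eq $_"
}

# 3. Are any of these real interactive sessions? qwinsta lists RDP sessions and the logged-on
#    account; connections with no matching session are failed or unauthenticated attempts.
qwinsta
```

If step 2 shows svchost.exe hosting TermService and step 3 shows no session for the remote addresses in step 1, the traffic is the RDP service answering connection attempts that never get past logon, not a process someone planted on the box.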
John_Auskelis Author Commented:
I am seeing the suspicious activity from multiple IP addresses, including Eastern Europe.  So blocking one IP address will not help here.

Thanks for the netstat -ao, this confirmed that the suspicious activity on port 3389 was hosted by five Microsoft services.  I wrote up the case and posted it to Microsoft last night.  Stay tuned, let's see what they say.
0
John_Auskelis Author Commented:
I think the traffic is malicious attempts to log on to our computers using RDP.  Since the 'bad guys' do not have any valid credentials, the systems are protected by Windows logon security.  Bottom line:  this is 'normal' traffic when port 3389 is open for RDP.

There has been so much malicious traffic lately that it consumed the entire 1.5 Mbps of my internet upload bandwidth.

Next step:  turn on Network Level Authentication.  For remote users with home XP or Macs, set up a TS Gateway server.  Reference: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

Thanks!
0
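The remediation the author lands on, as an added example (not code from the thread): require Network Level Authentication on the RDP-Tcp listener so a client must authenticate over CredSSP before a session is created, then measure the guessing by tallying failed logons (Security event 4625) by source address. The registry path and value names are the ones Microsoft documents for the RDP-Tcp listener; the 24-hour window and the 50-failure threshold for the optional firewall rule are arbitrary choices made for this example. The netsh step is optional and, as the author notes, only a stopgap when the sources keep changing; the durable fix is NLA plus a TS Gateway.

```powershell
# Added example, not part of the thread. Run elevated on each workstation
# (Windows 7 / PowerShell 2.0 compatible).

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# --- 1. Require Network Level Authentication ---------------------------------------
# UserAuthentication: 0 = NLA not required, 1 = NLA required
# SecurityLayer:      0 = legacy RDP security, 1 = negotiate, 2 = TLS (SSL)
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, SecurityLayer

Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
# Takes effect for new connections; existing sessions are not dropped.

# --- 2. Tally failed logons by source address -------------------------------------
# With NLA on, failed RDP logons are recorded as logon type 3 (network) rather than
# type 10 (RemoteInteractive), so do not filter on type 10 alone.
$since  = (Get-Date).AddHours(-24)   # assumption: look back one day
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
        }
    }

$bySource = $failed | Group-Object SourceIP | Sort-Object Count -Descending
$bySource | Select-Object Count, Name | Format-Table -AutoSize

# Which account names are being guessed? (Administrator, admin, user... is the usual list)
$failed | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# --- 3. Optional: block the worst offenders at the host firewall -------------------
# netsh is used because New-NetFirewallRule does not exist on Windows 7.
$threshold = 50   # assumption: failures per source in the window before blocking
$bySource | Where-Object { $_.Count -gt $threshold -and $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
    ForEach-Object {
        netsh advfirewall firewall add rule name="Block RDP guessing from $($_.Name)" `
            dir=in action=block protocol=TCP localport=3389 remoteip=$($_.Name)
    }
```

Once UserAuthentication is 1, the listener refuses clients that cannot do CredSSP (Windows XP without the CredSSP update, older Mac clients) before any logon screen is shown, which is why the post pairs it with a TS Gateway for those users. The bandwidth saving comes from the same place: an unauthenticated client no longer receives a full logon desktop over RDP, only a CredSSP handshake that fails.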