Solved

security - suspicious outbound traffic on port 3389

Posted on 2012-03-20
5
1,467 Views
Last Modified: 2012-03-22
Hello experts - the problem is:  the upload side of my internet connection is saturated with unwanted traffic.  Using a packet analyzer I see a lot of outbound traffic from port 3389.  This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.

The network has 20 PCs, all of them are configured for Microsoft RDP remote desktop access on port 3389.  I have a block of public IP addresses, and each one is mapped to a workstation.  The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.

Attached is a Wireshark packet trace Capture-of-suspicious-activity-o.txt between a machine (192.168.17.40) and an unknown IP address (174.136.39.82).  I think I captured the beginning of the conversation.  This traffic occurred while the user was logged on to the console using their machine.  I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic.  I had to change the .PCAP file extension to .TXT to upload it.

Please help me with the next step:  are there any known exploits running on port 3389?
0
Question by:John_Auskelis
5 Comments
 
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
MS just released a patch for a hole in RDP that allows remote execution. I would recommend making sure that all of your computers are up to date.

http://www.pcworld.com/businesscenter/article/252092/patch_now_microsoft_rdp_exploit_code_is_in_the_wild.html
0
 

Author Comment

by:John_Auskelis
Thanks ryan80, you are correct.  Last week Microsoft released two updates to patch vulnerabilities detailed in Security Bulletin MS12-020 (http://technet.microsoft.com/en-us/security/bulletin/ms12-020).  For Windows 7, updates KB2621440 and KB2667402 are required, plus a reboot.

I have spot checked several of my machines, and was relieved to find that the automatic updates were applied, and the machines rebooted, last week.

Again:  I have a handful of machines that all have a lot of outbound IP traffic from port 3389 to a single suspicious IP address, simultaneously.  In the past day I have seen similar behavior with three suspicious IP addresses.

Any ideas on how to troubleshoot?
0
 
LVL 12

Assisted Solution

by:ryan80
ryan80 earned 500 total points
You can look at the machines using Remote Desktop Services Manager, and see what account is connected via RDP. Then ask that user.

If it is not RDP you can use netstat -ao to find out what the PID of the process is that is using that port, and see if it is something suspicious.

Here is the whois of that IP address. Looks like some Colo, in St. Louis.

http://www.networksolutions.com/whois/results.jsp?ip=174.136.39.82

If you are really nervous about it, block the IP address.
0
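The netstat step above, worked through as an added example that is not part of the thread: it parses the text output of `netstat -ano` (the numeric form of the command ryan80 suggests), keeps ESTABLISHED TCP connections whose local port is 3389, and groups them by foreign address and owning PID so that a single Internet peer holding many simultaneous RDP connections stands out. The sample output, port numbers and PIDs are constructed; only the two IP addresses come from the question.

```python
import ipaddress
import re
from collections import Counter

RDP_PORT = 3389

# Constructed sample of Windows `netstat -ano` output; ports and PIDs are made up
# (192.168.17.40 and 174.136.39.82 are the addresses named in the question).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.168.17.40:3389     174.136.39.82:52113    ESTABLISHED     1120
  TCP    192.168.17.40:3389     174.136.39.82:52114    ESTABLISHED     1120
  TCP    192.168.17.40:3389     174.136.39.82:52120    ESTABLISHED     1120
  TCP    192.168.17.40:3389     192.168.17.5:49877     ESTABLISHED     1120
  TCP    192.168.17.40:49160    192.168.17.2:445       ESTABLISHED     4
  UDP    0.0.0.0:3389           *:*                                    1120
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state, PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield one dict per connection row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state, pid = m.groups()
            yield {"proto": proto, "laddr": laddr, "lport": int(lport), "faddr": faddr,
                   "fport": fport, "state": state or "", "pid": int(pid)}

def rdp_sessions(text, port=RDP_PORT):
    """Map (foreign IP, owning PID) -> number of ESTABLISHED TCP connections on `port`."""
    counts = Counter()
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["lport"] == port and row["state"] == "ESTABLISHED":
            counts[(row["faddr"], row["pid"])] += 1
    return dict(counts)

def suspicious_peers(text, threshold=2):
    """Internet (non-RFC 1918) peers holding >= `threshold` simultaneous RDP connections."""
    per_ip = Counter()
    for (ip, _pid), n in rdp_sessions(text).items():
        if not ipaddress.ip_address(ip).is_private:
            per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    # Runs on the constructed sample; feed real `netstat -ano` output in its place.
    print(rdp_sessions(SAMPLE_NETSTAT), suspicious_peers(SAMPLE_NETSTAT))
```

The PID reported for port 3389 can then be matched against `tasklist /svc` to see which service owns it, which is the check the author reports doing below.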
 

Author Comment

by:John_Auskelis
I am seeing the suspicious activity from multiple IP addresses, including Eastern Europe.  So blocking one IP address will not help here.

Thanks for the netstat -ao, this confirmed that the suspicious activity on port 3389 was hosted by five Microsoft services.  I wrote up the case and posted it to Microsoft last night.  Stay tuned, let's see what they say.
0
 

Author Closing Comment

by:John_Auskelis
I think the traffic is malicious attempts to log on to our computers using RDP.  Since the 'bad guys' do not have any valid credentials, the systems are protected by Windows logon security.  Bottom line:  this is 'normal' traffic when port 3389 is open for RDP.

There has been so much malicious traffic lately that it consumed the entire 1.5 Mbps of my internet upload bandwidth.

Next step:  turn on Network Level Authentication.  For remote users with home XP or Macs, set up a TS Gateway server.  Reference: http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

Thanks!
0
