Security Basics mailing list archives
Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)
From: "Stephanus J Alex Taidri" <staidri () gmail com>
Date: Tue, 1 Nov 2011 01:22:52 +0000
Hi Greg,

Colin is right, the source and destination IP addresses are relative to where you see the traffic flows being reported. Have you run a thorough investigation on both said IP addresses to see what process is running and opening the connection? Use netstat -anb > result.txt on the CMD DOS shell, and check result.txt for what file/service has been accessing the network from or to port TCP 3389.

Best Regards,
Stephanus J Alex Taidri
---
Sent from my BlackBerry

-----Original Message-----
From: <Campbell.ColinD () police qld gov au>
Date: Tue, 1 Nov 2011 08:10:44
To: <gregkcarson () gmail com>; <staidri () gmail com>; <security-basics () securityfocus com>
Subject: RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)

Hi,

Source and destination are relative to which packets you're looking at. My understanding is that netflow only collects data entering an interface. Therefore if you're collecting on the external interface I believe you're looking at the return packets (source = server, destination = client) of the TCP conversation. If you look at your firewall logs you'll probably find the sessions are being initiated from your machine (192.168.2.196) destined for I.I.P.P

Colin
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Greg Carson
Sent: Tuesday, 1 November 2011 5:45 AM
To: Stephanus J Alex Taidri; security-basics () securityfocus com
Subject: RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)

But why would the source port be 3389, it should be the destination.

Sent from my Windows Phone

From: Stephanus J Alex Taidri
Sent: 31/10/2011 1:50 PM
To: security-basics () securityfocus com
Subject: Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)

Check on your internet router whether this 192.168.2.196 is being NATed to the internet. It looks to me that this is RDP -- 3389/tcp (Remote Desktop Protocol) traffic from the internet to this PC (which is most likely NATed to be accessible from the internet).

PS:
1. You can check the PC as well to verify whether the RDP session is currently active.
2. Downstream traffic bigger than upstream is common and perfectly okay in normal circumstances.

Best Regards,
Stephanus J Alex Taidri
---
Sent from my BlackBerry

-----Original Message-----
From: Martin T <m4rtntns () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 27 Oct 2011 03:23:14
To: <security-basics () securityfocus com>
Subject: load of connections to ephemeral ports from TCP source port 3389(probably virus)

If I check the traffic passing my router (using NetFlow), 98% of the flows are the following:

srcIP    dstIP          prot  srcPort  dstPort  octets  packets
I.I.P.P  192.168.2.196  6     3389     3799     55      1
I.I.P.P  192.168.2.196  6     3389     4465     40      1
I.I.P.P  192.168.2.196  6     3389     1940     74      1
I.I.P.P  192.168.2.196  6     3389     2611     51      1
I.I.P.P  192.168.2.196  6     3389     2356     141     1
I.I.P.P  192.168.2.196  6     3389     2111     92      1
I.I.P.P  192.168.2.196  6     3389     1151     339     1
I.I.P.P  192.168.2.196  6     3389     2609     55      1
I.I.P.P  192.168.2.196  6     3389     1386     1500    1
I.I.P.P  192.168.2.196  6     3389     3133     1480    1
I.I.P.P  192.168.2.196  6     3389     2684     3000    2

"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows Server 2003 in the LAN. As you can see, almost every connection is to an ephemeral port on 192.168.2.196 using the source port 3389. In addition, download traffic is 5x higher than upload traffic (download from Internet is ~50Mbps while upload to Internet is ~10Mbps).

Has someone seen such a pattern before? Maybe you are able to name a possible virus family?

regards,
martin
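An added example, not code from any poster in this thread, that applies Colin's point to Martin's records: NetFlow src/dst fields reflect the interface the flow was seen on, so the side holding the well-known service port (3389/tcp here) is taken as the server and each flow is re-oriented as client -> server before aggregating. The sample rows are re-typed from Martin's table plus one constructed forward-direction row; the WELL_KNOWN_PORTS mapping is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample, column order as in Martin's post:
# srcIP dstIP prot srcPort dstPort octets packets
# First four rows are from the post; last row is a constructed forward
# record (client -> server half) to show both halves merge into one session.
SAMPLE_FLOWS = """\
I.I.P.P 192.168.2.196 6 3389 3799 55 1
I.I.P.P 192.168.2.196 6 3389 4465 40 1
I.I.P.P 192.168.2.196 6 3389 1940 74 1
I.I.P.P 192.168.2.196 6 3389 2611 51 1
192.168.2.196 I.I.P.P 6 3799 3389 120 2
"""

# Ports treated as the server side of a session (assumption for this example).
WELL_KNOWN_PORTS = {3389: "rdp", 443: "https", 22: "ssh"}

def parse_flows(text):
    """Parse whitespace-separated flow rows into dicts; skip malformed rows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        src, dst, prot, sport, dport, octets, pkts = parts
        flows.append({"src": src, "dst": dst, "prot": int(prot),
                      "sport": int(sport), "dport": int(dport),
                      "octets": int(octets), "packets": int(pkts)})
    return flows

def orient(flow):
    """Return (client, server, service, half) regardless of capture side."""
    sport, dport = flow["sport"], flow["dport"]
    if sport in WELL_KNOWN_PORTS and dport not in WELL_KNOWN_PORTS:
        # Service port is the source: server-to-client half, so dst is the real client.
        return flow["dst"], flow["src"], WELL_KNOWN_PORTS[sport], "return"
    if dport in WELL_KNOWN_PORTS:
        return flow["src"], flow["dst"], WELL_KNOWN_PORTS[dport], "forward"
    return flow["src"], flow["dst"], "unknown", "forward"

def summarize(flows):
    """Aggregate flows per (client, server, service) after orienting them."""
    totals = defaultdict(lambda: {"flows": 0, "octets": 0, "return_flows": 0})
    for f in flows:
        client, server, service, half = orient(f)
        entry = totals[(client, server, service)]
        entry["flows"] += 1
        entry["octets"] += f["octets"]
        entry["return_flows"] += (half == "return")
    return dict(totals)
```

A high return_flows share with few or no forward flows for a single client/server pair is what a capture on the external interface looks like when the LAN host is the one initiating the RDP sessions.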
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------