Security Basics mailing list archives
Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)
From: Martin T <m4rtntns () gmail com>
Date: Sat, 29 Oct 2011 14:10:14 +0300
Gustavo, thank you for this link! Have you played around with this virus? Or you know a place where one could download this virus? I mean according to NetFlow data I have, it causes about 5 times more download traffic than upload traffic. Upload packets in average are <100 bytes while download ones(return traffic from other RDP servers) are ~500 bytes in average. George, unfortunately doe to technical limitations I'm not able to SPAN the port. All I have are those NetFlow dumps. Kumaran, I agree. Most likely it is indeed return traffic. However, according to articles I have found about Morto, it seems to scan LAN addresses only: "Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port." <- http://www.f-secure.com/weblog/archives/00002227.html Any experience with this? In addition, am I correct, that Morto creates lot of download traffic and rather little upload traffic in infected machine? regards, martin 2011/10/28 Tiago Rosado <tiagojvrosado () gmail com>:
Martin: Are you using Remote Desktop? That's the port for it ;) If not see your settings someone might be snooping what you're doing Com os melhores cumprimentos, Best Regards, Tiago Rosado On Oct 27, 2011, at 1:23 AM, Martin T wrote: If I check the traffic passing my router(using NetFlow), 98% of the flows are following: srcIP dstIP prot srcPort dstPort octets packets I.I.P.P 192.168.2.196 6 3389 3799 55 1 I.I.P.P 192.168.2.196 6 3389 4465 40 1 I.I.P.P 192.168.2.196 6 3389 1940 74 1 I.I.P.P 192.168.2.196 6 3389 2611 51 1 I.I.P.P 192.168.2.196 6 3389 2356 141 1 I.I.P.P 192.168.2.196 6 3389 2111 92 1 I.I.P.P 192.168.2.196 6 3389 1151 339 1 I.I.P.P 192.168.2.196 6 3389 2609 55 1 I.I.P.P 192.168.2.196 6 3389 1386 1500 1 I.I.P.P 192.168.2.196 6 3389 3133 1480 1 I.I.P.P 192.168.2.196 6 3389 2684 3000 2 "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows Server 2003 in LAN. As you can see, almost every connection is to ephemeral port on 192.168.2.196 using the source port 3389. In addition, download traffic is 5x higher than upload traffic(download from Internet is ~50Mbps while upload to Internet is ~10Mbps). Has someone seen such pattern before? Maybe able to name a possible virus family? regards, martin ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- load of connections to ephemeral ports from TCP source port 3389(probably virus) Martin T (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) James Jr, William A (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Maggy May (Oct 27)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Jin Ming (Oct 31)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Denny Crane (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Martin T (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Dana Forte (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Matthew Reed (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Stephanus J Alex Taidri (Oct 31)
- <Possible follow-ups>
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Greg Carson (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Campbell.ColinD (Oct 31)