Security Basics mailing list archives
Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)
From: Dana Forte <dana () layer8lv com>
Date: Thu, 27 Oct 2011 16:09:59 -0700
Looks like your 2003 server is infected with the Morto worm and it's attempting to spread itself to others via RDP. On 10/26/2011 5:23 PM, Martin T wrote:
If I check the traffic passing my router(using NetFlow), 98% of the flows are following: srcIP dstIP prot srcPort dstPort octets packets I.I.P.P 192.168.2.196 6 3389 3799 55 1 I.I.P.P 192.168.2.196 6 3389 4465 40 1 I.I.P.P 192.168.2.196 6 3389 1940 74 1 I.I.P.P 192.168.2.196 6 3389 2611 51 1 I.I.P.P 192.168.2.196 6 3389 2356 141 1 I.I.P.P 192.168.2.196 6 3389 2111 92 1 I.I.P.P 192.168.2.196 6 3389 1151 339 1 I.I.P.P 192.168.2.196 6 3389 2609 55 1 I.I.P.P 192.168.2.196 6 3389 1386 1500 1 I.I.P.P 192.168.2.196 6 3389 3133 1480 1 I.I.P.P 192.168.2.196 6 3389 2684 3000 2 "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows Server 2003 in LAN. As you can see, almost every connection is to ephemeral port on 192.168.2.196 using the source port 3389. In addition, download traffic is 5x higher than upload traffic(download from Internet is ~50Mbps while upload to Internet is ~10Mbps). Has someone seen such pattern before? Maybe able to name a possible virus family? regards, martin ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
-- Dana Forte Layer 8 Solutions LLC Information Technology Services ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- load of connections to ephemeral ports from TCP source port 3389(probably virus) Martin T (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) James Jr, William A (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Maggy May (Oct 27)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Jin Ming (Oct 31)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Denny Crane (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Dana Forte (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Matthew Reed (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Stephanus J Alex Taidri (Oct 31)
- <Possible follow-ups>
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Greg Carson (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Campbell.ColinD (Oct 31)