nanog mailing list archives

Re: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389


From: Alex Brooks <askoorb+nanog () gmail com>
Date: Fri, 13 Jan 2012 13:38:44 +0000

Hello,

On Fri, Jan 13, 2012 at 12:36 PM, James Braunegg
<james.braunegg () micron21 com> wrote:

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on
port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft
Windows Servers, each on separate vlan and subnets (i.e. all /30 and /29
allocations) with separate gateways on and completely separate
customers, but all services were within the same 1.x.x.x/16 allocation
all simultaneously send around 2mbit or so data to a specific target IP
address.


Have you contacted Microsoft yet?
https://support.microsoft.com/oas/default.aspx?gprid=1163&st=1&wfxredirect=1&sd=gn

If you have a support contract (which you probably do) you'll get a
very quick response if you choose the "security" option.

Whatever you do, do let everyone know what the problem turns out to be.

Alex

