Increased Traffic on Port 3389

Published: 2011-08-25
Last Updated: 2011-08-28 19:29:16 UTC
by Kevin Shortt (Version: 3)
1 comment(s)

 
A few weeks ago a diary [1] posted by Dr. J pointed out a spike in port 3389 [2] traffic. 

Since then the sources have spiked ten fold.  This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services.  

We're interested to know if any of our readers have come across infected hosts that could be contributing to this port knocking out in the wild.  

Tell us what you're seeing and please share with us what you can.   

UPDATE:

There is some buzz going around today and many readers have sent in a about a posting on f-secure's website. [3]   Where there is a quick write-up describing "Morto" a new Internet worm.

If anyone has a copy of it, then please drop it off through our contact us form.  If you have anything to share about worm, then please write a comment about it.
 

 

  

[1] http://isc.sans.edu/diary.html?storyid=11299
[2] http://isc.sans.edu/port.html?port=3389
[3] http://www.f-secure.com/weblog/archives/00002227.html
 

-Kevin Shortt
--
ISC Handler on Duty

Keywords: 3389 port 3389 RDP Terminal Services
1 comment(s)

Revival of an Unpatched Apache HTTPD DoS

Published: 2011-08-25
Last Updated: 2011-08-25 03:17:50 UTC
by Kevin Shortt (Version: 1)
8 comment(s)

Readers have been writing in and I wanted to get this out to for info and comment.  I have not had a chance to test it out myself.  It first surfaced in 2007 by Michal Zalewski on bugtraq. [1]   It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time.

It formally resurfaced last Friday with a proof of concept.  A CVE is in draft and a patch is expected in a few days by the Apache team.  You can read a discussion about it on the Apache HTTPD dev mailing list. [2]   The link provides details on some mitigation measures to be taken.   When I get chance I will test and report back.  

In the mean time please share your experiences with your fellow readers with a comment.

 
[1] http://seclists.org/bugtraq/2007/Jan/83
[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2

-Kevin
--
ISC Handler on Duty

Keywords: apache DoS kill tool
8 comment(s)

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
9 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives