Port 3389 / terminal services scans

Published: 2011-08-03. Last Updated: 2011-08-03 16:15:13 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Thanks to Pat for pointing out a sharp increase in the number of sources scanning for port 3389 [1].

Port 3389/TCP is used by Microsoft Terminal Services (Remote Desktop) and has been a continuing target of attacks. If you have any logs you want to share, please submit them via our contact page. In particular, let us know if you observed anything different in the last couple of days.

[1] https://isc.sans.edu/port.html?port=3389
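To give the request for logs something concrete to work with, here is an added example (not code from this diary or from any commenter) that scores failed-logon records per source for the brute-force pattern the comments below describe: many failures and many distinct account names, with overlap against a scanner-style username list. The input format (timestamp, source IP, target username, logon type, one record per line) is an assumed simplification of a Windows Security event 4625; logon type 10 (RemoteInteractive) is the type RDP logons use, so other logon types are ignored. The sample records and the wordlist are constructed.

```python
"""Flag likely RDP (port 3389) brute-force sources in failed-logon records.

Added example, not code from the ISC diary or any of its commenters.
Input format is an ASSUMPTION: one constructed record per line, rendered
from a Windows Security event 4625 (failed logon) as
    timestamp,source_ip,target_username,logon_type
Logon type 10 (RemoteInteractive) is the type Terminal Services / RDP logons use.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Account names that show up in scanner wordlists (a subset of the list a
# commenter on this diary reported seeing against their RDP server).
SCANNER_WORDLIST = {
    "admin", "administrator", "root", "guest", "test", "user",
    "backup", "sql", "support", "support_388945a0", "aspnet",
}

# Constructed sample records (not real log data). 198.51.100.7 walks a
# wordlist over RDP; 203.0.113.9 is one user mistyping a password twice;
# 192.0.2.55 fails over the network (logon type 3) and is out of scope here.
SAMPLE_LOG = """\
2011-07-31 00:04:20,198.51.100.7,administrator,10
2011-07-31 00:04:22,198.51.100.7,admin,10
2011-07-31 00:04:25,198.51.100.7,guest,10
2011-07-31 00:04:27,198.51.100.7,test,10
2011-07-31 00:04:30,198.51.100.7,backup,10
2011-07-31 00:04:32,198.51.100.7,sql,10
2011-07-31 00:04:35,198.51.100.7,user1,10
2011-07-31 00:04:37,198.51.100.7,user2,10
2011-07-31 08:15:02,203.0.113.9,jsmith,10
2011-07-31 08:15:10,203.0.113.9,jsmith,10
2011-07-31 09:00:00,192.0.2.55,administrator,3
2011-07-31 09:00:01,192.0.2.55,admin,3
2011-07-31 09:00:02,192.0.2.55,root,3
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_record(line):
    """Return (timestamp, source_ip, username, logon_type) or None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    timestamp, source_ip, username, logon_type = parts
    if not logon_type.isdigit():
        return None
    return timestamp, source_ip, username.lower(), int(logon_type)


def summarize(log_text, logon_type=10):
    """Aggregate failed logons of the given logon type per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[3] != logon_type:
            continue
        _, source_ip, username, _ = rec
        stats[source_ip].failures += 1
        stats[source_ip].usernames.add(username)
    return dict(stats)


def flag_sources(stats, min_failures=5, min_distinct_users=3):
    """Return {source_ip: [reasons]} for sources that look like brute forcing.

    A source is flagged when it exceeds the failure threshold or tries many
    distinct account names (password spray). Overlap with the scanner
    wordlist is reported as supporting evidence, not as a trigger on its own.
    """
    flagged = {}
    for source_ip, s in stats.items():
        reasons = []
        if s.failures >= min_failures:
            reasons.append("%d failed RDP logons" % s.failures)
        if len(s.usernames) >= min_distinct_users:
            reasons.append("%d distinct usernames tried" % len(s.usernames))
        if reasons:
            overlap = sorted(s.usernames & SCANNER_WORDLIST)
            if overlap:
                reasons.append("scanner wordlist names: " + ", ".join(overlap))
            flagged[source_ip] = reasons
    return flagged


if __name__ == "__main__":
    for source_ip, reasons in flag_sources(summarize(SAMPLE_LOG)).items():
        print(source_ip, "->", "; ".join(reasons))
```

The thresholds are deliberately conservative so that a single user fat-fingering a password is not reported; tune `min_failures` and `min_distinct_users` to your own baseline, and run the same summary with `logon_type=3` if you also want network (SMB) logon failures.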

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 3389 rdp

Comments

Both in UK time:
2011-07-31 00:04:20 174.46.126.2
2011-07-26 08:07:39 217.41.13.152

We have a public domain-joined RDP server.... I know, it wasn't me - everyone knows it's crazy, and they have my comments in writing. I had & have nothing to do with it.

The usernames attempted in these two instances were as follows. One of the sessions was firewalled off mid-flow, so this won't be a complete list.

There are of course other random infrequent attempts, but they just "smell" different and are fairly basic and brief.

1
123
a
actuser
adm
admin
admin1
admin2
administrator
aspnet
backup
console
david
guest
john
office
owner
reception
root
server
sql
support
support_388945a0
sys
test
test1
test2
test3
user
user1
user2
user3
user4
user5
I'm seeing a few more than the usual 1 or 2 hits a week. I already send my logs, so I will see what else I can get from these scans.

I had an incident at my previous job where an inexperienced admin made firewall changes. It exposed one server running Remote Desktop to the internet. We had repeated lockouts of Administrator. Luckily it could lock out; it was a decoy account. It seemed to be people manually trying passwords; they'd try admin or administrator a few times and then go away.

I never have 3389 open for this reason; port randomization is probably the best course of action against this attack.

Maybe this was in relation to the RDP vuln that was released by Microsoft today.