Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts

MS Advisory on the Vulnerability in RDP



Microsoft has released a security advisory on the vulnerability in Remote Desktop Protocol (RDP). Their initail investigation has confirmed the DoS vulnerability. Services that utilize RDP are not enabled by default, but Remote Desktop is enabled by default on Windows XP Media Center Edition.



The advisory has provided the following workarounds:


* Block TCP port 3389 at the firewall.

* Disable Terminal Services or the Remote Desktop feature if they are not required.

* Secure Remote Desktop Connections by using an IPsec policy.

* Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.



For more details, please refer to:

http://www.microsoft.com/technet/security/advisory/904797.mspx

Port 3389



Yesterday, we mentioned about port 3389 on Windows 0 day exploit. Our reader, Joe, has detected some scans on this port. Looking at port 3389 graph, there is also a spike in the last few days. If you also have experienced the same scan, please let us know.

http://isc.sans.org/port_details.php?port=3389

FormMail Attempts



One reader has detected several attempts on /cgi-bin/FormMail. The IP addresses came from a wide range of networks. From the logs submitted, it could be part of a botnet attempts. If you have seen similiar attempts, please send us a note.



80.xx.xx.xx - - [16/Jul/2005:14:54:57 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

12.xx.xx.xx - - [16/Jul/2005:14:54:58 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

63.xx.xx.xx - - [16/Jul/2005:14:55:03 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:05 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:08 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

80.xx.xx.xx - - [16/Jul/2005:14:55:11 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

210.xx.xx.xx - - [16/Jul/2005:14:55:15 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

61.xx.xx.xx - - [16/Jul/2005:14:55:21 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

203.xx.xx.xx - - [16/Jul/2005:14:55:31 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

213.xx.xx.xx - - [16/Jul/2005:14:55:30 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

Koon Yaw

68 Posts
Jul 16th 2005
Thread locked Subscribe Jul 16th 2005
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!