
SANS ISC InfoSec Handlers Diary Blog



MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts

Published: 2005-07-16
Last Updated: 2005-07-16 21:19:04 UTC
by Koon Yaw Tan (Version: 1)

MS Advisory on the Vulnerability in RDP



Microsoft has released a security advisory on the vulnerability in Remote Desktop Protocol (RDP). Their initial investigation has confirmed the denial-of-service (DoS) vulnerability. Services that use RDP are not enabled by default, but Remote Desktop is enabled by default on Windows XP Media Center Edition.



The advisory has provided the following workarounds:


* Block TCP port 3389 at the firewall.

* Disable Terminal Services or the Remote Desktop feature if they are not required.

* Secure Remote Desktop Connections by using an IPsec policy.

* Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.



For more details, please refer to:

http://www.microsoft.com/technet/security/advisory/904797.mspx

Port 3389



Yesterday we mentioned port 3389 in connection with the Windows 0-day exploit. Our reader Joe has detected scans on this port, and the port 3389 graph also shows a spike over the last few days. If you have experienced the same scanning, please let us know.

http://isc.sans.org/port_details.php?port=3389

FormMail Attempts



One reader has detected several attempts on /cgi-bin/FormMail. The source IP addresses came from a wide range of networks; judging from the logs submitted, this could be botnet activity. If you have seen similar attempts, please send us a note.



80.xx.xx.xx - - [16/Jul/2005:14:54:57 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

12.xx.xx.xx - - [16/Jul/2005:14:54:58 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

63.xx.xx.xx - - [16/Jul/2005:14:55:03 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:05 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

200.xx.xx.xx - - [16/Jul/2005:14:55:08 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

80.xx.xx.xx - - [16/Jul/2005:14:55:11 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

210.xx.xx.xx - - [16/Jul/2005:14:55:15 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

61.xx.xx.xx - - [16/Jul/2005:14:55:21 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

203.xx.xx.xx - - [16/Jul/2005:14:55:31 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

213.xx.xx.xx - - [16/Jul/2005:14:55:30 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
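As an added example (not part of the original diary), the following Python script shows one way to pick this pattern out of an Apache combined-format access log: POSTs to /cgi-bin/FormMail are grouped into short time windows and a window is flagged when it draws requests from several distinct source addresses. The sample lines are constructed to mirror the excerpt above; since the diary masks the sources, RFC 5737 documentation addresses are used so the lines parse.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the diary's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the diary's excerpt. The diary masks the
# source addresses (80.xx.xx.xx etc.); documentation addresses are used here.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [16/Jul/2005:14:54:57 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "{UA}"',
    f'198.51.100.7 - - [16/Jul/2005:14:54:58 +0200] "POST /cgi-bin/FormMail HTTP/1.1" 200 2460 "-" "{UA}"',
    f'203.0.113.44 - - [16/Jul/2005:14:55:03 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "{UA}"',
    f'203.0.113.44 - - [16/Jul/2005:14:55:08 +0200] "POST /cgi-bin/FormMail HTTP/1.0" 200 2460 "-" "{UA}"',
    '192.0.2.99 - - [16/Jul/2005:15:30:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def formmail_bursts(lines, window=timedelta(seconds=60), min_sources=3):
    """Group POSTs to /cgi-bin/FormMail into windows of `window` length and
    report each window that drew at least `min_sources` distinct client IPs.
    Returns (window_start, distinct_ips, requests, distinct_user_agents);
    many sources sharing one User-Agent is the pattern the diary describes."""
    hits = [r for r in map(parse_line, lines)
            if r and r["method"] == "POST" and r["path"].startswith("/cgi-bin/FormMail")]
    hits.sort(key=lambda r: r["ts"])
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i]["ts"]
        group = [r for r in hits[i:] if r["ts"] - start < window]  # contiguous: hits are sorted
        ips = {r["ip"] for r in group}
        if len(ips) >= min_sources:
            alerts.append((start, len(ips), len(group), len({r["ua"] for r in group})))
        i += len(group)
    return alerts
```

Feed it the lines of a real access log (`formmail_bursts(open("access.log"))`) and tune `window` and `min_sources` to the site's normal form traffic; the `status` field is captured so a variant that only counts 200 responses is a one-line change.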
