Increased Traffic on Port 3389
A few weeks ago a diary [1] posted by Dr. J pointed out a spike in port 3389 [2] traffic.
Since then the number of sources has spiked tenfold. This is a key indicator that there is an increase in infected hosts that are looking to exploit open RDP services.
We're interested to know if any of our readers have come across infected hosts that could be contributing to this port scanning activity out in the wild.
Tell us what you're seeing and please share with us what you can.
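The "sources have spiked tenfold" observation above is exactly the kind of signal a defender can pull out of their own perimeter logs. The following is an added example, not code from the ISC diary: it parses constructed iptables-style firewall log lines (the `SRC=`/`DPT=` fields are assumed to be in the simplified syslog format shown), counts distinct source IPs hitting a given destination port per day, and flags the current day when that count is at least a chosen multiple of the average of the earlier days. The sample addresses are documentation ranges, not real scanners.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample records in a simplified iptables/syslog style (assumed format,
# not real traffic): "<date> <time> <host> kernel: IN=... SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
SAMPLE_LOG = [
    "2011-08-20 10:01:02 fw kernel: IN=eth0 SRC=198.51.100.5 DST=203.0.113.10 PROTO=TCP DPT=3389",
    "2011-08-20 10:05:10 fw kernel: IN=eth0 SRC=198.51.100.5 DST=203.0.113.10 PROTO=TCP DPT=3389",  # same source again
    "2011-08-20 11:00:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP DPT=22",  # different port
    "2011-08-21 09:30:00 fw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP DPT=3389",
    "this line is not a firewall record and must be skipped",
] + [
    # Ten distinct sources on the most recent day: the "tenfold" case from the diary
    f"2011-08-27 00:{i:02d}:00 fw kernel: IN=eth0 SRC=192.0.2.{i} DST=203.0.113.10 PROTO=TCP DPT=3389"
    for i in range(1, 11)
]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ \S+ kernel: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (day, source_ip, destination_port) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("day"), m.group("src"), int(m.group("dpt"))


def distinct_sources_per_day(lines, port):
    """Map each day to the set of distinct source IPs that hit `port`."""
    per_day = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        day, src, dpt = parsed
        if dpt == port:
            per_day[day].add(src)
    return per_day


def spike_report(lines, port, today, factor=10.0):
    """Compare today's distinct-source count for `port` against the mean of earlier days.

    Only days that saw at least one hit on the port contribute to the baseline, so a
    port that is normally silent will report an infinite ratio on its first hit.
    """
    per_day = distinct_sources_per_day(lines, port)
    baseline_days = [d for d in per_day if d < today]
    baseline = mean(len(per_day[d]) for d in baseline_days) if baseline_days else 0.0
    today_count = len(per_day.get(today, set()))
    if baseline:
        ratio = today_count / baseline
    else:
        ratio = float("inf") if today_count else 0.0
    return {
        "port": port,
        "today_sources": today_count,
        "baseline_sources": baseline,
        "ratio": ratio,
        "spike": ratio >= factor,
    }


if __name__ == "__main__":
    print(spike_report(SAMPLE_LOG, 3389, "2011-08-27"))
    print(spike_report(SAMPLE_LOG, 22, "2011-08-27"))
```

Counting distinct sources rather than raw connection attempts matters here: a single noisy host retrying all day should not look like a worm outbreak, while many new sources each making one attempt should.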
UPDATE:
There is some buzz going around today, and many readers have sent in word about a posting on F-Secure's website [3], where there is a quick write-up describing "Morto", a new Internet worm.
If anyone has a copy of it, then please drop it off through our contact us form. If you have anything to share about the worm, then please write a comment about it.
[1] http://isc.sans.edu/diary.html?storyid=11299
[2] http://isc.sans.edu/port.html?port=3389
[3] http://www.f-secure.com/weblog/archives/00002227.html
-Kevin Shortt
--
ISC Handler on Duty
Revival of an Unpatched Apache HTTPD DoS
Readers have been writing in and I wanted to get this out for info and comment. I have not had a chance to test it out myself. It first surfaced in 2007, posted by Michal Zalewski on bugtraq. [1] It appears that, due to its lack of sophistication, it did not get much attention from Apache developers, and it has remained unpatched all this time.
It formally resurfaced last Friday with a proof of concept. A CVE is in draft and a patch is expected in a few days from the Apache team. You can read a discussion about it on the Apache HTTPD dev mailing list. [2] The link provides details on some mitigation measures to be taken. When I get a chance I will test and report back.
In the meantime, please share your experiences with your fellow readers with a comment.
[1] http://seclists.org/bugtraq/2007/Jan/83
[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
-Kevin
--
ISC Handler on Duty