
SANS ISC: Increased Traffic on Port 3389 - SANS Internet Storm Center SANS ISC InfoSec Forums


Increased Traffic on Port 3389

 
A few weeks ago a diary [1] posted by Dr. J pointed out a spike in port 3389 [2] traffic. 

Since then the sources have spiked tenfold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services.

We're interested to know if any of our readers have come across infected hosts that could be contributing to this port knocking out in the wild.  

Tell us what you're seeing and please share with us what you can.   

  

[1] http://isc.sans.edu/diary.html?storyid=11299
[2] http://isc.sans.edu/port.html?port=3389
 

-Kevin Shortt
--
ISC Handler on Duty

Can anyone shed some light into how logging works for RDP on Windows 7?

On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

In Event Viewer I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational".

But the entries are only "Listener RDP-Tcp received a connection".

I would like to know: where did the connection come from, which username was supplied, etc.

Anyone?
Anonymous
