Thanks to Pat for pointing out a sharp increase in the number of sources scanning for port 3389 [1]. Port 3389/TCP is used by Microsoft Terminal Services and has been a continuing target of attacks. If you have any logs you want to share, please submit them via our contact page, in particular if you observed anything different over the last couple of days.

[1] https://isc.sans.edu/port.html?port=3389
Johannes 4074 Posts ISC Handler Aug 3rd 2011
Both in UK time:

2011-07-31 00:04:20 174.46.126.2
2011-07-26 08:07:39 217.41.13.152

We have a public domain-joined RDP server... I know, it wasn't me - everyone knows it's crazy, and they have my comments in writing. I had & have nothing to do with it.

The usernames attempted in these two instances were as follows. One of the sessions was firewalled off mid-flow, so this won't be a complete list. There are of course other random infrequent attempts, but they just "smell" different and are fairly basic and brief.

1, 123, a, actuser, adm, admin, admin1, admin2, administrator, aspnet, backup, console, david, guest, john, office, owner, reception, root, server, sql, support, support_388945a0, sys, test, test1, test2, test3, user, user1, user2, user3, user4, user5
Anonymous
Aug 3rd 2011
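Detection logic for the distinction the comment above draws (many distinct usernames from one source in a short burst versus brief admin/administrator poking that "smells" different), as an added example that is not code from the thread or from ISC. The one-line-per-failed-logon log format, its field names and the RFC 5737 source addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "one failed RDP logon per line" format.
# Source addresses are RFC 5737 documentation ranges, not real scanners.
SAMPLE_LOG = """\
2011-07-31 00:04:20 src=192.0.2.10 dport=3389 user=1 result=FAIL
2011-07-31 00:04:21 src=192.0.2.10 dport=3389 user=123 result=FAIL
2011-07-31 00:04:22 src=192.0.2.10 dport=3389 user=a result=FAIL
2011-07-31 00:04:23 src=192.0.2.10 dport=3389 user=actuser result=FAIL
2011-07-31 00:04:24 src=192.0.2.10 dport=3389 user=adm result=FAIL
2011-07-31 00:04:25 src=192.0.2.10 dport=3389 user=admin result=FAIL
2011-07-31 00:04:26 src=192.0.2.10 dport=3389 user=administrator result=FAIL
2011-07-31 03:15:00 src=198.51.100.7 dport=3389 user=admin result=FAIL
2011-07-31 03:15:09 src=198.51.100.7 dport=3389 user=administrator result=FAIL
2011-07-31 03:15:30 src=198.51.100.7 dport=3389 user=admin result=FAIL
2011-07-31 04:00:00 src=203.0.113.5 dport=22 user=root result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Yield (timestamp, src, user) for failed logons against TCP/3389 only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["dport"] == "3389" and m["result"] == "FAIL":
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["user"]

def classify_sources(log_text, min_users=5, window=timedelta(minutes=10)):
    """Map each source IP to "dictionary" (>= min_users distinct usernames
    inside one `window`) or "casual" (a few admin/administrator tries)."""
    events = defaultdict(list)
    for ts, src, user in parse(log_text):
        events[src].append((ts, user))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs chronological order
        verdicts[src] = "casual"
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                verdicts[src] = "dictionary"
                break
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Tune `min_users` and `window` to your own baseline; the point is that the username-list style described above separates cleanly from the one-or-two-guess visitors.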
I'm seeing a few more than the usual 1 or 2 hits a week. I already send my logs, so I will see what else I can get from these scans.
HackDefendr 65 Posts
Aug 4th 2011
I had an incident at my previous job where an inexperienced admin made firewall changes. It exposed one server running Remote Desktop to the internet. We had repeated lockouts of Administrator. Luckily it could lock out; it was a decoy account. It seemed to be people manually trying passwords: they'd try admin or administrator a few times and then go away.
sforslev 4 Posts
Aug 4th 2011
I never have 3389 open for this reason. Port randomization is probably the best course of action against this attack.
Yinette 12 Posts
Aug 4th 2011
Maybe this was in relation to the RDP vuln that was released by Microsoft today.
Yinette 5 Posts
Aug 10th 2011