Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Port 3389 / terminal services scans SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 3389 / terminal services scans

Thanks to Pat for pointing out a sharp increase in the number of sources scanning for port 3389 [1].

Port 3389 / TCP is used by Microsoft Terminal Services, and has been a continuing target of attacks. If you have any logs you want to share, please submit them via our contact page . In particular if you observed anything different the last couple days.

[1] https://isc.sans.edu/port.html?port=3389

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training

 Johannes

3950 Posts
ISC Handler
Aug 3rd 2011
Subscribe Aug 3rd 2011
9 years ago
Both in UK time:
2011-07-31 00:04:20 174.46.126.2
2011-07-26 08:07:39 217.41.13.152

We have a public domain-joined RDP server.... I know, it wasn't me - everyone knows it's crazy, and they have my comments in writing. I had & have nothing to do with it.

The usernames attempted in these two instances were as follows. One of the sessions was firewalled off mid-flow, so this won't be a complete list.

There are of course other random infrequent attempts, but they just "smell" different and are fairly basic and brief.

1
123
a
actuser
adm
admin
admin1
admin2
administrator
aspnet
backup
console
david
guest
john
office
owner
reception
root
server
sql
support
support_388945a0
sys
test
test1
test2
test3
user
user1
user2
user3
user4
user5
 Anonymous
Quote Aug 3rd 2011
9 years ago
I'm seeing a few more than the usual 1 or 2 hits a week. I already send my logs, so I will see what else I can get from these scans.
 HackDefendr

65 Posts
Quote Aug 4th 2011
9 years ago
I had an incident at my previous job where an inexperienced admin made firewall changes. It exposed one server running remote desktop to the internet. We had repeated lockouts of Administrator. Luckily it could lockout, it was a decoy account. It seemed to be people manually trying passwords, they'd try admin or administrator a few times and then go away.
 sforslev

4 Posts
Quote Aug 4th 2011
9 years ago
I never have 3389 open for this reason, Port Randomization is probably the best course of action against this attack.
 Yinette

12 Posts
Quote Aug 4th 2011
9 years ago
maybe this was in relation the RDP vuln that was released by microsoft today
 Yinette
5 Posts
Quote Aug 10th 2011
9 years ago

Sign Up for Free or Log In to start participating in the conversation!