Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Random Port Scan for Open RDP Backdoor - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Random Port Scan for Open RDP Backdoor

Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-Cert [1] issued an alert regarding RDP being actively used and exploited by malicious actors released by the FBI [2].

The default Windows service port for RDP is TCP 3389 and the activity against this service can easily be identified in the packets with "Cookie: mstshash=".

Username Testing

It the past 6 weeks I have observed this activity on its default port including multiples other ports from various sources, testing access using mainly two username (i.e. hello, Administr).

Testing for RDP Service

Obviously this service should not be exposed directly to Internet and if used should be secured appropriately with a strong password and should be monitored for unusual activity. More information is available here to further protect against RDP-based attacks.

[1] https://www.us-cert.gov/ncas/current-activity/2018/09/28/IC3-Issues-Alert-RDP-Exploitation
[2] https://www.ic3.gov/media/2018/180927.aspx

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

438 Posts
ISC Handler
One other thing is that the ports around TCP/3389, so 3388-339X are scanned, too.
The other thing is to enable IP logging for RDP on MS servers. This often not possible.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!