Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Port 3389 (tcp/udp) Attack Activity

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

Port 3389 (tcp/udp) Attack Activity

Log In or Sign Up for Free!

Loading...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	ms-term-services	MS Terminal Services
udp	ms-term-services	MS Terminal Services

Top IPs Scanning
Today	Yesterday
104.140.188.58 (1)	124.158.10.5 (3381)
39.109.115.176 (1)	103.90.226.199 (1560)

Port diary mentions
URL
Virus Alphabet, War!, Port 3389 Spike, WinZip Issues
MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts
Port 3389 terminal services scans
Increased Traffic on Port 3389
An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps]
Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?

User Comments
Submitted By	Date
Comment
Scott Fendley	2005-07-17 03:13:54
Potential exploit of Remote Desktop Protocol on Windows Systems. Please see http://isc.sans.org/diary.php?date=2005-07-15 and http://isc.sans.org/diary.php?date=2005-07-16 for more information.
jeff bryner	2002-11-09 21:16:59
See http://www.xato.net/reference/xato-112001-01.txt for a discussion on how terminal services source ip address can be easily spoofed; so don't trust event log entries of connection attempts. Jeff.

CVE Links
CVE #	Description
CVE-2012-0002
CVE-2015-2373	The Remote Desktop Protocol (RDP) server service in Microsoft Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a series of crafted packets, aka "Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability."
CVE-2019-0708