Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)

["Stephanus J Alex Taidri" <staidri () gmail com>]

Hi Greg,

Colin is right, the source and destinantion IP address is relative from where you see the traffic flows being reported.

Have you run thorough investigation on both said ip addresses to see what's process running and opening the connection?

Use netstat -anb > result.txt on the CMD DOS shell.

And checked the result.txt for what file/service has been accessing the network from or to port TCP 3389
Best Regards,
Stephanus J Alex Taidri

--- Sent from my BlackBerry

-----Original Message-----
From: <Campbell.ColinD () police qld gov au>
Date: Tue, 1 Nov 2011 08:10:44 
To: <gregkcarson () gmail com>; <staidri () gmail com>; <security-basics () securityfocus com>
Subject: RE: load of connections to ephemeral ports from TCP source port
 3389(probably virus)

Hi,

Source and destination are relative to which packets you're looking at.
My understanding is that netflow only collects data entering an
interface. Therefore if you're collecting on the external interface I
believe you're looking at the return packets (source = server,
destination = client) of the TCP conversation.

If you look at your firewall logs you'll probably find the sessions are
being initiated from your machine (192.168.2.196) destined for I.I.P.P

Colin

> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Greg Carson
> Sent: Tuesday, 1 November 2011 5:45 AM
> To: Stephanus J Alex Taidri; security-basics () securityfocus com
> Subject: RE: load of connections to ephemeral ports from TCP source
port
> 3389(probably virus)
>
> But why would the source port be 3389, it should be the destination.
>
> Sent from my Windows Phone
> From: Stephanus J Alex Taidri
> Sent: 31/10/2011 1:50 PM
> To: security-basics () securityfocus com
> Subject: Re: load of connections to ephemeral ports from TCP source
> port 3389(probably virus)
> Check on your internet router whether this 192.168.2.196 being NATed
> to internet. It looks to me that this is RDP -- 3389/tcp (Remote
> Desktop Protocol) traffics from internet to this PC (which most likely
> NATed to be accessible from the internet).
>
> PS:
> 1. You can check the PC as well to verify whether the RDP session is
> currently active.
>
> 2. Downstream traffics bigger than upstream is common and perfectly
> okay in normal circumstances.
> Best Regards,
> Stephanus J Alex Taidri
>
> --- Sent from my BlackBerry
>
> -----Original Message-----
> From: Martin T <m4rtntns () gmail com>
> Sender: listbounce () securityfocus com
> Date: Thu, 27 Oct 2011 03:23:14
> To: <security-basics () securityfocus com>
> Subject: load of connections to ephemeral ports from TCP source port
>  3389(probably virus)
>
> If I check the traffic passing my router(using NetFlow), 98% of the
> flows are following:
>
> srcIP            dstIP            prot  srcPort  dstPort  octets
> packets
> I.I.P.P        192.168.2.196    6     3389     3799     55          1
> I.I.P.P        192.168.2.196    6     3389     4465     40          1
> I.I.P.P        192.168.2.196    6     3389     1940     74          1
> I.I.P.P        192.168.2.196    6     3389     2611     51          1
> I.I.P.P        192.168.2.196    6     3389     2356     141         1
> I.I.P.P        192.168.2.196    6     3389     2111     92          1
> I.I.P.P        192.168.2.196    6     3389     1151     339         1
> I.I.P.P        192.168.2.196    6     3389     2609     55          1
> I.I.P.P        192.168.2.196    6     3389     1386     1500        1
> I.I.P.P        192.168.2.196    6     3389     3133     1480        1
> I.I.P.P        192.168.2.196    6     3389     2684     3000        2
>
> "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
> Server 2003 in LAN. As you can see, almost every connection is to
> ephemeral port on 192.168.2.196 using the source port 3389. In
> addition, download traffic is 5x higher than upload traffic(download
> from Internet is ~50Mbps while upload to Internet is ~10Mbps).
>
> Has someone seen such pattern before? Maybe able to name a possible
> virus family?
>
> regards,
> martin
------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an
> SSL certificate.  We look at how SSL works, how it benefits your
> company and how your customers can tell if a site is secure. You will
> find out how to test, purchase, install and use a thawte Digital
> Certificate on your Apache web server. Throughout, best practices for
> set-up are highlighted to help you ensure efficient ongoing management
> of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f7
> 27d1
------------------------------------------------------------------------
>
------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an
SSL
> certificate.  We look at how SSL works, how it benefits your company
and
> how your customers can tell if a site is secure. You will find out how
to
> test, purchase, install and use a thawte Digital Certificate on your
> Apache web server. Throughout, best practices for set-up are
highlighted
> to help you ensure efficient ongoing management of your encryption
keys
> and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f7
> 27d1
------------------------------------------------------------------------


**********************************************************************
CONFIDENTIALITY:   The information contained in this 
electronic mail message and any electronic files attached 
to it may be confidential information, and may also be the 
subject of legal professional privilege and/or public interest 
immunity.  If you are not the intended recipient you are 
required to delete it.  Any use, disclosure or copying of 
this message and any attachments is unauthorised.  If you 
have received this electronic message in error, please 
inform the sender or contact securityscanner () police qld gov au.

This footnote also confirms that this email message has 
been checked for the presence of computer viruses.
**********************************************************************