RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)

[Greg Carson <gregkcarson () gmail com>]

But why would the source port be 3389, it should be the destination.

Sent from my Windows Phone
From: Stephanus J Alex Taidri
Sent: 31/10/2011 1:50 PM
To: security-basics () securityfocus com
Subject: Re: load of connections to ephemeral ports from TCP source
port 3389(probably virus)
Check on your internet router whether this 192.168.2.196 being NATed
to internet. It looks to me that this is RDP -- 3389/tcp (Remote
Desktop Protocol) traffics from internet to this PC (which most likely
NATed to be accessible from the internet).

PS:
1. You can check the PC as well to verify whether the RDP session is
currently active.

2. Downstream traffics bigger than upstream is common and perfectly
okay in normal circumstances.
Best Regards,
Stephanus J Alex Taidri

--- Sent from my BlackBerry

-----Original Message-----
From: Martin T <m4rtntns () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 27 Oct 2011 03:23:14
To: <security-basics () securityfocus com>
Subject: load of connections to ephemeral ports from TCP source port
 3389(probably virus)

If I check the traffic passing my router(using NetFlow), 98% of the
flows are following:

srcIP            dstIP            prot  srcPort  dstPort  octets      packets
I.I.P.P        192.168.2.196    6     3389     3799     55          1
I.I.P.P        192.168.2.196    6     3389     4465     40          1
I.I.P.P        192.168.2.196    6     3389     1940     74          1
I.I.P.P        192.168.2.196    6     3389     2611     51          1
I.I.P.P        192.168.2.196    6     3389     2356     141         1
I.I.P.P        192.168.2.196    6     3389     2111     92          1
I.I.P.P        192.168.2.196    6     3389     1151     339         1
I.I.P.P        192.168.2.196    6     3389     2609     55          1
I.I.P.P        192.168.2.196    6     3389     1386     1500        1
I.I.P.P        192.168.2.196    6     3389     3133     1480        1
I.I.P.P        192.168.2.196    6     3389     2684     3000        2

"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
Server 2003 in LAN. As you can see, almost every connection is to
ephemeral port on 192.168.2.196 using the source port 3389. In
addition, download traffic is 5x higher than upload traffic(download
from Internet is ~50Mbps while upload to Internet is ~10Mbps).

Has someone seen such pattern before? Maybe able to name a possible
virus family?

regards,
martin

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------