Security Basics mailing list archives
RE: load of connections to ephemeral ports from TCP source port 3389(probably virus)
From: Greg Carson <gregkcarson () gmail com>
Date: Mon, 31 Oct 2011 12:45:14 -0700
But why would the source port be 3389, it should be the destination. Sent from my Windows Phone From: Stephanus J Alex Taidri Sent: 31/10/2011 1:50 PM To: security-basics () securityfocus com Subject: Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Check on your internet router whether this 192.168.2.196 being NATed to internet. It looks to me that this is RDP -- 3389/tcp (Remote Desktop Protocol) traffics from internet to this PC (which most likely NATed to be accessible from the internet). PS: 1. You can check the PC as well to verify whether the RDP session is currently active. 2. Downstream traffics bigger than upstream is common and perfectly okay in normal circumstances. Best Regards, Stephanus J Alex Taidri --- Sent from my BlackBerry -----Original Message----- From: Martin T <m4rtntns () gmail com> Sender: listbounce () securityfocus com Date: Thu, 27 Oct 2011 03:23:14 To: <security-basics () securityfocus com> Subject: load of connections to ephemeral ports from TCP source port 3389(probably virus) If I check the traffic passing my router(using NetFlow), 98% of the flows are following: srcIP dstIP prot srcPort dstPort octets packets I.I.P.P 192.168.2.196 6 3389 3799 55 1 I.I.P.P 192.168.2.196 6 3389 4465 40 1 I.I.P.P 192.168.2.196 6 3389 1940 74 1 I.I.P.P 192.168.2.196 6 3389 2611 51 1 I.I.P.P 192.168.2.196 6 3389 2356 141 1 I.I.P.P 192.168.2.196 6 3389 2111 92 1 I.I.P.P 192.168.2.196 6 3389 1151 339 1 I.I.P.P 192.168.2.196 6 3389 2609 55 1 I.I.P.P 192.168.2.196 6 3389 1386 1500 1 I.I.P.P 192.168.2.196 6 3389 3133 1480 1 I.I.P.P 192.168.2.196 6 3389 2684 3000 2 "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows Server 2003 in LAN. As you can see, almost every connection is to ephemeral port on 192.168.2.196 using the source port 3389. In addition, download traffic is 5x higher than upload traffic(download from Internet is ~50Mbps while upload to Internet is ~10Mbps). Has someone seen such pattern before? Maybe able to name a possible virus family? regards, martin ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- load of connections to ephemeral ports from TCP source port 3389(probably virus) Martin T (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) James Jr, William A (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Maggy May (Oct 27)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Jin Ming (Oct 31)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Denny Crane (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Michael Sturtz (Oct 27)
- Message not available
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Dana Forte (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Matthew Reed (Oct 31)
- Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Stephanus J Alex Taidri (Oct 31)
- <Possible follow-ups>
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Greg Carson (Oct 31)
- RE: load of connections to ephemeral ports from TCP source port 3389(probably virus) Campbell.ColinD (Oct 31)