Home page logo
/

basics logo Security Basics mailing list archives

Re: load of connections to ephemeral ports from TCP source port 3389(probably virus)
From: "Stephanus J Alex Taidri" <staidri () gmail com>
Date: Tue, 1 Nov 2011 01:22:52 +0000

Hi Greg,

Colin is right, the source and destinantion IP address is relative from where you see the traffic flows being reported.

Have you run thorough investigation on both said ip addresses to see what's process running and opening the connection?

Use netstat -anb > result.txt on the CMD DOS shell.

And checked the result.txt for what file/service has been accessing the network from or to port TCP 3389
Best Regards,
Stephanus J Alex Taidri

--- Sent from my BlackBerry

-----Original Message-----
From: <Campbell.ColinD () police qld gov au>
Date: Tue, 1 Nov 2011 08:10:44 
To: <gregkcarson () gmail com>; <staidri () gmail com>; <security-basics () securityfocus com>
Subject: RE: load of connections to ephemeral ports from TCP source port
 3389(probably virus)

Hi,

Source and destination are relative to which packets you're looking at.
My understanding is that netflow only collects data entering an
interface. Therefore if you're collecting on the external interface I
believe you're looking at the return packets (source = server,
destination = client) of the TCP conversation.

If you look at your firewall logs you'll probably find the sessions are
being initiated from your machine (192.168.2.196) destined for I.I.P.P

Colin

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Greg Carson
Sent: Tuesday, 1 November 2011 5:45 AM
To: Stephanus J Alex Taidri; security-basics () securityfocus com
Subject: RE: load of connections to ephemeral ports from TCP source
port
3389(probably virus)

But why would the source port be 3389, it should be the destination.

Sent from my Windows Phone
From: Stephanus J Alex Taidri
Sent: 31/10/2011 1:50 PM
To: security-basics () securityfocus com
Subject: Re: load of connections to ephemeral ports from TCP source
port 3389(probably virus)
Check on your internet router whether this 192.168.2.196 being NATed
to internet. It looks to me that this is RDP -- 3389/tcp (Remote
Desktop Protocol) traffics from internet to this PC (which most likely
NATed to be accessible from the internet).

PS:
1. You can check the PC as well to verify whether the RDP session is
currently active.

2. Downstream traffics bigger than upstream is common and perfectly
okay in normal circumstances.
Best Regards,
Stephanus J Alex Taidri

--- Sent from my BlackBerry

-----Original Message-----
From: Martin T <m4rtntns () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 27 Oct 2011 03:23:14
To: <security-basics () securityfocus com>
Subject: load of connections to ephemeral ports from TCP source port
 3389(probably virus)

If I check the traffic passing my router(using NetFlow), 98% of the
flows are following:

srcIP            dstIP            prot  srcPort  dstPort  octets
packets
I.I.P.P        192.168.2.196    6     3389     3799     55          1
I.I.P.P        192.168.2.196    6     3389     4465     40          1
I.I.P.P        192.168.2.196    6     3389     1940     74          1
I.I.P.P        192.168.2.196    6     3389     2611     51          1
I.I.P.P        192.168.2.196    6     3389     2356     141         1
I.I.P.P        192.168.2.196    6     3389     2111     92          1
I.I.P.P        192.168.2.196    6     3389     1151     339         1
I.I.P.P        192.168.2.196    6     3389     2609     55          1
I.I.P.P        192.168.2.196    6     3389     1386     1500        1
I.I.P.P        192.168.2.196    6     3389     3133     1480        1
I.I.P.P        192.168.2.196    6     3389     2684     3000        2

"I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
Server 2003 in LAN. As you can see, almost every connection is to
ephemeral port on 192.168.2.196 using the source port 3389. In
addition, download traffic is 5x higher than upload traffic(download
from Internet is ~50Mbps while upload to Internet is ~10Mbps).

Has someone seen such pattern before? Maybe able to name a possible
virus family?

regards,
martin


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f7
27d1

------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL
certificate.  We look at how SSL works, how it benefits your company
and
how your customers can tell if a site is secure. You will find out how
to
test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are
highlighted
to help you ensure efficient ongoing management of your encryption
keys
and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f7
27d1

------------------------------------------------------------------------


**********************************************************************
CONFIDENTIALITY:   The information contained in this 
electronic mail message and any electronic files attached 
to it may be confidential information, and may also be the 
subject of legal professional privilege and/or public interest 
immunity.  If you are not the intended recipient you are 
required to delete it.  Any use, disclosure or copying of 
this message and any attachments is unauthorised.  If you 
have received this electronic message in error, please 
inform the sender or contact securityscanner () police qld gov au 

This footnote also confirms that this email message has 
been checked for the presence of computer viruses.
**********************************************************************

  By Date           By Thread  

Current thread:
  • Re: load of connections to ephemeral ports from TCP source port 3389(probably virus) Stephanus J Alex Taidri (Nov 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]