Home page logo

pauldotcom logo PaulDotCom mailing list archives

RDP and netflows
From: Mike Patterson <mike () snowcrash ca>
Date: Mon, 23 Aug 2010 18:19:48 -0400

We had a host compromised through RDP, and I'm looking at flow data.
(That and partial Snort alerts is all we have; suggestions for how to do
IDS and monitoring will be > /dev/null, we already know our weaknesses

I know for a fact the host was compromised through RDP; it's a very good
guess it was a weak password.  The questions we have are: who, and what
may they have done once they had access to the host?  We know they
disabled antivirus and installed some bruteforce tools, but the question
is did they transfer any files off the host?

So our flows show RDP from four unique remote IPs in a given 18 hour
period.  Two of those IPs had thousands of small flows (a few KB each).
 Two had only a handful (20 and 14) of smaller ones, ranging in size
from a couple hundred bytes up to a couple of megabytes.

My working theory is the ones with thousands were password guessers; the
ones with a few dozen were the ones the intruders used to do their dirty
work, and that no files were transferred over RDP.  Does this seem
reasonable?  I don't know well enough how RDP works or shoes up in
netflow data to be able to say, and I need to figure it out soon.  I'll
be experimenting on my own, but in the meantime, if anybody has any
experience with this, I'd appreciate hearing from you.

Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
  • RDP and netflows Mike Patterson (Aug 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]