[Dshield] MS Term Services

Coxe, John B. JOHN.B.COXE at saic.com
Tue Sep 2 23:30:23 GMT 2003

Noticed a huge ramp up today in the port 3389 hits.  The peak so far today
at incidents.org and dshield.org is comparable to the one a month ago.
However, the targets/sources ratio is around 1300, markedly higher than
normal (10-20) and about double the case a month ago when it was high.  One
might suspect this is an attempt to find seed systems for a 9/11 DoS attack.
SoBig expires 9/10 and the next launch is expected on 9/11.  The target
seems to be practically exclusively Italy right now.

The vulnerability I know about goes back to NT4 in '99, before y2k.  M$
doesn't support NT4 anymore, but the hot fix may still be available from
them.  Nonetheless, anyone irresponsible enough to be running a system that
has a 4-year-old vulnerability like that isn't hunting down hot fixes.
Anyone know of any recent exploits against terminal services under W2K
and/or WXP?
