[Dshield] MS Term Services

Keith Bergen keith at keithbergen.com
Wed Sep 3 00:51:08 GMT 2003


To date, there have been no known exploits, but perhaps they are looking to
find poorly administered systems with easy-to-guess passwords. As an aside,
I have only received 15 hits on 3389 since April.

3389 is Terminal Services, as you state, and is used for Remote Desktop.
Contrary to popular belief, Remote Desktop can be safely used, but you need
to take some precautions.

1) Rename the "administrator" account to something else. I like to combine
letters and numbers. (This actually applies to any system). Obfuscate any
passwords.
2) Change the default port number.
http://support.microsoft.com/default.aspx?scid=kb;en-us;306759
3) Always keep up-to-date on patches (again, actually applies to any system)
4) Turn off the guest login.
5) Don't have accounts without passwords. As a safety feature, Remote
Desktop will not allow you to connect with an account that has no password,
but it's still a good idea.

Keith.
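A read-only audit of the five points above, added here as an illustration (it is not code from the original post or from the DShield list). It assumes a Windows 10 / Server 2016 or later host with the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser), the RDP-Tcp PortNumber registry value that KB 306759 describes, the LSA LimitBlankPasswordUse value behind the "limit blank passwords to console logon only" policy, and Get-HotFix for patch recency; run it from an elevated PowerShell session. The function names are the example's own.

```powershell
# Added example, not from the original post: check the RDP hardening points
# in the reply (renamed built-in Administrator, non-default RDP port, Guest
# disabled, no password-less accounts, patch recency) on the local host.
# Read-only. Assumes Windows 10 / Server 2016+ and an elevated session.

function Get-RdpPort {
    # KB 306759 documents the PortNumber value under this key; 3389 is the default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
}

function Test-BuiltinAdminRenamed {
    # The built-in Administrator always carries RID 500, whatever it is named,
    # so the rename check must key off the SID rather than the name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    [pscustomobject]@{
        Name    = $admin.Name
        Renamed = ($admin.Name -ne 'Administrator')
        Enabled = $admin.Enabled
    }
}

function Test-GuestDisabled {
    # The built-in Guest account carries RID 501.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    -not $guest.Enabled
}

function Get-PasswordlessAccounts {
    # Enabled local accounts flagged as not requiring a password.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, SID
}

function Test-BlankPasswordNetworkLogonBlocked {
    # Policy "Accounts: Limit local account use of blank passwords to console
    # logon only". Value 1 (the default) refuses network logons, RDP included,
    # for accounts with a blank password; this is the safety net the reply mentions.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return $true }   # value absent: the default (1) applies
    $lsa.LimitBlankPasswordUse -eq 1
}

function Get-LatestHotfixDate {
    # Date of the most recently installed update; a stale date is the finding.
    (Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn
}

function Invoke-RdpHardeningAudit {
    $admin = Test-BuiltinAdminRenamed
    $port  = Get-RdpPort
    [pscustomobject]@{
        RdpPort                 = $port
        RdpPortIsDefault        = ($port -eq 3389)
        BuiltinAdminName        = $admin.Name
        BuiltinAdminRenamed     = $admin.Renamed
        GuestDisabled           = Test-GuestDisabled
        PasswordlessAccounts    = @(Get-PasswordlessAccounts | ForEach-Object Name)
        BlankPasswordRdpBlocked = Test-BlankPasswordNetworkLogonBlocked
        LatestHotfixInstalledOn = Get-LatestHotfixDate
    }
}

Invoke-RdpHardeningAudit | Format-List
```

Each row of the output maps to one numbered point in the reply; `RdpPortIsDefault` being `$true`, `BuiltinAdminRenamed` being `$false`, `GuestDisabled` being `$false`, or a non-empty `PasswordlessAccounts` list is the finding to act on. Changing the port only moves the service away from the port that scanners such as the ones in this thread hit first; the account and patch checks are what keep a guessed or blank password from working.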

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Coxe, John B.
Sent: Tuesday, September 02, 2003 7:30 PM
To: Dshield List (E-mail)
Subject: [Dshield] MS Term Services


Noticed a huge ramp up today in the port 3389 hits.  The peak so far today
at incidents.org and dshield.org is comparable to the one a month ago.
However, the targets/sources ratio is around 1300, markedly higher than
normal (10-20) and about double the case a month ago when it was high.  One
might suspect this is an attempt to find seed systems for a 9/11 DoS attack.
SoBig expires 9/10 and the next launch is expected on 9/11.  The target
seems to be practically exclusively Italy right now.

The vulnerability I know about goes back to NT4 in '99, before y2k.  M$
doesn't support NT4 anymore, but the hot fix may still be available from
them.  Nonetheless, anyone irresponsible enough to be running a system that
has a 4 year old vulnerability like that isn't hunting down hot fixes.
Anyone know of any recent exploits against terminal services under W2K
and/or WXP?
