[Dshield] TCP/3389 (MS Terminal Services) Probes

John Sage jsage at finchhaven.com
Sat Mar 6 05:05:27 GMT 2004


On Fri, Mar 05, 2004 at 11:41:03AM -0800, Pete Cap wrote:
> Date: Fri, 5 Mar 2004 11:41:03 -0800 (PST)
> From: Pete Cap <peteoutside at yahoo.com>
> Subject: Re: [Dshield] TCP/3389 (MS Terminal Services) Probes
> To: General DShield Discussion List <list at dshield.org>
> 
> Not seeing anything strange here (about 90 hits in the past five
> days, mostly attributed to web traffic).
>  
> Could I trouble you gents for some packet traces?

Going back over the last 7 days, I've seen this only:

Mar 3 09:42:52 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=80.25.201.32
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=15644 DF
PROTO=TCP SPT=2705 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 3 09:42:55 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=80.25.201.32
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=15887 DF
PROTO=TCP SPT=2705 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 3 09:43:02 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=80.25.201.32
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16413 DF
PROTO=TCP SPT=2705 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0


Mar 3 17:26:24 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=172.181.186.149
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=10615 DF
PROTO=TCP SPT=62151 DPT=3389 WINDOW=32767 RES=0x00 SYN URGP=0

Mar 3 17:26:27 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=172.181.186.149
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11073 DF
PROTO=TCP SPT=62151 DPT=3389 WINDOW=32767 RES=0x00 SYN URGP=0


Mar 3 18:45:25 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=218.29.196.71
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=31709 DF
PROTO=TCP SPT=4251 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0


Mar 3 20:11:42 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=217.14.221.1
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=19113 DF
PROTO=TCP SPT=23174 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0

Mar 3 20:11:44 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=217.14.221.1
DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=20539 DF
PROTO=TCP SPT=23174 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0


I've got a listener listening; we'll see if anything shows up...



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."

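Added example (not part of the original message or the list archive): a small Python parser that groups the netfilter LOG entries above by SRC and SPT, so that repeated SYNs from one source port count as retransmissions of a single connection attempt, and estimates each sender's initial TTL. The entries are copied from the post and abridged to the fields used; the year 2004 (from the post date) and the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Entries from the post, one per line, abridged to the fields read below.
LOG = """\
Mar 3 09:42:52 greatwall kernel: Ports: TCP blanket DROP: SRC=80.25.201.32 TTL=108 SPT=2705 DPT=3389 SYN
Mar 3 09:42:55 greatwall kernel: Ports: TCP blanket DROP: SRC=80.25.201.32 TTL=108 SPT=2705 DPT=3389 SYN
Mar 3 09:43:02 greatwall kernel: Ports: TCP blanket DROP: SRC=80.25.201.32 TTL=108 SPT=2705 DPT=3389 SYN
Mar 3 17:26:24 greatwall kernel: Ports: TCP blanket DROP: SRC=172.181.186.149 TTL=111 SPT=62151 DPT=3389 SYN
Mar 3 17:26:27 greatwall kernel: Ports: TCP blanket DROP: SRC=172.181.186.149 TTL=111 SPT=62151 DPT=3389 SYN
Mar 3 18:45:25 greatwall kernel: Ports: TCP blanket DROP: SRC=218.29.196.71 TTL=112 SPT=4251 DPT=3389 SYN
Mar 3 20:11:42 greatwall kernel: Ports: TCP blanket DROP: SRC=217.14.221.1 TTL=106 SPT=23174 DPT=3389 SYN
Mar 3 20:11:44 greatwall kernel: Ports: TCP blanket DROP: SRC=217.14.221.1 TTL=106 SPT=23174 DPT=3389 SYN
"""
YEAR = 2004  # assumption: syslog omits the year, so use the year of the post

def parse(line):
    """Return (timestamp, fields) for one netfilter LOG line, or None."""
    m = re.match(r"(\w{3}\s+\d+\s+[\d:]{8})\s", line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, dict(re.findall(r"(\w+)=(\S*)", line))

def attempts(log, dpt="3389"):
    """Collapse SYNs that share SRC and SPT into one connection attempt."""
    flows = {}
    for line in log.splitlines():
        rec = parse(line)
        if not rec or rec[1].get("DPT") != dpt or " SYN" not in line:
            continue
        ts, f = rec
        flow = flows.setdefault((f["SRC"], f["SPT"]), {"ts": [], "ttl": int(f["TTL"])})
        flow["ts"].append(ts)
    return flows

def summarize(flows):
    rows = []
    for (src, spt), flow in flows.items():
        ts = flow["ts"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        # Heuristic: initial TTL is the next common default at or above the observed one.
        init = next(d for d in (64, 128, 255) if d >= flow["ttl"])
        rows.append((src, spt, len(ts), gaps, init, init - flow["ttl"]))
    return rows

for row in summarize(attempts(LOG)):
    print("src=%s spt=%s syns=%d gaps=%s init_ttl=%d hops=%d" % row)
```

The same functions accept the full, unabridged log lines, since any KEY=value token (including an empty `OUT=`) is picked up by the field regex.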


