[Dshield] TCP/3389 (MS Terminal Services) Probes

Chris Brenton cbrenton at chrisbrenton.org
Sat Mar 6 16:46:25 GMT 2004


On Sat, 2004-03-06 at 00:05, John Sage wrote:
>
> Mar 3 09:42:52 greatwall kernel: Ports: TCP blanket DROP: IN=eth0 OUT=
> MAC=00:40:05:ff:gg:24:00:0a:42:6e:aa:bb:08:00 SRC=80.25.201.32
> DST=24.19.14y.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=15644 DF
> PROTO=TCP SPT=2705 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

This is what I'm seeing as well. A system that fingerprints as a Win2K
box that is vertically scanning my network for TCP/3389. Based on the
source ports and IP IDs it's *very* busy scanning other networks at the
same time.

I'm guessing this is some kind of worm or something that breaks in via
3389 and then tries to propagate out over the same port.

I'm on the road right now, anyone want to set up Netcat to do a capture
so we can see what they are doing?

C
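An added example (mine, not from the thread) that parses iptables kernel-log lines in the format quoted above and reports sources probing TCP/3389 on several hosts, along with the initial-TTL guess and IP ID gaps the post reasons from; the log lines are constructed, and the TTL and window readouts are rough OS heuristics, not a fingerprint database.

```python
"""Flag TCP/3389 sweeps in iptables 'blanket DROP' log lines (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample lines in the quoted log format; TEST-NET addresses, not real traffic.
SAMPLE_LOG = """\
Mar 3 09:42:52 gw kernel: Ports: TCP blanket DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=15644 DF PROTO=TCP SPT=2705 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 3 09:42:53 gw kernel: Ports: TCP blanket DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=15901 DF PROTO=TCP SPT=2962 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 3 09:42:53 gw kernel: Ports: TCP blanket DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16210 DF PROTO=TCP SPT=3271 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 3 09:43:10 gw kernel: Ports: TCP blanket DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables log line as a dict (ints where numeric)."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("TTL", "ID", "SPT", "DPT", "WINDOW", "LEN"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial TTL (64, 128 or 255)."""
    return next(t for t in (64, 128, 255) if t >= ttl)


def find_sweeps(log_text, port=3389, min_hosts=2):
    """Group SYN probes to `port` by source; report sources that hit at least min_hosts destinations."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") == "TCP" and f.get("DPT") == port and " SYN " in line:
            by_src[f["SRC"]].append(f)
    report = {}
    for src, pkts in by_src.items():
        hosts = sorted({p["DST"] for p in pkts})
        if len(hosts) < min_hosts:
            continue
        ids = [p["ID"] for p in pkts]
        # Big IP ID jumps between the probes we saw mean the source sent many more packets elsewhere.
        report[src] = {
            "hosts": hosts,
            "initial_ttl": guess_initial_ttl(pkts[0]["TTL"]),
            "window": pkts[0]["WINDOW"],
            "ip_id_gaps": [b - a for a, b in zip(ids, ids[1:])],
        }
    return report
```

Run `find_sweeps(SAMPLE_LOG)` on your own firewall log text; the `ip_id_gaps` values are what let you argue, as the post does, that the scanner is busy beyond your address space.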