Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Port 3389 (tcp/udp) Attack Activity


Port Information
Protocol    Service             Name
tcp         ms-term-services    MS Terminal Services
udp         ms-term-services    MS Terminal Services
Top IPs Scanning
Port diary mentions
URL
Virus Alphabet, War!, Port 3389 Spike, WinZip Issues
MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts
Port 3389 terminal services scans
Increased Traffic on Port 3389
An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps]
User Comments
Submitted By Date
Comment
Scott Fendley 2005-07-17 03:13:54
Potential exploit of Remote Desktop Protocol on Windows Systems. Please see http://isc.sans.org/diary.php?date=2005-07-15 and http://isc.sans.org/diary.php?date=2005-07-16 for more information.
jeff bryner 2002-11-09 21:16:59
See http://www.xato.net/reference/xato-112001-01.txt for a discussion on how terminal services source IP address can be easily spoofed; so don't trust event log entries of connection attempts. Jeff.
CVE Links
CVE # Description
CVE-2012-0002
CVE-2015-2373 The Remote Desktop Protocol (RDP) server service in Microsoft Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a series of crafted packets, aka "Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability."
CVE-2019-0708