Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Port 3389 (tcp/udp) Attack Activity - SANS Internet Storm Center


Port Information
Protocol  Service Name      Description
tcp       ms-term-services  MS Terminal Services
udp       ms-term-services  MS Terminal Services
Top IPs Scanning (source IP, with count in parentheses)
Today                    Yesterday
79.124.62.62 (1313)      212.102.57.142 (2122)
185.177.25.224 (1291)    5.188.158.228 (1425)
37.9.13.22 (1275)        37.9.13.178 (1327)
5.188.159.57 (1243)      185.177.25.224 (1315)
37.9.13.178 (1218)       37.9.13.22 (1125)
5.188.158.228 (1212)     79.124.62.62 (1090)
213.226.123.38 (1193)    5.188.159.57 (1088)
72.167.39.40 (1054)      92.255.85.37 (1035)
97.74.81.123 (972)       72.167.39.40 (1003)
72.167.32.184 (931)      185.73.126.93 (952)
Port diary mentions
Virus Alphabet, War!, Port 3389 Spike, WinZip Issues
MS Advisory on the Vulnerability in RDP; Port 3389; FormMail Attempts
Port 3389 terminal services scans
Increased Traffic on Port 3389
An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps]
Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?
User Comments (submitter, date, comment)
Scott Fendley 2005-07-17 03:13:54
Potential exploit of Remote Desktop Protocol on Windows Systems. Please see http://isc.sans.org/diary.php?date=2005-07-15 and http://isc.sans.org/diary.php?date=2005-07-16 for more information.
jeff bryner 2002-11-09 21:16:59
See http://www.xato.net/reference/xato-112001-01.txt for a discussion of how the Terminal Services source IP address can be easily spoofed, so don't trust event log entries of connection attempts. Jeff.
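The practical consequence of the comment above is that the source address written to the host's event log for an RDP connection is whatever the client reported, while only a network-layer sensor (firewall, netflow, packet capture) sees the real TCP peer. The script below is an added example, not code from the ISC page or from the referenced advisory: it correlates constructed RDP logon records with constructed port-3389 firewall flows by timestamp and flags every record whose reported address differs from the observed peer. The record layouts, field names ("reported", "src", "dst_port") and the five-second matching window are assumptions made for this example, not a real log format.

```python
"""Cross-check RDP event-log source addresses against network-layer peer addresses.

Added example (not from SANS ISC or the xato advisory): the host event log
stores the address the RDP client *claims*; only the network layer sees the
real TCP peer. Any record where the two disagree must not be trusted as the
true origin of the connection attempt.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample data. Field names are assumptions for this example, not a
# real log format: 'reported' is the client-supplied address as written to the
# host event log, 'src' is the TCP source seen by a firewall/netflow sensor.
EVENT_LOG = [
    {"time": "2019-05-20T10:00:05", "user": "alice", "reported": "10.0.0.15"},
    {"time": "2019-05-20T10:02:30", "user": "bob",   "reported": "192.168.1.9"},
    {"time": "2019-05-20T10:05:10", "user": "carol", "reported": "203.0.113.7"},
]

FIREWALL_LOG = [
    {"time": "2019-05-20T10:00:04", "src": "10.0.0.15",     "dst_port": 3389},
    {"time": "2019-05-20T10:02:29", "src": "198.51.100.23", "dst_port": 3389},
    {"time": "2019-05-20T10:05:09", "src": "203.0.113.7",   "dst_port": 3389},
]

# Assumed tolerance between the sensor timestamp and the host event timestamp.
WINDOW = timedelta(seconds=5)


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, flows, window=WINDOW):
    """Pair each RDP logon event with the closest port-3389 flow within `window`.

    Returns one dict per event holding the event, the matched flow (or None)
    and a verdict: 'match', 'mismatch' (reported address is not the real peer)
    or 'unmatched' (no flow to the RDP port seen near that time).
    """
    results = []
    for ev in events:
        t = _parse(ev["time"])
        candidates = [f for f in flows
                      if f["dst_port"] == 3389 and abs(_parse(f["time"]) - t) <= window]
        if not candidates:
            results.append({"event": ev, "flow": None, "verdict": "unmatched"})
            continue
        flow = min(candidates, key=lambda f: abs(_parse(f["time"]) - t))
        same = ip_address(flow["src"]) == ip_address(ev["reported"])
        results.append({"event": ev, "flow": flow,
                        "verdict": "match" if same else "mismatch"})
    return results


def suspicious(events=EVENT_LOG, flows=FIREWALL_LOG):
    """Users whose event-log source address cannot be confirmed by the network layer."""
    return [r["event"]["user"] for r in correlate(events, flows) if r["verdict"] != "match"]


if __name__ == "__main__":
    for r in correlate(EVENT_LOG, FIREWALL_LOG):
        peer = r["flow"]["src"] if r["flow"] else "-"
        print(f'{r["event"]["user"]:6} reported={r["event"]["reported"]:15} '
              f'peer={peer:15} {r["verdict"]}')
```

A "mismatch" where the reported address is private and the observed peer is public is the ordinary NAT case rather than proof of hostility, but either way it shows that the event-log field is not the address to block, correlate on or present as evidence; the firewall or capture address is.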
CVE Links (CVE number, description)
CVE-2012-0002 The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."
CVE-2015-2373
CVE-2019-0708 The Microsoft Windows RDP "BlueKeep" vulnerability covered in the diary entries listed above.