Outgoing 3389!

medicnick83

Hi guys,

See attached picture for the issue I'm having which I would like some help with.

Untitled136.jpg


Basically, we've blocked all traffic from going out via this so it's sorted, but having said that, we want to stop this.
I've run so many different tools trying to remove this (no success), do you guys have any suggestions?

It's on a server which I cannot just shut down and go into safe mode for (we're trying to repair it via remote) till we absolutely have to go in and do it on site (at the client's request)
 
You do realize that 3389 is RDP, so if you're working on the server remotely you will see entries in netstat. Is this a terminal server?
 
Whew, a worm opening up outbound RDP connections by the dozens. Can't say I've met this one yet.
What have you run so far, and I'll add my standard tools to the list.
 
Those are all SYN_SENT, which means it's trying to connect. There's no ESTABLISHED, so I wouldn't worry; it looks like you've blocked 3389 successfully.
 
Because they blocked outgoing 3389, not the ideal solution ;)
Having something on the system opening up millions of connections that haven't timed out is problematic.
 

netstat /b

What apps are communicating?

Netlimiter can tell you as well.

Never open RDP to the web; always have a VPN buffer.
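Added example, not from this thread or any poster: a small Python triage of `netstat -ano` output that applies the two points made above. It counts half-open SYN_SENT connections to remote port 3389 per PID while ignoring the server's own inbound RDP sessions, so the offending PID can then be matched against `netstat -b` or tasklist. The netstat sample is constructed, not the screenshot from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "netstat -ano" output (not the thread's screenshot).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:3389          10.0.0.21:51522        ESTABLISHED     912
  TCP    10.0.0.5:49810         203.0.113.7:3389       SYN_SENT        1488
  TCP    10.0.0.5:49811         203.0.113.8:3389       SYN_SENT        1488
  TCP    10.0.0.5:49812         203.0.113.9:3389       SYN_SENT        1488
  TCP    10.0.0.5:49813         198.51.100.4:3389      SYN_SENT        1488
  TCP    10.0.0.5:49901         198.51.100.20:443      ESTABLISHED     2044
"""

# A TCP row of "netstat -ano": local addr:port, remote addr:port, state, PID.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """One dict per TCP row; the header and UDP rows (no state column) are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def rdp_fanout_by_pid(rows):
    """Per PID: outbound connections to remote port 3389, counted by state. Inbound
    sessions (local port 3389) are excluded so a legitimate admin session is not counted."""
    stats = defaultdict(lambda: {"syn_sent": 0, "established": 0, "targets": set()})
    for r in rows:
        if r["rport"] != 3389 or r["lport"] == 3389:
            continue
        s = stats[r["pid"]]
        if r["state"] == "SYN_SENT":
            s["syn_sent"] += 1
        elif r["state"] == "ESTABLISHED":
            s["established"] += 1
        s["targets"].add(r["raddr"])
    return {pid: {"syn_sent": v["syn_sent"], "established": v["established"],
                  "targets": len(v["targets"])} for pid, v in stats.items()}

def flag_rdp_scanners(rows, min_syn_sent=3):
    """PIDs with many half-open 3389 connections to distinct hosts: the SYN_SENT
    pattern in the thread, and the PIDs to resolve with 'netstat -b' or tasklist."""
    report = rdp_fanout_by_pid(rows)
    return sorted(pid for pid, v in report.items()
                  if v["syn_sent"] >= min_syn_sent and v["targets"] >= min_syn_sent)
```

Feed it the real output with `netstat -ano > out.txt` and `parse_netstat(open("out.txt").read())`; the inbound session on PID 912 in the sample is deliberately not flagged.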
 
Hmm
http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/
It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP).

F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post.
Not certain if it's related
 