There appears to be a rise in hack attempts through port 3389.
In the past 6 hours, I have seen 4 different networks try to log into my
primary index server through this port.
Over the past year, I have seen about a total of 3 attempts to gain this
type of access, until now.
For those of you that don't know: this port is used by Microsoft for
Terminal Services (think Remote Desktop).
Here is one of many log entries I have been getting - note the
originating IP address.
EMAIL NO: 3
DATE: Wed 2003-04-02 17:05:34
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389] l=0 f=0x2
[61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389]
I decided to play on a hunch on these and found that every single one of
these sites had a Windows server running TS.
Several of the sites were "home based" small business networks that had
Linksys and SonicWall firewalls.
I notified the admins of the problem and still keep getting random
attempts.
I have long since shut down these services (at the firewall) here and
plan to take steps to make certain this is not a concern for me.
Danny H. Cox
Yield Dynamics, Inc.
(408) 764-9822
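
Added example, not part of the original message: a Python sketch that parses alert entries in the format quoted above and lists the distinct source addresses that sent a SYN to port 3389 within a 6-hour window. The sample entries are constructed (documentation-range addresses), and reading f=0x2 as the TCP flags byte with only SYN set is an assumption about this firewall's log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts (time, source, destination port), rendered in the
# format of the log entry above. Addresses are documentation ranges.
ROWS = [
    ("09:00:00", "198.51.100.250", 3389),   # falls outside the 6-hour window
    ("11:40:10", "192.0.2.10", 3389),
    ("13:02:51", "198.51.100.7", 3389),
    ("13:03:05", "198.51.100.7", 3389),     # repeat from the same source
    ("15:30:00", "203.0.113.44", 80),       # different service, ignored
    ("16:15:22", "203.0.113.99", 3389),
    ("17:05:34", "192.0.2.200", 3389),
]
SAMPLE = "".join(
    f"DATE: Wed 2003-04-02 {t}\nALARM TYPE: Block\n"
    f"IP PACKET: TCP [{s}/3988]-->[xxx.xxx.xxx.xxx/{p}] l=0 f=0x2\n"
    for t, s, p in ROWS)

DATE_RE = re.compile(r"DATE:\s+\w{3}\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
PKT_RE = re.compile(
    r"IP PACKET:\s+TCP\s+\[([^/\]]+)/\d+\]-->\[[^/\]]+/(\d+)\]"
    r"\s+l=\d+\s+f=(0x[0-9a-fA-F]+)")

def parse_alerts(text):
    """Yield (timestamp, src_ip, dst_port, flags) for each IP PACKET line."""
    when = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        m = PKT_RE.match(line)
        if m and when is not None:
            yield when, m.group(1), int(m.group(2)), int(m.group(3), 16)

def rdp_probe_sources(text, port=3389, window=timedelta(hours=6)):
    """Distinct sources that sent a SYN-only packet (assumed: f=0x2) to
    `port` within `window` of the newest matching alert."""
    hits = [(t, src) for t, src, dport, flags in parse_alerts(text)
            if dport == port and flags == 0x02]
    if not hits:
        return set()
    newest = max(t for t, _ in hits)
    return {src for t, src in hits if newest - t <= window}

if __name__ == "__main__":
    print(sorted(rdp_probe_sources(SAMPLE)))
```
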