Were I to guess, I would say that the increase is almost directly related to Erik Forsberg's BugTraq posting yesterday regarding the potential for Man-in-the-middle attacks via MS Terminal Services/RDP. His group apparently has an unreleased binary which could exploit this flaw...but a skilled individual who was so inclined would likely have little problem developing one themselves.
That having been said, networks which give preferential treatment (security-wise) to machines that make VPN client connections would seem to be marginally more vulnerable, in that VPN client machines which are running MS Terminal Server in an unprotected (e.g. home LAN on cheap cable modem) environment pose a large threat. Of course, it's only natural to give VPN client machines preferential treatment... Is there a mechanism in the GTA/Safenet VPN server or client that allows one to push a firewall/security policy to the client machine?

michael w. agard
[manager of global network operations]
[sbi-razorfish]
212.798.6608 office
917.213.6981 mobile
212.966.6915 fax
[EMAIL PROTECTED]
* the price of security is eternal vigilance *

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2003 3:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [gb-users] Possible hack attempts on port 3389

Yes, we're finding the same. However, as is common with most folk here, we take the attitude that everything is blocked (in and out) unless specifically allowed, and even then preferably from a VPN or fixed IP address.

rgds
gmcb

-----Original Message-----
From: Cox, Danny H.
To: [EMAIL PROTECTED]
Sent: 03/04/2003 02:32
Subject: [gb-users] Possible hack attempts on port 3389

There appears to be a rise in hack attempts through port 3389. In the past 6 hours, I have seen 4 different networks try to log into my primary index server through this port. Over the past year, I have seen about a total of 3 attempts to gain this type of access, until now. For those of you that don't know - this port is used by Microsoft for Terminal Services (think Remote Desktop). Here is one of many log entries I have been getting - note the originating IP address.
EMAIL NO: 3
DATE: Wed 2003-04-02 17:05:34
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block IP
PACKET: TCP [61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389] l=0 f=0x2
[61.33.171.233/3988]-->[xxx.xxx.xxx.xxx/3389]

I decided to play on a hunch on these and found that every single one of these sites had a Windows server running TS. Several of the sites were "home based" small business networks that had Linksys and SonicWall firewalls. I notified the admins of the problem and still keep getting random attempts. I have long since shut down these services (at the firewall) here and plan to take steps to make certain this is not a concern for me.

Danny H. Cox
Yield Dynamics, Inc.
(408) 764-9822

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages: http://www.mail-archive.com/[EMAIL PROTECTED]
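As an added example that is not part of the thread above: a small Python parser for firewall alarm entries in the layout Danny's quoted log uses, which pulls out the blocked TCP/3389 connection attempts and counts how many distinct source networks probed the port within a sliding six-hour window, the figure Danny was tallying by hand. The sample entries are constructed (addresses from documentation ranges, 192.0.2.5 standing in for the masked destination), the /24 grouping and the six-hour window are assumptions chosen to match the thread, and the real GTA log may carry fields not shown in the one entry quoted.

```python
"""
Parse firewall 'Block IP' alarm entries in the layout shown in the thread and
summarise blocked TCP/3389 (Terminal Services / RDP) connection attempts.

Added example, not code from the original posting. The sample entries below
are constructed; addresses come from documentation ranges, and the field
layout follows the single alarm quoted in the thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

RDP_PORT = 3389

# TCP flag bits as they appear in the 'f=0x..' field of the alarm.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# One alarm per line. The date carries a weekday name before the ISO date, and the
# packet summary may be repeated after the l=/f= fields, as in the quoted entry.
LINE_RE = re.compile(
    r"DATE: \w{3} (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"ALARM TYPE: (?P<alarm>.+?) PACKET: (?P<proto>\w+) "
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
    r"(?: l=(?P<length>\d+))?(?: f=0x(?P<flags>[0-9a-fA-F]+))?"
)

# Constructed sample log (not from the original post); 192.0.2.5 stands in for
# the masked xxx.xxx.xxx.xxx destination.
SAMPLE_LOG = """\
EMAIL NO: 1 DATE: Wed 2003-04-02 12:10:02 PRIORITY: 4 INTERFACE: EXT-DSL (xl0) INTERFACE TYPE: External ALARM TYPE: Block IP PACKET: TCP [198.51.100.17/1544]-->[192.0.2.5/3389] l=0 f=0x2
EMAIL NO: 2 DATE: Wed 2003-04-02 14:41:55 PRIORITY: 4 INTERFACE: EXT-DSL (xl0) INTERFACE TYPE: External ALARM TYPE: Block IP PACKET: TCP [203.0.113.44/3012]-->[192.0.2.5/3389] l=0 f=0x2
EMAIL NO: 3 DATE: Wed 2003-04-02 17:05:34 PRIORITY: 4 INTERFACE: EXT-DSL (xl0) INTERFACE TYPE: External ALARM TYPE: Block IP PACKET: TCP [198.51.100.20/3988]-->[192.0.2.5/3389] l=0 f=0x2 [198.51.100.20/3988]-->[192.0.2.5/3389]
EMAIL NO: 4 DATE: Wed 2003-04-02 17:20:11 PRIORITY: 4 INTERFACE: EXT-DSL (xl0) INTERFACE TYPE: External ALARM TYPE: Block IP PACKET: TCP [203.0.113.200/2231]-->[192.0.2.5/80] l=0 f=0x2
EMAIL NO: 5 DATE: Wed 2003-04-02 17:48:09 PRIORITY: 4 INTERFACE: EXT-DSL (xl0) INTERFACE TYPE: External ALARM TYPE: Block IP PACKET: TCP [100.64.7.9/1100]-->[192.0.2.5/3389] l=0 f=0x2
"""


@dataclass(frozen=True)
class Alarm:
    when: datetime
    alarm: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    flags: int


def parse_alarms(text):
    """Return one Alarm per parseable line; lines that do not match are skipped."""
    alarms = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        alarms.append(Alarm(
            when=datetime.strptime(m["date"], "%Y-%m-%d %H:%M:%S"),
            alarm=m["alarm"],
            proto=m["proto"],
            src=m["src"],
            sport=int(m["sport"]),
            dst=m["dst"],
            dport=int(m["dport"]),
            length=int(m["length"] or 0),
            flags=int(m["flags"] or "0", 16),
        ))
    return alarms


def decode_flags(flags):
    """Names of the TCP flags set in the 'f=' value, in bit order (0x2 is a bare SYN)."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]


def rdp_probes(alarms):
    """Blocked inbound connection attempts (SYN set, ACK clear) aimed at TCP/3389."""
    return [a for a in alarms
            if a.proto == "TCP" and a.dport == RDP_PORT
            and a.flags & 0x02 and not a.flags & 0x10]


def source_network(alarm, prefix=24):
    """Collapse a source address to its /prefix so retries from one site count once."""
    return str(ip_network(f"{alarm.src}/{prefix}", strict=False))


def distinct_source_networks(probes, prefix=24):
    return {source_network(p, prefix) for p in probes}


def max_networks_in_window(probes, window=timedelta(hours=6), prefix=24):
    """Largest number of distinct source networks seen in any sliding window."""
    probes = sorted(probes, key=lambda a: a.when)
    best, start = 0, 0
    for end, p in enumerate(probes):
        while probes[start].when < p.when - window:
            start += 1
        best = max(best, len(distinct_source_networks(probes[start:end + 1], prefix)))
    return best


if __name__ == "__main__":
    probes = rdp_probes(parse_alarms(SAMPLE_LOG))
    for p in probes:
        print(p.when, p.src, "->", f"{p.dst}:{p.dport}", decode_flags(p.flags))
    print("distinct source networks:", sorted(distinct_source_networks(probes)))
    print("max networks in any 6h window:", max_networks_in_window(probes))
```

Grouping sources by /24 rather than by exact address keeps a single site retrying from a DHCP pool from inflating the count, which is the difference between "four networks in six hours" and "four packets". The filter on SYN-without-ACK drops stray RST or ACK traffic that a stateful filter may also log on the same port but that is not a connection attempt.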
