A real Internet worm attack active again ... / 2011-08-29

A real Internet worm attack active again, giving me lots of tcp/3389 attempts in the firewall logs.
Aug 28 10:49:54 greenblatt kernel: [2779836.731355] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18577 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 10:49:54 greenblatt kernel: [2779836.932856] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18701 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 11:11:33 greenblatt kernel: [2780369.772706] FW reject: IN=ppp0 OUT= MAC= SRC=184.22.73.103 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0 
Aug 28 15:37:32 greenblatt kernel: [2786904.189671] FW reject: IN=ppp0 OUT= MAC= SRC=60.190.1.15 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=6587 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0 
Described in detail at Windows Remote Desktop worm "Morto" spreading - F-Secure weblog.

Found via Worm spreading via RDP - The Register.
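
One way to summarise firewall log lines like the ones above, as an added example that is not part of the original post: it counts rejected TCP SYNs to port 3389 per source and groups the sources by packet shape. The function names are made up for this example, the first four sample lines are copied from the post, and the fifth is constructed.

```python
import re
from collections import Counter, defaultdict

PREFIX = "FW reject:"  # log prefix seen in the post's lines
KV = re.compile(r"(\w+)=(\S*)")

# First four lines are copied from the post; the last one is constructed
# (documentation address, port 22) to show that other ports are ignored.
SAMPLE = """\
Aug 28 10:49:54 greenblatt kernel: [2779836.731355] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18577 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 28 10:49:54 greenblatt kernel: [2779836.932856] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18701 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 28 11:11:33 greenblatt kernel: [2780369.772706] FW reject: IN=ppp0 OUT= MAC= SRC=184.22.73.103 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 28 15:37:32 greenblatt kernel: [2786904.189671] FW reject: IN=ppp0 OUT= MAC= SRC=60.190.1.15 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=6587 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 28 16:02:10 greenblatt kernel: [2788382.000000] FW reject: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return the key=value fields and bare flags of one 'FW reject' line, or None."""
    _, found, body = line.partition(PREFIX)
    if not found:
        return None
    fields = dict(KV.findall(body))  # empty values such as OUT= become ""
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}  # DF, SYN, ...
    return fields

def rdp_syns(log_text, port="3389"):
    """Yield parsed entries that are initial TCP SYNs to the given port."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f and f.get("PROTO") == "TCP" and f.get("DPT") == port
                and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]):
            yield f

def count_by_source(log_text):
    """Number of rejected RDP connection attempts per source address."""
    return Counter(f["SRC"] for f in rdp_syns(log_text))

def sources_by_packet_shape(log_text):
    """Group sources by (LEN, WINDOW, DF set) so identical-looking SYNs cluster."""
    shapes = defaultdict(set)
    for f in rdp_syns(log_text):
        shapes[(f["LEN"], f["WINDOW"], "DF" in f["FLAGS"])].add(f["SRC"])
    return {shape: sorted(srcs) for shape, srcs in shapes.items()}

if __name__ == "__main__":
    for src, n in count_by_source(SAMPLE).most_common():
        print(f"{n:4d}  {src}")
    for shape, srcs in sources_by_packet_shape(SAMPLE).items():
        print(shape, srcs)
```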


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.